How IT Pros Can Avoid Legal Trouble 230
snydeq writes "InfoWorld's Peter S. Vogel reports on the kinds of inadvertent transgressions that could land IT pros into legal trouble without realizing it. From confidentiality and privacy negligence, to copyright and source code violations, IT staff are legally liable for a lot more than they might think — in some cases because the law will not stop at your employer, instead holding individual IT employees responsible for violations even if the individuals are just 'doing their job.' Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,' Vogel writes. 'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'"
What legally questionable scenarios have cropped up at your job?
Blackberry Enterprise Server (Score:5, Interesting)
When someone at work has a blackberry, they are set up on the Blackberry enterprise server, which manages all their contacts and emails and calendar and such.
If they leave, or are terminated, we are told to send the kill command to their BES account. This will delete any emails off their phone AND their contact details. In some cases, a person will be let go - our IT staff will be let known first so their account can be disabled for security reasons. Then that recently laid off person has lost all of their contact details - including Mom and Dad and sweet Great Aunt Gertrude.
We haven't faced any legal suits yet - but it happened a couple times where people have gotten angry. As a precaution - we've started informing people that this happens - so anyone with a blackberry needs to back up their contacts constantly.
Re:Obvious (Score:1, Interesting)
That was my answer. As a DBA at a company that handled credit card transactions I could see where our internal application could easily be fooled into spilling its very valuable guts. After pointing this out to Mgt. and having it verified by an external auditor, they refused to fix. I'm not voluntarily sitting on that kind of time boom so I left. They haven't been hacked yet, they may never be. But it's not my problem now.
AC
Legally questionable scenarios? (Score:5, Interesting)
Here's one: I worked for one of the top national retail firms. Their POS systems were booted using PXE, and there was no firwalling between the stores and corporate HQ. In other words, the network topology was completely flat. Setup a PXE server at any store, distribution center, or headquarters, and you could respond to PXE requests sent by the POS systems. The store's location was coded into the DNS RR, and followed an easy to understand naming convention -- they also were powered down every evening. Which means, you had about a 10 minute window each day where if you disabled or DDoS'd the one PXE server on the network, you would be able to send a bootable image to every POS server in that timezone.
They fired me three days after reporting this flaw, calling me a security risk.
Re:Premeditated murder (Score:3, Interesting)
I'm a medical equipment technician at a California corrections facility. My boss routinely asks me to kill people in cold blood, and I've been doing it for a few years now... there's a lot of paperwork and everything, but I'm not entirely sure it's legal.
I can't tell if your're trolling or serious. Are you responsible for the lethal injection equipment? Or are you Therac-25ing cons to oblivion during simple 'treatment' procedures? I guess the key piece of missing information is the 'medical equipment' in question.
Asked to use pirate software (Score:5, Interesting)
I have often been either asked to use pirate copies of software (Borland Turbo C in the 1980s), or accept license agreements personally, where a corporate license would have been more fitting. Neither of these have occurred at my present place of employment, thankfully.
In other areas, I was once asked by a low-level manager at a client company of our contracting firm for my SSN for a "background check". I was told this person had a reputation of committing identity theft in the name of contractors, obtaining credit in their name, and threatening to insist they be removed from the assignment if they complained. I don't know if that was true, but did insist that any "background check" would be done by a recognized neutral party. I was requested removed from the assignment, and let go for lack of other work.
On the pirate software issue, I simply licensed my own copies, and took them with me when I left (well, wiped them off my work computer). Borland's license would let me use their compiler on any machine, even let someone else use it, one at a time.
The bottom line is that if your employer asks you to break the law, find another job... fast.
Re:Licensing (Score:5, Interesting)
I remember I came in once (this was right after I started) only to find the entire staff (except the interns) had quit without warning. Everyone from the production managers to the secretaries-- gone. I soon followed, natch!
How about legally liable for the PHB and other hig (Score:3, Interesting)
How about legally liable for the PHB and other higher up people at the work place who don't know about IT but they buy stuff on the golf course buy they fail to buy the right licenses and they they tell the techs that proper license are done / the buying department took care of it.
In some places the IT guy do not buy any thing they just tell some what they need and hope to get it.
Do to cut backs he was the only guy on the job24/7 (Score:4, Interesting)
Do to cut backs he was the only guy on the job 24/7 and lot of the people there did not have a clue at all. And giving the out the network pass word over a open phone call in a big meting room?
Re:Terry Childs the new Mitnick? (Score:3, Interesting)
Childs was a petulant prima dona with delusions of grandeur, and he paid the price, and so it should be. I know some folks seem to want to make the guy some martyr, but he was a complete twit, and I wouldn't hire the guy to wipe out floppies, let alone manage a large network. Not because he isn't skilled, but because he's a self-important ass hat.
Re:Licensing (Score:3, Interesting)
No, my job has no MS software involved. Helpdesk can go handle that.
We as a company have moved all non-managers over to openoffice. Money talks.
Re:Terry Childs the new Mitnick? (Score:4, Interesting)
From what I gathered, Childs (a) broke the law, (b) didn't do the right thing (specifically, the city was in real trouble if he got hit by a bus), and (c) tried to run away, suggesting he thought he'd be in trouble.
Lack of criminal intent and good intentions go only so far in mitigating breaches of the law, and my common-sense injection would have been that Childs had gone over the line and should be convicted. Had Childs provided for the possibility of his sudden demise, I'd feel a lot better towards him, and I'm not at all sure he'd have been convicted.
Get your boss to sign off on it (Score:1, Interesting)
Get your boss to sign off on it. But seriously, the best (in fact ONLY) way to avoid legal trouble that the article is talking about is to do nothing but ask your boss for access to a solicitor to sign off on work.
The article is like asking "How do you avoid legal problems with a video compression algorithm that you think has no patented by anyone else?". The answer: you can't. As MPEG-LA know, since they don't indemnify against other people's patents.
Re:Licensing (Score:5, Interesting)
I agree, but I'd go further - and my comments apply equally to free and commercial software.
We're a small shop and part of my job is to keep on top of licensing. After doing this job for some years, I have reached an inevitable conclusion.
You are not supposed to get it 100% right. Indeed, you are being set up for failure .
While some licenses are fairly straightforward, enough of them are sufficiently complicated that it is wholly unrealistic to expect any organisation to be entirely perfect. Whether this is by accident or design I wouldn't like to say, but I am dead certain that there is no organisation on God's sweet earth that would come out of a BSA audit without at least something wrong.
Re:Licensing (Score:5, Interesting)
I've seldom worked at a place that didn't pirate software. From fortune 500 to mom and pop shop, they all do it. The annoying part is I actually purchase mine, and in 3D that's not cheap. Ive spent easily 30K in the past 3 years keeping 'legal' with my software only to be underbid by these pirate shops. Now I am contracting at one because I can't win a bid against these pirates as their overhead is much lower than mine because of this.
My favorite part is negotiating my rate for a contract and I stipulate that it's cheaper if I can work from home because I have full support of my fully paid for software. They almost never get it at first, but when I mention my one caveat of not supporting or bug fixing/debugging scenes made with pirated versions. That wakes them up every time. Mostly because the first two weeks are at a preset lower rate while we get used to eachother. Only after those two weeks I am privy to all sorts of info (such as pirating) and then they are often afraid not to hire me in case I rat them out. It's a shitty system with a couple perks.
Re:Legally questionable scenarios? (Score:1, Interesting)
This is a situation you file an affidavit with your local police department for a violation of Sarbanes–Oxley then anonymously forward that affidavit, which is now officially public record, to the company shareholders and executives.
You will see how fast people start getting [i]arrested[/i].
They have a duty to keep credit card information secure; being fired for pointing out a security flaw to your companies infrastructure that you can drive a truck through is a criminal act punishable up to 10 years in prison.
From there it should be relatively easy to sue.
Re:Terry Childs was NOT an IT pro (Score:3, Interesting)
Perhaps I am now misinformed but as I understand it liability for content never exists unless some censorship takes place on a network. Therefore it would seem to me that the very last thing one would ever want to do is look at any form of content flowing through a network.
But I can not see failure to hand over a password being a crime. It may well have wreaked havoc with a system but that was not Terry's problem nor if he was dismissed did he have any obligation to hand over anything to a former employer. The fact that the employer did not have more than one way to access and control that network had nothing to do with Terry. The city was sloppy and negligent.
Re:Terry Childs was NOT an IT pro (Score:2, Interesting)
he didn't do anything wrong from a legal standpoint
Denial of service and denial to an authorized user are both wrong from a legal standpoint. The jury, which included at least one professional network administrator, had no trouble concluding that a denial of service did, in fact, occur. And, while it was more difficult to determine that denial to an authorized user occurred, they did come to the conclusion that he definitely knew that the individuals for whom he was denying access were, in fact, authorized to have that access.
Then there's the whole business of locking down the system and then trying to flee the State with the passwords....
Re:Licensing (Score:3, Interesting)
...or a software licenced per concurrent user,controlled by a dedicated server.
Yeah--but then you run into the shitty software that does something like "INSERT INTO CurrentSessions WorkstationName VALUES ('BILLS-PC')"...and when the application crashes, there's no delete. So you have to call the vendor to get a special 'unlock' password to clear that crap out of the database (if you're the kind of person that doesn't know SQL)... It's so much easier when software companies don't treat their users like criminals--because the criminals don't care, and the users are the ones jumping through all the hoops.
Re:Both wrong. (Score:3, Interesting)
(a) There was policy that he had to hand over the keys securely, which he refused to do earlier. That is one of the things that led to conviction.
(b) If he'd had been hit by a bus, there was no way known at the time to reset passwords without destroying the configuration, which was not satisfactorily documented. (Think about this - you don't want people to be able to walk up to such a device and pwn it. Routers like those cannot necessarily be kept physically secure.)
Nor, apparently, did his contract state who should have the passwords. The terms of employment did say that he had to have the passwords recoverable by somebody else, and he didn't.
I'm not referring to the events after his dismissal in particular. Childs left the network vulnerable should he be hit by a truck. That is not ethical behavior on the part of a sysadmin, and if he made demands afterwards that could be illegal extortion. I don't remember exactly what he was convicted of, but it's often a short step from unethical to illegal.
Re:Licensing (Score:1, Interesting)
That was for the people who need a car analogy, of course.
Re:the president of the company (Score:3, Interesting)