Saturday, January 14, 2006

Lock The Door

Ignore Liability Issues At Your Own Risk

With new regulations surrounding storage and communication, not to mention those on the horizon, data center managers have a number of liability issues to keep in mind.

Beyond Sarbanes-Oxley or HIPAA, there's also the possibility of shareholder lawsuits based on employee negligence or technology failure. This murky brew of litigation mixed with legislation can be difficult for even the most experienced manager to stomach.

Fortunately, drastic steps such as unplugging users and closing down the network don't have to be taken. Rather, IT managers can benefit from just knowing where the vulnerabilities are and what can happen if something goes wrong.

They Are No Angels
One of the largest sources of potential liability could be walking by your office right this second. Although many IT departments try to show respect to employees by respecting their privacy in terms of email and Web surfing, that consideration could be bad for the company in the long run.

"Generally speaking, employers are liable for the acts of their employees," says Sean Garrison, partner with law firm Lewis and Roca and co-chair of the firm's intellectual property group.

He adds, "In today's world, with rapidly advancing technology, the potential corporate loss and liability arising from an employee's theft or mishandling of corporate data files can be substantial and must account for a significant portion of any corporate risk management system."

Negligent, disgruntled, or greedy employees who use company equipment to cause data loss, share trade secrets, or simply cause network downtime can spark a number of liability actions. A type of lawsuit that's seen more frequently is the claim made by shareholders, says Jim Brelsford, head of technology law at Jones Day.

"We're going to see a wave of these in the next few years," he says. "They'll center around shareholders suing the company to claim that data loss or some other event changes the stock price."

In some cases, employees might not be to blame for company problems. If an outsider hacks the network, a company could be liable for not implementing proper security measures. But that kind of litigation is minor when compared to what might happen if IT knew there was a breach and failed to act.

"If someone can prove that you knew about a problem and didn't do anything about it, you'll be in trouble," Brelsford says.

Even getting rid of equipment without aggressive electronic data cleaning could be dangerous. Steve Harris, director of data center planning at technology consultancy Forsythe, says that disposal is the responsibility of the company. That includes making sure that a disposal firm is legitimate, as well as that the data really is gone.

He says, "If you're letting a major piece of technology go out the door, it's incumbent on you to make triple sure that it's wiped clean."

Cracking Down
Protecting a company from inside and outside threats can be done in a number of ways. Usually, implementing bulletproof firewalls and network security, as well as doing regular network monitoring, demonstrates that an IT department is working to shield the company from harm, and this goes a long way toward minimizing liability concerns.

With employees, the issue can become more complicated, but one solution at least is straightforward. "It's vital to have an acceptable use policy for employees," says Chris Getner, CEO of e-discovery firm Aaxis Technologies. "Most companies have those in place, but they don't do enforcement."

If a regulation is broken or a company is sued, it isn't the policy that will get examined, Getner notes; it's how IT enforced that policy. "We see a lot of cases where employees download what they like or do online gambling, or even run a personal small business from their company's computers."

To minimize threats, IT can consider installing content filters, blocking illegal downloads, putting limits on email attachments, and writing a policy that is strongly and clearly worded. Also important is creating guidelines for how the company name can be used in external communication. For example, if an employee posts a nasty message about someone's race or sexual orientation to an online bulletin board and uses company equipment to do it, there could be liability. If the employee claims such thoughts are shared by the company, failure to take swift action to prove otherwise could be deadly.

Sometimes, says Getner, simply letting employees know that you can become Big Brother at any time might reduce problems.

"Employees have to know what they can and can't do," he says. "Delivering that information is part of IT's job. If those areas aren't made clear, then the company can be held liable for not informing its employees about acceptable use of technology."

Because IT has numerous responsibilities, data center managers can't become staff babysitters, but they should understand how employee negligence can affect the company. "You can't be held accountable for all the acts of your employees," says Jeremy Mishkin, a partner at law firm Montgomery, McCracken, Walker & Rhoads. "It's similar to if someone used the photocopier to commit fraud. You can't be responsible for everything that happens at the company because you don't know about everything."

He adds, "But, you can make sure that you don't turn the other way instead of trying to see problems."

by Elizabeth Millard