Avoiding Liability While Fixing Employee PCs?
ellem asks: "The upper management team of my company has made a decision that the IT department will work with employees' home computers and laptops. Despite every possible explanation of liability and the loss of proprietary information, the decision was made in order to satisfy a 'need' that the employees have expressed. Many of our employees are, in fact, independent contractors and could go elsewhere with little impact to themselves. Upper management feels offering this service to our employees will separate us from our competitors, and is so committed to this that they have allocated a special budget for tools, software and new hires to handle this particular segment of IT. However, I am still rather worried about general liabilities. While I can keep the network relatively safe and guard against certain types of file transfers, the fear I have is a tech wrecking an employee's home machine/laptop - whether they actually do or the employee perceives that they did. Are any of your shops offering this type of extra service? Do you have any policies in place to protect your company from liabilities that could spring up?"
That said, you may want to have the aforementioned lawyer draft up a legal-looking piece of paper that says "In the event my computer or data is hozared by incompetent employees, I agree not to sue The Company..." bla bla bla.
I think you probably should look at the technical aspects, too. Establish rules for the fixit shop, such as "Never plug an employee's home machine directly into the company network." Your service shop should have a firewalled safe zone that can get to the internet, but not to your internal network.
Bring in an experienced repair shop manager. Get someone who knows how to set up and run a safe workbench, and who knows how schedules, policies, etc. work. Have them run as an independent agency inside your company. He doesn't have to turn a profit (duh) but should be responsible for maintaining service levels, providing estimates and setting prices (you're not GIVING away brand new replacement 512MB nVidia cards, are you?) and have purchase authority.
John
So what if these are employees' home computers and laptops?
What liability is there that is greater than a retail computer fixit shop?
1. Maintain a fast server with plenty of storage space.
2. Get a good disk imaging program to make a full backup before any work is done.
3. ???
4. Have updated resume listed on all major job search websites.
...Just say no. If it's not yours, or you aren't specifically employed to fix it (by, say, a company), you're better off not doing it. Just about every geek goes through the same early phase: offering to take a look at any sick computer you hear about. But bitter experience teaches you to run screaming from any machine you're not actually contracted to service.
Special Liabilities? Yes, go to your local computer repair shop. Pick up one of their service forms with all the legalese and take it in to your corporate counsel and have them copy it. Hand it to the contractor/employee to sign at some point prior to the first time you go to work on their computer.
You do realize that there are lots of people who actually do what you are describing for a living, right? Once upon a time about 10 years ago I managed such a shop. Your resistance to the feasibility of the idea seems to argue against you considering that all you are doing is basic PC work, just like lots of other people in your town do every day. There's nothing special legally in this case about the fact that you have an additional contractual relationship with the people you are doing the PC work for.
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
It's a computer. Use a standard click-through disclaimer.
Seriously, just get with HR or whomever is in charge of personnel and have a simple disclaimer written up that states that anyone who takes advantage of this waives all rights to sue for damages. Make sure that it covers both the company and the individual contractor performing the task. Include this in the employee handbook or in the information packet that is given out to people when they are hired.
Follow the same rules and procedures the big stores do when they service PCs (think Staples, CompUSA, and Geek Squad)... get management to have the contractors sign an agreement saying "we give up right to sue for lost data and malpractice, we give up right to sue for everything and anything including negligence blah blah blah"
And remind the contractors BEFORE they bring in their PCs that illegal adult materials must be reported to the FBI for persecution. (So if they have a kiddie porn collection, don't bring the PC in to get fixed.) You wouldn't believe how many customers who would bring in their PCs to me back when I worked at the sweatshop called CompUSA would hear that warning, pick up their PC, walk out, and come back the next day without the offending files.
The real liability is data loss, because it is impossible to defend against if they claim you wiped out 10 months of files (which were never there to begin with) and the going rate for REAL data recovery (ISO clean rooms) is like $900 per GB (multiply that by a 160 or 200 GB hard drive and you got a major problem).
And this doesn't answer your question, but, seriously: WTF?
How sadly misguided is this? If they want to give employees and contractors perks, how about something with a little more common sense. Like health benefits (for contractors) or gas/travel vouchers. Both are something people would be glad to have and have tax benefits to the company. Or how about spa gift certs or something where there's little liability.
Alternately, they should subcontract the work out (Clearly they have no problem doing that). Get GeekSquad or something out there to do it for you. Sure, the liability is a headache for you, but I can't believe that any marginally responsible company would take on the infrastructure to do something like this. Maid service for all employees would be cheaper and have less overhead. And I'm sure would be a nice perk.
If one of your techs does wreck an employee's computer, I hope that your response is something better than pointing to a sheet of paper that the employee signed. Even the best technician will do something stupid on occasion, that's how people learn. It's much cheaper to just fix the problem and eat the cost. To do otherwise risks generating a lot of ill will and you may end up paying for it anyway, plus legal and court costs.
Mea navis aericumbens anguillis abundat
Then they'll wonder why they can't get connected to their cable modem. Guess who will be driving out to their house since you can't troubleshoot that at the office? Yes, this actually became the expectation where I work. IT makes house calls. I wondered if they asked Buildings and Grounds to mow their lawns for them.
Next, what kind of liability are you going to run when the employee blames you for deleting (really really super important file)? Yes, I know you had nothing to do with the hard disk crash, but tell the CEO's son that when he just lost the first draft of his novel.
In all seriousness, here are a few suggestions
Good luck. You'll need it.
"Seven Deadly Sins? I thought it was a to-do list!"
no no no you ....
1 create the image
2 check it into a forensic quality workspace
3 do your scans
4 forward the evidence to
CHAIN OF CUSTODY MUST REMAIN INTACT
Any person using FTFY or editing my postings agrees to a US$50.00 charge
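Two comments above call for a full disk image before any work and an intact chain of custody for it. As an added example, not part of the original thread: a Python sketch that hashes the image at intake and keeps a hash-chained custody log, so the shop can later show the image and its handling record are unaltered. The ticket ID, technician names, field names and the stand-in image file are all constructed for illustration.

```python
import hashlib
import json
import os
import tempfile

GENESIS = "0" * 64  # "previous hash" value used by the first log entry

def sha256_file(path, chunk=1 << 20):
    """Stream the image through SHA-256 so large images never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def _entry_hash(entry):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in entry.items() if k != "entry_hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_entry(log, ticket, actor, action, image_path, when):
    """Record one hand-off; each entry commits to the one before it."""
    entry = {
        "ticket": ticket, "actor": actor, "action": action, "when": when,
        "image_sha256": sha256_file(image_path),
        "prev": log[-1]["entry_hash"] if log else GENESIS,
    }
    entry["entry_hash"] = _entry_hash(entry)
    log.append(entry)
    return entry

def verify_log(log):
    """True only if no entry was edited, dropped or reordered without
    recomputing the hashes. Keep the latest entry_hash somewhere separate
    (e.g. on the signed intake form) to catch a fully recomputed chain."""
    prev = GENESIS
    for e in log:
        if e["prev"] != prev or e["entry_hash"] != _entry_hash(e):
            return False
        prev = e["entry_hash"]
    return True

def image_unchanged(log, image_path):
    """Compare the image on disk with the digest recorded at intake."""
    return bool(log) and log[0]["image_sha256"] == sha256_file(image_path)

def demo():
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "TICKET-0001.img")  # constructed stand-in image
        with open(img, "wb") as f:
            f.write(b"constructed stand-in for a disk image\n" * 1000)
        log = []
        append_entry(log, "TICKET-0001", "tech-a", "imaged before work", img,
                     "2000-01-01T09:00:00Z")
        append_entry(log, "TICKET-0001", "tech-b", "received for scan", img,
                     "2000-01-01T10:00:00Z")
        ok_before = verify_log(log) and image_unchanged(log, img)
        log[0]["actor"] = "someone-else"      # a record edited after the fact
        ok_after_edit = verify_log(log)
        with open(img, "ab") as f:            # the image modified after intake
            f.write(b"x")
        return ok_before, ok_after_edit, image_unchanged(log, img)

if __name__ == "__main__":
    print(demo())
```
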
WTF?
Pardon me but it sounds like you're pulling excuses out of your ass because this is a job nobody in your department wants to do. Your execs see it that way too, most likely.
Seriously, what if (during a normal day's work) your tech dropped a PC on somebody's foot... you'd be liable for that too; do you bring up the concerns about carrying PCs to management also?
The company is liable, not the employee... they're obviously willing to accept the risk, so stfu and do your job. Not trying to be an ass, but still, there has to be something more important for you to worry about than this.
IANAL
As I understand it, waivers are useless if it actually comes down to a lawsuit. You don't get to have a sheet of paper say you're not responsible for something if you're incompetent.
As you are doing under the instruction of the company you work for, in most places, you can't be individually sued unless you are acting outside your duties. So really, the only thing that has to worry is the company. And likely they are prepared to eat the cost of a motherboard, or hd once in a while. (hopefully, not often).
I would second that. IANAL so this is a solely technical/financial take on this.
In an average corporate deployment the software licenses exceed the cost of the computer. Depending on the area you work on this factor is anything between 2 and 10 times for a desktop. The cost of maintaining a Windows machine in man-hours per year depends on the number of machines and tools in use but it is pretty much close to the cost of the computer (once you add up AV, Anti-Spyware, etc). So on, so forth.
It is not worth it financially. Numbers do not add up. The saving and convenience will be eaten up.
That is besides all the AUP and "my kid installed the spyware" crap.
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
When I started on the bottom rung of the ISP ladder in the 90s, I was doing dialup support. We only supported helping customers set up their DUN (or PPP or SLIP, etc.), DNS, install a web browser from FTP if they didn't have one and didn't want us to mail them a CD, and set up any one of a small palette of email clients to get mail from our servers. We later expanded it to tell people how to upload to their web space, when we added that. Oh, and the name of our NNTP server, if they asked. Officially, that was it.
:)
:)
Of course, ignoring the rules and accepting the calls from clueless clients on dialup who also had T3s with us, handed off by our veeps and prez, were how I climbed the ladder, started supporting broadband before getting trained, and eventually became a "customer engineer" (network engineer)
However, times have changed. You're an ISP, not their personal tech support. If it's not related directly to their connectivity through you, it's not your problem. Seriously. People aren't totally clueless about the boundaries of support any more (I'm not sure most of my "special issues" ever really were) and you've hit the nail on the head about the margins being such that it's not really worth it. If you don't have calls waiting, and the customer is really nice, sure, be the hero, and feel better for it afterwards. But don't let anyone demand or guilt you into anything your company hasn't promised. I've even encountered people who have done serious damage to their systems, and wanted me to help them outside official bounds, with their intent being that they would later claim that we wrecked their systems, and should pay their consultants for them. Just another thing to remember, when someone asks you to support their horrendously complicated issue
Personally I'd be more worried about data protection than hardware failure or human error. You'll have access to employees' and colleagues' PERSONAL data, which is different from business machines where what personal data an employee puts on the machine is pretty much at their own risk.
I wouldn't be comfortable having access to that data. You might not be personally liable for damages but if a fellow employee makes the case to your employer that you have abused their trust you could soon lose your job.
Instead of running this home computer program in-house, why not just outsource the job to a local or national computer repair shop? That way, you can let someone else worry about the liability issues. As an added bonus, any standard computer shop will have far more experience in dealing with the kinds of problems that home computers typically encounter than you might have. That fact alone could easily make outsourcing a cheaper proposition than running the show on your own. It's definitely food for thought.
In addition to these obvious advantages, outsourcing also allows you to accurately track the costs of the program and draw your budgets accordingly. You and your boss can sit down and allocate each employee a certain dollar amount of gratis tech support, which will avoid the problem of Sue in Accounting bringing her desktop computer in every day for a month so you can wipe out the latest spyware her son acquired while searching for Internet p0rn. Also, you can offer special services with an outsourced program, like in-home system repair for CEOs or, if you work with a national chain, remote repair services for the sales team.
Finally, you should consider the tax issues you could run into if you keep the program in-house. Technically, the type of program you describe could be seen by government tax collectors as employee compensation. That means someone is going to have to track who receives what services, because the government is surely going to want its cut too. With outsourcing, you sidestep all of these problems and are left to concentrate on your primary mission -- maintaining the corporate IT infrastructure.
Make sure you have a policy that very clearly establishes (in absolutely no uncertain terms) that you do not install unlicensed software on the machines, no matter who tells you to. Invariably, you will get some guy from accounting coming in demanding that you install Photoshop on his home computer "because he needs it for work." When you mention that you can't install unlicensed software, he'll go tell his boss, who will then tell you "to just do it." Nobody out there seems to give a damn about licensing issues except for the guy responsible for it. Everyone else takes the view of "well, we have a CD, so it's okay to put it anywhere." The one plus to all of this is that if you ever decide to take off, you can always put in a friendly call to the BSA... : p
This guy's the limit!
I would rather that the IT department of wherever I'm working at the moment doesn't touch my personal machine, thank you very much!
Also, it sounds suspiciously like the first steps from management to get employers to use their own machines for work - a big no-no.
Furthermore, if your management wants to retain those employers that are both highly qualified and highly mobile I suggest flexible working hours, little or no overwork (or maybe pay-per-hour), a location that's easy to access via both car and public transportation and a proper work environment (3-6 persons rooms, no cubicles, plenty of elbow room).
If you're hiring contractors and then sending them to work at the customer's site there is little you can do to retain them - it doesn't take long for a contractor to figure out that they're best served by removing the middleman.
Beyond that, I know for a fact that one of the most important ways of streamlining the systems administration/support group work is to standardize the work machines (both HW and SW) so that for example, fixing a HW problem is just a question of backup/change-machines/restore. Doing that is simply not possible when it comes to maintaining the employer's personal machines.
If they're really keen on wasting money in this half-baked idea, they should outsource repairs/support of personal machines to a company that's specialized in selling those services to the general public.
Keep careful track of time spent on working on "non-company" PCs; if your boss wonders why you aren't getting work done, show him the numbers. Hopefully this won't impact your job much, but if it does you should let the pointyheads know how much time this leeches from your day. They are pretty good at understanding "we spent 40% of ellem's salary fixing employees' home computers".
I Am My Own Worst Enemy
- They run MS Windows and these boxes just tend to "magically" degrade unless periodically re-installed. Except you can't do that because the user will lose something, because they don't have backups, original distribution media with which to reinstall applications (or even the OS itself), registration keys, etc.
- They run applications (MSIE, MS Outlook, MS Word, MS Excel) which in turn are vectors by which other malware comes into the system. You can't tell a user "Ok, I made it so that your machine is secure now," when the user has the habit of running MSIE to look at websites on the Internet(!) or is in the habit of loading untrusted data+macrocode into MS Word. (And of course they do these things while logged in as an administrator.) When things go wrong again, these people always complain later that you didn't really fix their problem. It's not like you can tell users to stop shooting themselves in the foot.
Legal department can take care of the liabilities. The real thing to think about is: does anyone who does generic PC support, really want more customers? And these people you're talking about, aren't even paying customers. Holy crap, what a great way to lose money and make everyone hate you at the same time.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
1, The company could supply a company-owned PC to the contractors. That way there's some semblance of standardization and you're not supporting every device on the shelf at Best Buy.
2, Virtualization is an option. Use a Xen, VMWare, or Virtual PC solution and you can just put out minimum requirements for a user's home machine, and you get your management to agree that the IT shop only supports the virtual box.
3, Get creative about ways to accomplish management's objectives without saying "No". Maybe you can limit your scope of support to company provided applications and get a statement signed by each user that they're responsible for everything besides applications x, y, and z. Or maybe you can limit support to web-based apps that you guys host.
4, Find a different job. No, seriously. It sounds like there's someone in the company with a job title of CxO that isn't listening to the managers who work under him/her. If that person or people aren't listening to you on this one they likely won't listen anytime you give them advice. Not a good corporate culture, imo.
Yes, my only tool is a hammer. And you're starting to look like a nail.
That won't always help. Say they come in, and say the computer won't boot. You fire it up, and some virus has trashed the harddrive. They may still try to blame you when you have to tell them "Sorry, looks like all your data is gone."
This is going to be a taxable benefit. You are going to have to report the value of the service as taxable income to each employee and do appropriate withholding.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.