How IT Pros Can Avoid Legal Trouble

snydeq writes "InfoWorld's Peter S. Vogel reports on the kinds of inadvertent transgressions that could land IT pros into legal trouble without realizing it. From confidentiality and privacy negligence, to copyright and source code violations, IT staff are legally liable for a lot more than they might think — in some cases because the law will not stop at your employer, instead holding individual IT employees responsible for violations even if the individuals are just 'doing their job.' Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,' Vogel writes. 'After all, many people think anyone technical is a whiz kid or brainiac on any topic.'" What legally questionable scenarios have cropped up at your job?

Licensing

[CaptSlaq]

It's such a gigantic PITA to track all of the licensing for everything that I weep for any small to medium sized shop that can't afford to have a dedicated person/dedicated people for it.

Re:Licensing

[ultranova]

The solution is simple: use only GPL- or BSD-licensed stuff. Problem solved.

Using proprietary software at all is asking for trouble.

Re:Licensing

[bickerdyke]

Don't use N... that sounds too much like a countable, natural number.

It's usually more like: We have N employees, each of them has at least one workstation, plus 0 to M old/test machines under his desk. Half of those secondary machines have been reinstalled once or twice, again half of those re-installs included an OS upgrade. Those were done using the OEM licences included with the new primary machines, as on those primary machines software licencsed by the companys volume licence has been used.

Now triple that for OS, Office and the software you're doing your actiual work with. (probably MSDev or some CAD or whatever.)

As a bottom line, you may know how many licencses you have in your volume licence, but won't know how many licences came bundled or not bundled with the hardware. And you won't know how many you actually need..

Re:Licensing

[Luke+has+no+name]

Or network monitoring, or running a call center, or running any kind of website, e-commerce business, or accounting, etc..

The only places where I personally have seen open-source be woefully lacking is in the engineering fields. Most general business and IT-oriented tasks have a capable open-source commercially backed component. Managers and others who don't "get" FOSS think "Free? I'm not getting anything, because I'm not blindly throwing money at a vendor!"

Re:Licensing

Microsoft's KMS will dish out as many activations as you request. It is not limited to how many licences you pay for. Likewise MAK has many more activations than licences you paid for. However KMS won't report back to Microsoft. They do give you the VAMT to try and audit activations.

Has it shown that really???

[stephanruby]

Worse, as the recent case against Terry Childs has shown, judges and juries are often not technically savvy enough to understand what IT pros do. 'That lack of understanding can lead them to conclude you're at fault or should have known better,'

Has it shown that really??? I recall the foreman of the jury for the Terry Childs case was a pretty smart IT guy. Also, the resumes of the other jurors were not all that bad technically either. If anything, I really do think that Terry Childs was judged by a jury of his peers (even if this doesn't always happen in other cases).

Re:how about makeing EULA that non legal types can

Most EULAs aren't actually that difficult to read. They're just long and boring...

Re:Do to cut backs he was the only guy on the job2

[h4rr4r]

You quit, explain why you are quiting then give it out over the phone call.
Is that the right answer?

the president of the company

asked for a reprint of the customer listing. A couple of days later the two vp's asked for the same thing. The company was shut down about 3 months later and I was the only one hired by the parent company.

About two months later I was called in the attorney's office. I was asked if I distributed any unauthorized customer lists.

Damn.

Re:the president of the company

[Richard_at_work]

A former employer of mine spent thousands of hours, and thousands of GB Pounds putting together a very comprehensive list of commercial vehicle fleets in the UK. This list included such things as type of vehicle, maintenance history and periods, fleet age etc etc - the sort of stuff that you can only get from the long hard slog of research.

They sold access to this information for quite a large amount of money - it was a valued resource.

Now, my employer certainly didn't own the names and addresses, or even the fleet details - anyone can do the same research and invest the same time and money to gather the same information without issue - but they do own the collection of details that their investment resulted in.

Its not the individual facts that are valued, its the collection together that has value. A sorted and filtered marketing list is the same sort of deal.

Both wrong.

Both wrong.

(a): there was no law demanding he hand over the keys unsecurely
(b): he did the right thing. If he'd been hit by a bus, they could reset the passwords by getting an engineer out to the sites.

Terry did the RIGHT thing according to law and the thing demanded by his employment contract. That contract stated who he could give the passwords to, where and who could override those orders.

A general cannot order a Private on Guard Duty (assigned as such by the Duty Officer) to leave his post. Doing so would be a court martial offence (potentially one that could see him shot, if it's a war zone or in time of war). The General may or may not be able to order the Duty Sergeant to order the private to leave his post. But if the general is not the Base Officer, OD can demand that the correct channels be used and the Base CO would have to order the Duty Officer to order the Private (note: even the Base CO cannot order a private off Guard Duty at his post).

Similarly, the captain of a ship outranks any officer on board ship, even a Port Admiral. At port, the captain can be removed from command by the Port Admiral. This is why Barratry is such a severe offence in the Navy.

But short version: both your statements are wrong.

Re:Both wrong.

[jroysdon]

They could not just reset the password. The routers/switches were configured with "no service password-recovery" and could not just be reset. If they had been, it would have wiped out the configuration on all of the devices and all of the agencies depending on them would have been down.

If the device configurations had been properly backed up and documented somewhere, this would not have been a problem (I don't know one way or another, but clearly no one in charge knew if they were or had enough of a clue). I didn't follow the case that closely, but even Cisco was involved and couldn't solve the problem (which is a good thing, you don't want a vendor to be able to recovery a configuration in a situation like that).

The point of a "no service password-recovery" is to prevent unauthorized access to a router/switch and configuration tampering. It is required in more secure environments, especially ones with FIPS and other requirements.

no service password-recovery

There is nothing wrong with "no service password-recovery", so long as you have the configurations backed up and others know where those backups are (documentation), such that if you are hit by a bus things can be properly maintained.

dont set up secret monitoring on childrens laptops

[mjwalshe]

A good recent example of how techs could get in trouble would be the techs that set up the spying on kids via webcam in Philadelphia. Congratulations you have just set up a child porn machine. I trust that all involved will never be able to work with kids and vunerable people again - and that would be getting off lightly, in the UK you would probaly have a tabloid lynch mob out for you.

Re:Blackberry Enterprise Server

[Surt]

Right, these are two completely separate theories for how one might arrive at a career in sales.

I make hints or tell the client directly

[bAdministrator]

Working in IT, you're bound to come across pirated software from time to time.

a) When I find some pirated software or license misuses, I could for instance tell the client that "I'm not the police, but..."
I might also make them aware that there is this company that looks out for software vendors--the business software alliance, for instance.
b) When a client is aware that they're asking me to do something illegal, like ignoring license agreements etc, I tell them that I don't care what people do privately (nor do I assist them in that case either), but this is not the act of doing serious business--or tell them sorry, and explain that the company I work for won't allow me to do this, etc. If they still insist, they are a lost cause. You can only spend so much energy on these matters.

I'd prefer that more commercial business software would come with some activation mechanism. I've seen cases where clients have ordered one license, then gone ahead installing the software on most every PC, and when confronted about this, they've argued that only one of them uses it at the time--but the license agreement does not allow it to be installed on more than one PC.

You'll most often find that objectivity is the first thing to be sacrificed in business, so hang on to it, tight, or lose it.