Infosec professional's liability
I am in charge of my company's network security and e-mail. My company refuses to authorize or put in place a policy regarding the monitoring of e-mail, Web browsing and telephone conversations. Can employees or ex-employees pursue me legally for liability and compensation for personal damages resulting from my job responsibilities? If so, how can I protect myself?
First, I am NOT an attorney so I cannot offer legal advice, and you should seek advice within the state where you live/work. However, it has been my experience that the company, not the individual, would be held accountable for the actions of an employee when directed by the organization and using company resources.
(or lack thereof) has been a hotly debated issue and it does not look as though this issue will slow. You may want to draft up a formal request for development and implementation of a Privacy and Monitoring Policy. Also, there could be implications for your company if they need to comply with the EU Directive or Safe Harbor, which require privacy safeguards.
Other reasons for setting policies include:
Setting minimum standards and requirements for key activities.
Security policies, standards and technical controls assist in providing data integrity.
Defining security tasks and responsibilities to the organization.
Providing instruction on safe computing.
Indicating management's intent to safeguard organizational information (critical to success of security program).
Reducing liability for negligence and breach of fiduciary duty.
Increasing management's awareness of issues at hand.
Establishing communication to upper management.
Establishing security organizational credibility.
Generating user support for information security function through understanding.
Establishing mechanisms for disciplinary action, if necessary.
This was first published in November 2001