
Infosec professional's liability

I am in charge of my company's network security and e-mail. My company refuses to authorize or put in place a policy regarding the monitoring of e-mail, Web browsing and telephone conversations. Can employees or ex-employees pursue me legally for liability and compensation for personal damages resulting from my job responsibilities? If so, how can I protect myself?

First, I am NOT an attorney so I cannot offer legal advice, and you should seek advice within the state where you live/work. However, it has been my experience that the company, not the individual, would be held accountable for the actions of an employee when directed by the organization and using company resources.

Work-place privacy (or lack thereof) has been a hotly debated issue and it does not look as though this issue will slow. You may want to draft up a formal request for development and implementation of a Privacy and Monitoring Policy. Also, there could be implications for your company if they need to comply with the EU Directive or Safe Harbor, which require privacy safeguards.

Other reasons for setting policies include:
  • Setting minimum standards and requirements for key activities.
  • Security policies, standards and technical controls assist in providing data integrity.
  • Defining security tasks and responsibilities to the organization.
  • Reducing miscommunication/confusion.
  • Providing instruction on safe computing.
  • Indicating management's intent to safeguard organizational information (critical to success of security program).
  • Reducing liability for negligence and breach of fiduciary duty.
  • Increasing management's awareness of issues at hand.
  • Establishing communication to upper management.
  • Establishing security organizational credibility.
  • Generating user support for information security function through understanding.
  • Establishing mechanisms for disciplinary action, if necessary.

This was last published in November 2001
