IT Manager's Legal Guide: Data Handling and Security

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

As computers have permeated our society, it was only a matter of time before the lawyers started getting involved. And it seems that lately there are more laws on the books and pending regulations that influence how IT managers will run their computing infrastructure and manage their desktops.

While some of these legal matters originate from personal situations, they have broader implications for corporate computing too. Let’s take a look at some of these recent actions and suggest ways you can cope and plan for what will certainly be our more litigious future.

Copyrighted content

Certainly, the area around digital copyrights is an active one, as the courts and content creators such as the RIAA try to define what is allowed (not much) and what is illegal (just about everything).

But some of these legal actions are showing just how global the Internet has become and how widespread what can be considered a copyrighted work can be. As examples, one lawsuit originates from Italy’s MediaSet, a powerful conglomerate run by the son of the country’s prime minister. Another is that the popular game Scrabulous was removed from Facebook due to copyright actions by the makers of Scrabble, even though the game continues to be available on the Scrabulous Web site itself.

One could argue that the popularity of the game, combined with the power of the social networking site, made it more egregious for the game’s copyright holders. A cynic could also counter argue that the companies involved were doing their best to annoy their biggest fans, and it all boiled down to a matter of royalty payments. Certainly, posting video clips of popular TV shows should be avoided, especially if these clips have been put anywhere on enterprise-owned storage.

TIP: Employ endpoint scanning technology to determine what your users save to their desktops and also examine network servers for illegal content. “We can tell at any time if one of our workstations contains a catalog of MP3 files, or perhaps has a particular spyware application installed. It is disturbing that our current legal environment forces us to take these steps, but the equipment and network are not personal property and cannot be treated as such,” says Tony Maro, Chief Information Officer for HCR Imaging, Inc. in White Sulphur Springs, WVa.

Peer file sharing services

Last month, FCC Commissioner Robert McDowell asked AT&T Wireless to provide the information regarding its peer-to-peer policy during a recent FCC hearing tied to broadband issues.

While they currently don’t block peer-to-peer traffic across their wireless network, clearly it is a concern. And as more smart phones with broadband wireless coverage become popular, clearly it isn’t just what p2p traffic transits your own corporate network, but how your users interact with the wireless vendors too.

This makes it even more important to have a policy on usage of peer file services by corporate-owned computing devices, including phones and PDAs. “We prohibit peer to peer across our network because of the security aspects and the bandwidth concerns at our remote sites,” says David O’Berry, Director of IT Systems for the South Carolina Dept. of Probation, Parole and Pardon services.

TIP: For some IT managers, such as those at colleges, it isn’t a matter of blocking peer file sharing, but putting in place enough protection to make sure that other network traffic has priority. One manager said, “If we block it completely, the students would just figure out a way around the blocks. So we slow it down, particularly during the work day when staff and others need Internet access, and open it up more at night.” In any case, make sure you understand the nature of your traffic with respect to protocols, ports, and applications.

Net neutrality

Speaking of slowing down traffic, part of the debate over net neutrality has to do with what traffic gets carried by which Internet provider, and the priority assigned to various users, protocols, and applications. And while the FTC has ruled that Comcast can’t entirely block peer file sharing traffic, at least not without prior notification of its customers, the ruling has major implications for distributed corporate workforces and a greater reliance on cloud computing and Web-based services and applications.

TIP: Consider carefully which services you migrate out of your data center, and who and how your users will have access. “I absolutely won’t move a service to the cloud unless it is a commodity and I can manage its delivery,” says O’Berry. Currently, he is exploring Web services to deliver email, spam and virus filtering for his users as well as to provide more secure Internet access for his most mobile users while they are away from their offices.

Privacy and Web history

Earlier this summer, senior members of the House Energy and Commerce Committee wrote to broadband Internet providers and other online companies, asking whether they have “tailored, or facilitated the tailoring of, Internet advertising based on consumers Internet search, surfing, or other use.”

This brings up issues surrounding what is being monitored by corporate users outside of the corporate infrastructure, and whether this will become a legal liability later on if this information is subpoenaed by a court.

TIP: Make sure your service provider is managing your network connection and not the content that passes through to your enterprise. As Arbor Networks CTO Kurt Dobbins says, “Managing the network does not require any personally identifiable information, knowledge of a user’s URL browsing history, Internet search activity or capturing and playing back any communications exchange.”

One possibility is to insist on a service level agreement from upstream Internet providers that cover privacy issues. ”I want SLAs from my Internet providers that guarantee me that my email isn’t going to be compromised. These agreements aren’t about uptime but for the purposes of privacy and security. I want secure and assured services, including the ability to browse and search the Web without having this information recorded on a server somewhere. I don’t think a lot of people are doing this right now,” says O’Berry.

Internet access policies

Another side of the customer privacy issue is: who should have access to the Internet from their desktops?

In most companies, it is taken for granted that everyone is connected and online all the time, but this doesn’t have to be the case. And as more case law accumulates about what constitutes a privacy breach, you might want to re-examine exactly who has access to the Net, especially if their jobs involve customer records. This could be as simple as emailing a spreadsheet with social security numbers to a private Yahoo account to work on over the weekend: while not a breach, it should be against corporate policy and users should be educated accordingly.

This is particularly acute in healthcare. “In most companies, catching a single spyware application on a single desktop may mean that some financial data might be stolen. For us it means patient health information might be leaked. We have taken the stance that if an employee doesn’t need the Internet to do his or her job, that computer won’t have access of any kind. Those with Web access don’t store medical data,” says Maro.

TIP: Disconnect your users from the Internet if you really need to keep customer data private. And don’t forget to update your computer and network usage policies to match the changing legal landscape too. “We continue to update our policies as technology and threats change,” says Maro.

O’Berry is particularly sensitive to this situation, as he works for a state agency.

“Beginning in July of 2009, South Carolina has possible civil penalties if you don’t notify folks in a timely manner once you believe data is leaked, and these penalties can add up if you divulge even a fairly small amount personal data. It just makes good common sense to protect at all levels and we have always taken that seriously based on our absolute responsibility to both victim’s data as well as our moral duty to not create a new victim, and thereby a possible burden on taxpayers, by compromising even one of our offenders. Nevertheless, there are some fairly broad legal definitions of what constitutes private information and we need to do a better job of defining it in the future.”

Leaked laptops

We all know that laptops are potential data security targets, and as more corporations standardize on laptops as their principle computing device, it means that the opportunity for their theft or loss increases. And to complicate matters, the Department of Homeland Security has had a policy that allows them to impound your laptop when you come back into the US, with no other reason than their particular mood of the day.

Certainly, there will continue to be cases of stolen or lost laptops with customer data on them. Mine was lifted from the trunk of my car in a shopping center while I was eating dinner one night: fortunately, most of the data was encrypted, thanks to Lotus Notes. But this begs the question, why don’t more enterprises have encryption policies?

TIP: If you don’t have a policy for whole disk encryption of your laptops, now is the time to formulate one. Maro says, “It’s not a question of if you will lose a laptop; it’s a question of when.” This hasn’t been an issue for his shop because he encrypts each laptop’s hard drive. “All of our laptops have PGP’s whole disk encryption on them before they are issued to the employee. I wouldn’t want someone leaving a company car downtown unattended with the keys in it, the same goes for our data.”

eDiscovery

An entire industry has evolved over the notion of eDiscovery, the ability to archive important electronic documents that may pertain to pending legal actions such as lawsuits.

Sadly, the off-the-shelf email and document management tools don’t really have the ability to archive particular messages or documents that are subpoenaed, or to collect them easily based other legal actions. Most of these tools and applications have no security models that can match the needs of the lawyers, and the individual messages have to be manually sorted or copied to be preserved. One IT manager at a law firm mentioned that “There is no mechanism in our document management systems that can export then associate detailed document metadata such as who viewed and edited the document, and for how long.”

TIP: Consider any litigation support as part of your next email and document archival solution. Also consider who has access to this archive, including any help desk and support staff, and whether that access will pollute any potential evidence chain in a pending legal matter involving the archived data.

Summary

As you can see, the changing legal landscape bears continued vigilance and IT managers have to stay on top of compliance and liability issues, even for those laws that may not directly involved corporate data usage. “It is getting harder and harder to keep up with legislation because every state is different. It is like a giant spider web,” says O’Berry.

Alice Stitelman, an expert in email usage and legal matters, says: “What you don’t know about legal computer issues can hurt you. Many business users mistakenly believe that their data is private–whether it be on their laptop, cell phone, or mobile device. In fact, they should have no expectation of privacy. Users have much less control over who reads their data than they may realize. Companies need to develop policies and procedures around these issues, if they haven’t already. Also, they need to be very clear in how they communicate those critical policies and procedures to their employees.”