Barbara Rogan, Chief Legal Counsel with LogLogic (www.loglogic.com), says:

What steps can data center and IT managers take to limit the possibility of potential legal liabilities?

The keys to protecting the company are communication and knowledge:

  • The first and most important level is communication between IT and the department that sets the policies, which is typically the Legal Department. IT must understand what the policies say and what implementation of the policy means practically for their department. The best case scenario is when IT and the Legal Department work together to develop the policies in light of the needs of the business. IT input is invaluable to the Legal Department in setting the policies, identifying areas of vulnerability, and implementing the policy. Typically, the Legal Dept has only a rudimentary understanding of how IT works and how the data flows. If you can provide your legal team with data flows and IT processes, you will certainly be the Legal Dept’s hero!
  • Ask the Legal Department for a designated contact for questions about policies. Don’t guess what a policy means. Also, if a policy creates a business problem, speak up! Let the Legal Department know, as many of the policies can be revised or modified to meet your business’ needs.
  • Ask for training on issues that are relevant to your company. If you don’t have the expertise in-house, get outside training.
  • Know what’s being stored in and what’s going on in your network. Log management can be extremely helpful for this.
      ◦ Ignorance is not bliss – you cannot be willfully ignorant and rely on “We didn’t know” if a law enforcement agency knocks on your door.
          ▪ As an example, under copyright law, if a company exercises due diligence in monitoring for copyright violations, then it’s possible for the company to escape liability entirely.
          ▪ As an opposite example, under the HITECH Act, companies that were willfully ignorant of their risks face much larger fines and penalties.
  • Don’t store data you don’t need. Make sure your policies allow only for the storage of information that is required for the business and absolutely nothing else.
  • Make sure your procedures are tight. Bill’s right – the greatest source of data loss is through employees and contractors.
      ◦ Think through from start to finish what happens when someone is granted new access to the network. Do they have to sign a legal document that says they will adhere to policies? If not, work with HR and Legal to get such processes in place.
      ◦ Also think through what needs to happen when someone leaves the company. What information/notifications does IT need to properly ensure that access is shut down promptly and correctly?
      ◦ Finally, just knowing that a procedure is in place is not sufficient. How does IT verify the right procedures are followed?

A partial list of laws that might impact an SMB IT Department:

  • Gramm-Leach-Bliley
  • HIPAA
  • HITECH Act
  • European Data Privacy Laws
  • Child Online Protection Act
  • Copyright laws such as Digital Millennium Copyright Act
  • Various State laws such as the Massachusetts Privacy law and California Civil Code 1798.82 and 1798.29
  • Trade secrets laws such as the Economic Espionage Act