There are many legal liability issues that can arise from the electronic world: copyrighted material, inappropriate usage of systems, and so on. Electronic media presents some interesting nuances to potential legal liability issues. Violations happen electronically much faster than in the real world. In the electronic world, the scope of the problem and the eventual resting place of the ‘smoking gun’ can also become very complex. An inappropriate email referenced in a sexual harassment suit could end up in multiple systems, backup tapes and mobile devices. The very nature of the electronic world can make it very expensive for companies to respond to any litigation involving electronic media or usage of information systems.
What can you do to limit the possibility of litigation?
Every risk and security issue has a technical and a non-technical side. The ‘soft’ side, meaning policies, education, awareness, consistency in enforcement and consistent disciplinary action for violations, has to be part of the solution. The technology side of this issue has numerous avenues. Unfortunately, for every wall IT puts up, users will most often seek some other avenue. Block instant messenger traffic, and users start using web-based IM. Block web-based mail sites on your network, and users start sending emails from their work accounts or using their company-issued mobile devices to check personal mail. Therefore, the company has to look at this issue holistically.
How can you prevent them from happening in the first place?
- An anecdote comes to mind when I think of the legal liabilities issue. I think about a company I worked with that had a web server crash at one of their outlying business units. It turns out that the server had been hacked, anonymous FTP had been turned on and it was being used as a warez site. The server finally crashed when the disk filled up with pirated movies and software. So now the company had not only a business disruption on their hands but also a hacked system AND legal issues with the nature of the files on their system.
- Policies and awareness have to be part of the fundamental approach. The company has to define acceptable usage of systems, acceptable practices and codes of conduct.
- Secondly, a technology strategy has to be defined that layers on different preventative controls. This includes the definition of firewall rules, network routing strategies, host and desktop management tools and content filtering technologies. Each one of these tools has its place in preventing the improper usage or potential malicious ‘takeover’ of systems.
- Monitoring controls are also necessary. Log management and consolidation tools and SIEM technologies can pull together the pieces into one consistent view of what is going on in the environment. In both of the anecdotes above, it would have been very helpful for both companies to have a better understanding of what was going on in their technology environments. A high level of FTP traffic to a web server should have indicated an issue, especially since the web server was never implemented as an FTP site. A high level of P2P traffic should have indicated in the second case that there was an issue with the proliferation of P2P network
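As an added illustration of the monitoring point above (example code written for this page, not the author's or any product's), here is the kind of rule a log consolidation or SIEM tool could run over flow records: it keeps an inventory of the services each host is supposed to offer and raises an alert when a host moves a large volume of traffic on any other port, which is exactly how a web server suddenly serving FTP would surface. The host addresses, the expected-service inventory, the flow line format and the byte threshold are all constructed assumptions.

```python
"""
Added example, not part of the original post: flag hosts that are serving
traffic on ports outside their expected service profile. All host addresses,
the service inventory and the flow records below are constructed.
"""
from collections import defaultdict

# Constructed inventory: the ports each monitored host is supposed to serve.
EXPECTED_SERVICES = {
    "10.0.5.20": {80, 443},   # hypothetical web server: HTTP/HTTPS only
    "10.0.5.30": {25, 587},   # hypothetical mail relay
}

# Constructed flow records, one per line: timestamp src dst dst_port bytes
SAMPLE_FLOWS = """\
2024-03-01T02:10:11Z 203.0.113.7 10.0.5.20 443 18211
2024-03-01T02:10:15Z 203.0.113.7 10.0.5.20 21 2048
2024-03-01T02:11:02Z 198.51.100.9 10.0.5.20 21 734003200
2024-03-01T02:12:40Z 198.51.100.23 10.0.5.20 21 512000000
2024-03-01T02:13:05Z 192.0.2.44 10.0.5.30 25 5120
2024-03-01T02:14:19Z 192.0.2.44 10.0.5.30 22 4096
"""


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; skip blank or malformed lines."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, port, nbytes = parts
        try:
            flows.append({"ts": ts, "src": src, "dst": dst,
                          "port": int(port), "bytes": int(nbytes)})
        except ValueError:
            continue  # non-numeric port or byte count: ignore the record
    return flows


def unexpected_service_volume(flows, expected=EXPECTED_SERVICES):
    """Aggregate inbound bytes and distinct sources per (host, port) for ports
    the host is not inventoried to serve. Hosts outside the inventory are skipped."""
    totals = defaultdict(lambda: {"bytes": 0, "sources": set()})
    for f in flows:
        allowed = expected.get(f["dst"])
        if allowed is None or f["port"] in allowed:
            continue
        key = (f["dst"], f["port"])
        totals[key]["bytes"] += f["bytes"]
        totals[key]["sources"].add(f["src"])
    return totals


def alerts(flows, byte_threshold=100_000_000, expected=EXPECTED_SERVICES):
    """Return sorted (host, port, bytes, source_count) tuples for unexpected
    services whose inbound volume reaches byte_threshold."""
    out = []
    for (dst, port), agg in unexpected_service_volume(flows, expected).items():
        if agg["bytes"] >= byte_threshold:
            out.append((dst, port, agg["bytes"], len(agg["sources"])))
    return sorted(out)


if __name__ == "__main__":
    for dst, port, nbytes, nsrc in alerts(parse_flows(SAMPLE_FLOWS)):
        print(f"ALERT {dst} serving port {port}: {nbytes} bytes from {nsrc} sources")
```

On the constructed data the web server's FTP traffic (port 21, over a gigabyte from three sources) is reported, while the single small SSH flow to the mail relay stays below the threshold and is not. Keying the rule on an inventory of expected services rather than a list of bad ports means any service a host was never meant to run, P2P included, trips the same check.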
- Finally, the company has to be prepared to respond. The worst part of litigation, in many instances, is the sheer cost of the investigation or discovery process. Record retention policies, data backup and maintenance programs, and information asset catalogs (such as those created by Data Loss Prevention technologies) can be extremely helpful during discovery.