Who is liable for network breach?

Status
Not open for further replies.

wardog25

Technical User
Oct 24, 2003
129
US
I have a question I'm having trouble finding solid answers to.

Let's say a Network/System admin decides some aspect of his company's network is extremely unsafe and leaves their business open to attack. He requests the money/resources/permission to fix this from his superiors and the superiors deny it all, telling him to leave it as is.

Now say the company network is hacked and personal data is compromised. Who will courts hold responsible for this? Is there a good chance it could fall back to the Network admin, in spite of his efforts? What are the legal precedents for this? Does anyone know?
 
I would assume that unless there is concrete evidence that the security risk was identified and funding/permission was denied, that the responsibility for the breach will fall on the person who is responsible for the network - the network admin. The only way it can be passed up the chain, IMO, is to show that the risk was identified, but management interfered with the admin's efforts to fix the breach before data integrity was compromised.

Never listen to your customers. They were dumb enough to buy your product, so they have no credibility. - Dogbert
 
And even so, I would think the company would also fire the admin, attempting to clear out everyone involved in the security failure.

Never listen to your customers. They were dumb enough to buy your product, so they have no credibility. - Dogbert
 
I would think that the company would be held accountable, unless it could be proved that the employee deliberately left the network open.

If there was documentation that showed the admin's concerns and requests, it makes life even easier.

"We can categorically state that we have not released man-eating badgers into the area" - Major Mike Shearer
 
Any time you are asked to do something illegal or unsafe (or insecure in the case of a network), express your concerns in writing and do not settle for anything less than a written response telling you to do the thing you feel as if you could be held liable for. Hold a copy of all documentation off site, so that you can access it if you are ever wrongfully terminated. It's funny how much less often management is willing to settle for expedient when their names are on the decision in writing!

"NOTHING is more important in a database than integrity." ESquared
 
"Liable"? Sounds like a legal term, and you sound like an attorney.

I think the ethical thing to do is to explain in writing to management the risks and possible downside if a given course of action is taken or not taken. Pretty much what SQLSister said.

To actually address your term of liable, all companies are liable for the actions of their employees while they are performing their job. So if substandard security, for example, leads to personal information being exposed or hacked into, yes, the company is liable IMHO.

Even if the people doing the job are totally incompetent, the company is liable for not hiring better people or using better systems.

About the only time liability can be placed on the employee is in the case of fraud or malice.

Software Sales, Training, Implementation and Support for Macola, eSynergy, and Crystal Reports

"If the phone doesn't ring, it's me".....Jimmy Buffett
 
A question like this should really be posed to a lawyer. Pretty much all anyone in here can do is guess.

IMHO the company is the one who is liable as the company hired the employee. Employees are generally shielded from their employees' stupidity except at the highest levels of management, or intentional malice / fraud / etc on the part of the employee.

Denny
MCSA (2003) / MCDBA (SQL 2000)
MCTS (SQL 2005 / Microsoft Windows SharePoint Services 3.0: Configuration / Microsoft Office SharePoint Server 2007: Configuration)
MCITP Database Administrator (SQL 2005) / Database Developer (SQL 2005)

--Anything is possible. All it takes is a little research. (Me)
 
Agreed. Especially when it comes to regulations like HIPAA and SOX, the company is responsible. The company has an obligation to hire people who know what they're doing and provide the resources to do their jobs, but most employees are limited to what their management allows them to do. That makes it very difficult to hold them responsible for the company's problems/misdeeds.

Of course, regardless of whether you pointed out the shortcomings or security issues in advance, if there is a major breach, especially one that is publicly announced, there's a good chance that you'll get fired anyway as part of the housecleaning.

As everyone else here has said, always make sure that your concerns are documented in writing. That way if there is some sort of investigation later there will be evidence pointing to the person/persons responsible for the decision.
 