Legal Liability

  • Comments posted to this topic are about the item Legal Liability

  • The way I see it, it's a shared responsibility but the executive is always responsible. It's that person who decides which person does what in the end or decides which other person he delegates to.

    However, it's also the responsibility of the IT department to have security experts or notify the boss they lack security experts.

    But I know for a fact loads of projects need to get done and get done fast. In those cases, the one in charge decides where to cut down on time and thus is responsible for lack of security. Although he might get his orders from someone else, hence that person is responsible. It ain't more complicated than that.

    So in short, the responsibility is on us IT folks to notify when we lack security or information on how to handle security but it's the boss's responsibility to decide on the approach to the problem and if he is informed, then the responsibility is his.

    There is, however, a wide lack of understanding of IT security amongst most of us. How many know, for instance, what a simple HTML redirect attack is? How many validate everything sent from the client on the server side?

  • I got mugged at the grocery store this morning, and it's the police chief's fault, because he wasn't there to stop it. Actually, it's the security guard's fault, because he didn't show up to work early, when I was there. And it's the bagger's fault, because he didn't call 911 when I yelled for help with the doors closed so he couldn't hear me. I'd blame the 911 dispatcher too, but the bagger's cell phone doesn't have service, so I'm busy looking up the CEO of the cell phone company.

    C'mon. Crime is the fault of the criminal, and idiocy can NEVER be a crime, we don't have enough jail space. Life is a liability, live at your own risk, and don't sue people for crimes they didn't commit; nobody wins that fight but the lawyers.

    ---------------------------------------------------------
    How best to post your question
    How to post performance problems
    Tally Table: What it is and how it replaces a loop

    "stewsterl 80804 (10/16/2009) I guess when you stop and try to understand the solution provided you not only learn, but save yourself some headaches when you need to make any slight changes."

  • jcrawf02 (9/11/2008)


    I got mugged at the grocery store this morning, and it's the police chief's fault, because he wasn't there to stop it. Actually, it's the security guard's fault, because he didn't show up to work early, when I was there. And it's the bagger's fault, because he didn't call 911 when I yelled for help with the doors closed so he couldn't hear me. I'd blame the 911 dispatcher too, but the bagger's cell phone doesn't have service, so I'm busy looking up the CEO of the cell phone company.

    C'mon. Crime is the fault of the criminal, and idiocy can NEVER be a crime, we don't have enough jail space. Life is a liability, live at your own risk, and don't sue people for crimes they didn't commit; nobody wins that fight but the lawyers.

    "idiocy can NEVER be a crime"

    I disagree. Ignorance or idiocy can never be used as an excuse to commit a crime. It is your responsibility to know the law in your country.

    "we don't have enough jail space"

    Interesting how the USA has 5% of the world's population but 25% of the world's prisoners, guess it's a problem for the USA only ^^.

    "and don't sue people for crimes they didn't commit"

    That does not seem to be much of a problem outside of the USA, from what I know.

  • ^^^ Agreed, lawyers are quite an expense as it is and a case like that would look like a SCO gravy-train to them. As for government regulations, I thought that there were already quite a few of them with SOX, et al. Certainly there is something in one of those that covers something like this? With all the policies and procedures and documentation that you have to put together to be a publicly traded company, the liability should be covered and signed off on. Basically anything an employee does in a company when there isn't a procedure IMHO is done on behalf of the company. Therefore it should be the company that is liable. That's why companies have that errors and omissions insurance and not the employees. Then the insurance company would put pressure on the company to amend its procedures so that their premiums don't skyrocket.

  • I've had a bit of a think about this, and at the moment my answer is one of those "in an ideal world" scenarios. Not sure yet how it'd be effectively translated into practice.

    As I see it, liability goes hand in hand with responsibility. A company has a responsibility to safeguard personal data it holds, so if it fails, it should be held liable. The company devolves all that responsibility onto its executive board, so the liability should be devolved with it. A board that is doing its job properly will delegate some of that responsibility to certain business areas, along with certain resources necessary to put it into practice and an understanding that it'll check it's been done and is effective. If the board has done that properly, it's reasonable to absolve them of their liability and look further down the food chain. If not, the board has failed in its responsibility, so should wear the liability.

    This successively more detailed devolution of responsibility for certain aspects, along with provision of resources to make execution possible, can be carried on down all levels of the business until one finds the point at which someone or some area failed to live up to its responsibility, and there is where the liability should fundamentally sit. If all levels have done what could reasonably be expected of them, there's no reason for liability (at least in the criminal sense) to sit anywhere, and we can let the stock markets/shareholders/insurance companies fight it out to apportion the costs that have resulted, since their responsibility comes hand in hand from the risks they take in putting their money where they did.

    All IMHO, of course.

    Semper in excretia, sumus solum profundum variat

  • IceDread (9/11/2008)


    "idiocy can NEVER be a crime"

    I disagree. Ignorance or idiocy can never be used as an excuse to commit a crime. It is your responsibility to know the law in your country.

    Not that it should be used as an excuse to commit a crime, but if there is not a regulation governing something, or you're following the existing regulation, and a crime is committed where data is leaked; regardless of how common-sense it may seem to protect it; the solution is to tighten the regulation, not sue the pants off of the party that was following the existing law. Be pissed at the criminal who exploited the weakness.

    And I agree, excessive litigation does seem to be a uniquely USA-driven situation.


  • jcrawf02 (9/11/2008)


    IceDread (9/11/2008)


    ...And I agree, excessive litigation does seem to be a uniquely USA-driven situation.

    Oh, I don't know. I'd say there's plenty of excessive litigation outside the US too - just that the States does a fine job in carrying the excesses to excess 😀

  • We are an overly litigious society, seeking to place blame everywhere rather than on the criminal. Great for lawyers and bureaucrats who thrive on placing blame. But by making every oversight a crime in hindsight, you don't eliminate oversights, you encourage CYA approaches that leave systems unusable.

    ...

    -- FORTRAN manual for Xerox Computers --

  • I've heard other countries are starting to have more and more legal battles as we do in the US.

    It's easy to say this is a gray area, but how do you handle things? For example, is someone setting a blank password an act of negligence (idiocy) or maliciousness (causing issues for their employer)? Or maybe it doesn't matter.

    I think that having corporations responsible is correct, but there need to be places where executives take blame as well. And not just with their jobs. The Enron/Worldcom situations are an example of this. Relatively few people are doing things that affect millions. Punishing the corporation affects the jobs of thousands of people that didn't do anything wrong.

    For the IT guys, we need to have some protection from liability unless it is shown we have done something maliciously.

  • jcrawf02 (9/11/2008)


    ...C'mon. Crime is the fault of the criminal, and idiocy can NEVER be a crime, we don't have enough jail space. Life is a liability, live at your own risk, and don't sue people for crimes they didn't commit; nobody wins that fight but the lawyers.

    I agree with jcrawf02. Additionally, I would like to say that responsibility is not something that can be legislated easily. The glut of laws and inessential legal cases in the USA only shows that our risk-free, blame-the-other-guy outlook on life is seriously flawed. It creates unreasonable expectations. How else could you account for the insanity of bringing a lawsuit to a company that hangs a banner which says "Merry Christmas", because the "Christ" in the message was offensive?

    Calling for legislation on the order which Steve suggests only propagates the inclusion of more laws and more reasons to point the finger. If someone finds it terribly inconvenient to cancel and reorder credit cards, why not throw them out? If using cash and checks is more burdensome, then go back to credit cards and stop bitching about your inconveniences. We do have choices. And, because we have these choices, we cannot morally hold a credit card company liable for damages that result in their accidental loss of information.

    One might as well sue Henckels for making knives that cut your finger open while you were preparing dinner. Or, sue Craftsman for making hammers too dense because you broke your toe when the hammer slipped out of your hands. Or worse, sue Sears for selling the Craftsman tools. Heck, you might as well sue the city for allowing Sears to use public roads to transfer the notorious hammers from their warehouses.

    I can see someone, one day, suing God for creating stupid people.

  • We have existing laws, but our legal system (in the US) makes it nigh impossible to apply them to "new" things in the electronic world. Besides, laws against burglary have never stopped it. Even responsible homeowners shooting all the burglars that they can find hasn't stopped it.

    If we don't make someone liable for the theft of the crown jewels because they left the bank vault unlocked, why should we make someone liable for leaving their electronic doors unlocked? Can your home owner's insurance company fail to reimburse you for not locking your house or your car?

    Besides the market corrects for this. I've been a victim of identity theft, and I've taken steps to protect myself and my family, and even so I probably won't be staying at Best Western for a while...

    Ultimately, there's no protection from liability as it stands currently. And won't be until we stop electing lawyers and letting them write the laws...

    I've been personally sued for or part of a company that was sued for:

    * Getting a job that other people thought they should've gotten instead.

    * Doing my job (as a police officer) to the letter of the law.

    * Starting a business that challenged an existing business model that is protected by law.

    * Playing hardball with competitors who didn't have pockets quite as deep.

    Being sued can be a lot of fun. Especially when you win. Three out of four ain't bad... :hehe:

    I also worked for an IP law firm that did a lot of suing back in the '90s, and the bill rates were nice. Does that make me a bad person?

  • David Reed (9/11/2008)


    I also worked for an IP law firm that did a lot of suing back in the '90s, and the bill rates were nice. Does that make me a bad person?

    If I say yes, does that count as defamation of character?


  • Bad as in bad or as in "Dy-no-mite!, I'm Baaaaddddddd"

  • jcrawf02 (9/12/2008)


    David Reed (9/11/2008)


    I also worked for an IP law firm that did a lot of suing back in the '90s, and the bill rates were nice. Does that make me a bad person?

    If I say yes, does that count as defamation of character?

    Definitely. 😉 Please provide your physical address so that the process server can locate you. Might as well get your affairs in order so we can properly figure out which deep pockets are in your general vicinity. 😛 Always have to be on the lookout for a lottery ticket, no? :hehe:
