Data Security Policy and Procedures

Last Updated: 24 Mar 2020

As technology develops at the speed of light, as digital phones and computers grow more powerful than twelve acres of 1967 IBM mainframes, as information is set down in liquid pixels and stored in virtual warehouses the size of a postage stamp, as hackers and those of ill will seek out ever-new clever ways to “break and enter” virtual “banks of data,” the law must respond, reflect, assess and codify those principles which will serve the business community, management and labor, employers and employees, as it enters the unknown territory of a virtual future.

In a more genteel time of scriveners, Bartleby and Scrooge, an employee at day’s end would lift the top of his writer’s desk, store the handwritten documents for that day and wait for his superior to stop by with a key to lock the desk for the night. Theft of such documents would have required breaking and entering into a physical place to obtain physical objects.

Cause and effect would be clear, as would an assessment of responsibility and liability. However, with today’s technology and the wide-open vistas of the world wide web, theft can occur from a transnational distance over invisible lines by processes barely comprehensible to those responsible for security. The 19th century scrivener under contract to his employer performed certain services and incurred certain duties and responsibilities.

Doubtless, to a certain degree (perhaps depending upon who held the key) he was responsible for the safeguard of his newly copied documents. Likewise the modern employee owes similar duties and responsibilities; however, in the cyber age of information, the protection of data and information, securing it from being lost in the ocean of the web, is a more complicated issue, a more difficult task and raises questions that have yet to be resolved in this protean and ever-burgeoning area of business law.

First, a word concerning definition and semantics: The terms “responsibility” and “liability” tend to get laced in the TV screenwriter’s daisy-chain of legalese in much the same way as Hamilton Burger couldn’t help himself from objecting in every episode of “Perry Mason” with the contradictory charge of “irrelevant, incompetent and immaterial.” What one gains in the impressive sound of “lawyer-words” is lost to meaning and precision.

The distinction is important to present issues insofar as responsibility means the capacity, so far as this is a matter of a man’s mind or will, which normal people have to control their actions and conform to law. It describes the duties a person takes on which are general for any party to an agreement, a contract for consideration. Liability, on the other hand, is the quality or state of being legally obligated or accountable.

It is a legal responsibility owed to another or society enforceable by civil remedy or punishment. Liability is a more serious matter in that it is ultimately an assessment by some given authority (judge, jury, and arbitrator) that one’s failure of responsibility is of such a nature as to incur the greater duty to make amends or remedy as determined by the specific facts of the matter.

In short, liabilities denote some failure of responsibility; however, all failures of responsibility do not necessarily result in the imposition of liability. At its most basic level the law is about the management of relationships, the identification, assessment and balancing of the rights, interests, duties and responsibilities of the parties to the relationship. The law assesses the relative merits of argument when these respective interests come into conflict.

In the arena of cyber space, cyber theft, cyber torts, the many relationships between and among several parties raise a plethora of issues, a multitude of arguments. The primary relationship exists between the employer and the employee. The relationship rests in the employment contract; however, depending upon the conduct of the parties other areas of law may come into play: harassment, negligence, cyber tort, trespass, theft, etc.

With the focus on the employment contract as setting forth certain responsibilities for either party in the age of cyber-data, the portability of laptops, and the ephemeral nature of recorded data, the questions raised, among others, are to what extent an employer can direct and restrict the conduct of an employee when those directives and restrictions bounce up against the employee’s competing interests in the ownership of personal property (his or her laptop) or the employee’s right to come and go as he/she pleases in a free society without having to exercise extraordinary care concerning the contents of his/her laptop, outside the office, beyond office hours. Just how far can the four corners of the employment contract stretch to govern employee conduct, responsibilities and the imposition of potential liabilities during the employee’s personal time? (The issues concerning the use and the restrictions on use of the employee’s personal laptop in the workplace during work hours are the easier analysis, with the weight of authority siding with the employer’s right to impose restrictions deemed necessary for security and employee performance.)

Analogies to this predicament, which in general asks to what degree an employer, as a condition of the employment contract, can direct the employee’s “after-hours” life, can be found in similar issues raised by those employment contracts which include a 24-hour non-smoking clause (in the interest of health costs, insurance premiums) or the ban on any office romance, inside or outside the office. What responsibilities does an employee incur with the pervasive use of laptop computers, which in a physical sense are portable items of personal property, but also carry a volume of information that once would have been stored in several warehouses or file rooms? Simply stated, employees are probably more of a security risk than an asset.

By virtue of technology’s advance, employees have been placed in a precarious position of being guardians at the gate of treasure when the gate and the treasure are often invisible and invaded by invisible means. Perimeter security doesn’t work anymore. The airwaves are filled with rogue access points, and people are bringing infected laptops in and out of the enterprise. “A number of companies … are revising their policies about how employees should handle confidential data stored on computers. Many employees are facing new restrictions on who can take confidential records out of the office and are receiving special training on how to keep data secure.

Workers found violating security policies are being disciplined or even dismissed.” The next relationship is a sub-set of the first. It looks at the situation in which an employee, having agreed to whatever conditions, duties, responsibilities, set forth in the employment contract and the statement of company policies, exhibits negligence, even gross negligence, in the care and handling of his laptop, resulting in its physical theft. Assume the laptop’s hard drive contains something equivalent to the recipe for Coca-Cola, and the implications of loss to the company are self-evident. In this hypothetical the employee has failed in his responsibilities to the company. And yet what are the company’s remedies?

As referenced above, they can discipline or dismiss the employee, and then sit back and watch as Company Z manufactures a soda as good as their own. The issue as to whether they can hold the employee liable is dwarfed by the issue of remedies. One fired employee will not return the secret formula. Assume the employee’s conduct was criminal. He gets ten years, community service, and a lien on his property (a double-wide outside of Macon) in the amount of ten million dollars. Company Z is still making a fortune manufacturing a cola as good as the original. The failure of remedy only serves to point the aggrieved party downstream to search out other remedies (i.e., deep pockets), civil and criminal, for their loss.

And yet, even then, assuming the best case scenario for Company Z (meaning the likely imposition of civil remedies and criminal fines/punishment), any litigator knows that at that advanced stage of litigation, with large companies and big firms on the clock, the process is exceedingly slow and, absent injunctions against the offending party, the secret is now likely to be in the hands of Companies A, B, C and D. This hypothetical only points up the extreme seriousness of the necessity for a company’s defense against attacks from outside, and the disturbing acknowledgment that said defense is not wholly within the company’s control. Companies have instituted policies to stress, express and maximize an employee’s responsibility, even imposing certain liabilities on the failure of such duties; all to minimize and limit the risk of hacking and theft.

But the 20th century world of “hard copy” (and what that implies) is about to pass by commerce as businesses enter a new age of information-gathering and information-conveyance. The substance of current information is as rock-solid, as valuable as ever; however, the “thing itself” – what used to be the paper and the ink scribbles on the paper, i.e., the thing that carried the information – is now words on screens that can all too easily disappear onto invisible hard drives that move by means of invisible wires cast about the world in an invisible matrix – rendering the whole chain of custody as ephemeral as vapor, vulnerable to the peculiar talents of a new kind of thief, who’s comfortable with the notion of theft as an intellectual rather than a physical activity. So, who’s vulnerable? “Anybody who has data.”

Another issue that arises out of the various relationships involved is this: Given the current state of affairs regarding the risk and threat of data theft, cyber theft, laptop theft, floppy disk theft, companies, for some time, have been on constructive (if not express) notice that there are individuals among us, peculiar perhaps in their pursuits, talented and brilliant in ways often unknown to current Baby-Boom age management, who derive pleasure and more likely profit from infecting the web and its offshoots with viruses. The following hypothetical presents itself: Hacker X in a basement in Queens has been hired by Rogue Company Z, competitor of large and established Company A, to infect Company A’s computers with a virus that will disable Company A, thereby enhancing competitor Rogue Company Z’s position in the shared market.

Hacker X is to be paid a good deal of money and not because he’s stupid. He knows from experience that a direct assault on Company A is more likely to lead a trail back to himself and Rogue Company Z. Therefore Hacker X studies the interlocking systems of Company A with client companies and determines he can attack Company A through out-of-state Company Client. On a given Monday Company Client’s workers go to work and discover that their system has crashed with a virus that will spread through a given network, affecting several companies down line, including Company A, the prime target. The issues are what duties did Company Client have to notify entities down line?

As a practical matter, is there time for Company Client to notify other companies down line? What duty does any company, such as Company Client, have, not only towards itself, but to companies down the line who will suffer impairment from the traveling virus? And most importantly, do the companies down line have a cause of action against Company Client for breach of some duty in failing to protect itself (and therefore others) from virus infestation? The questions are not rhetorical. They are real and fact sensitive. One can envision a circumstance in which a company is so lax in its security that it all but screams for hackers to have their way.

Such a security failure might very well be deemed a breach of duty to other companies in the zone of danger (its length and breadth however defined). And yet all we are left with are the questions: What laws or what standards govern? Are they state laws? And if so do they give rise to conflict of laws problems? Are they Federal laws? Who sets the standards codified by the legislation? Does the current state of common law (tort and contract) anticipate the advantageous application of old principles in new clothes? On analysis, it appears that when all is said and done, the essential “bottom line” issue will devolve about the areas of remedies and insurance.

Analysis of responsibilities, their breach and consequent liabilities can fill courtrooms with boxes of pleadings; however, when the issues are finally resolved and liability is determined, who, in this day of multi-billion dollar cyber secrets, will have the funds, the deep pockets, to make the aggrieved party whole? The resort to insurance opens another area of analysis which for now remains without the boundaries of discussion prescribed herein; however, one can only imagine the super-layer of responsibilities to be imposed on companies and their employees by insurance contract, drafted water-tight, so as to minimize risk of theft in a high risk environment.

Cite this Page

Data Security Policy and Procedures. (2016, Jul 23). Retrieved from https://phdessay.com/laptops-hard-drives-the-ephemera-of-data-the-risk-of-theft-and-consequence-of-law-responsibilities-and-liabilities/
