Network Security as a Legal Issue

Consider the following scenario: An employee of Company X uses his company computer (without authorization) to scan the Internet and eventually finds a server belonging to Company Y that he can take control of with a publicly documented exploit. He then uses that server as a stepping stone to break into the database server at Insurance Company Z and steals the medical records of a celebrity, records that contain sensitive and potentially damaging personal information. The stolen information is later distributed to the public. Who is responsible? The employee is, of course, ultimately responsible, but he probably lacks the financial resources that would make it worthwhile for the celebrity to pursue him in court. Companies X, Y, and Z, however, could all find themselves drawn into legal action as a result of the theft: X because its computer was the origin of the attack, Y because its compromised server was the intermediary, and Z because it failed to protect the data entrusted to it.

Just as a person expects a bank to take "reasonable steps" to keep her money secure, organizations are expected to take reasonable steps to keep personal information secure from public access. What counts as reasonable care is still being defined, and the definitions change constantly in this fast-paced and fluid environment. The security policy mentioned earlier in this chapter is described in RFC 2196, the Internet Engineering Task Force's (IETF) Site Security Handbook.
