As an IT pro, you could get in legal trouble without even realizing it. You may be liable for civil damages, criminal fines, and/or jail time if, while doing your job, you intentionally or accidentally breach contracts or violate laws. It doesn’t have to be criminal behavior; there are lots of noncriminal actions, called torts, that you can accidentally stumble over.
This kind of inadvertent legal trouble actually happens to IT pros. For example, one client I represent in a copyright infringement case went to a construction site, measured the kitchen, then went back to his office and created a kitchen equipment drawing using AutoCAD. Sounds innocent, doesn’t it? Yet he is now a defendant in a federal lawsuit, as is his employer, for infringing the copyright of the architect, even though he made his own drawings rather than using the architect’s drawings. In the United States, for better or worse, anybody can sue anyone else — and they frequently do.
So how can you get in legal trouble without even knowing it? Let me describe some specific instances where IT pros could unwittingly find themselves in legal trouble by just doing their job.
Confidentiality and privacy violations
You need to be wary of how you treat confidential information, so an understanding of privacy laws is essential. Information could be considered confidential because the owner of the material contractually requires protection of the knowledge by those with access to it. State or federal laws dictate whether information is considered private and whether there is an obligation to protect certain types of information about individuals.
An example is HIPAA, the law governing the use of medical information, which lists 18 data elements that may not be made public. As an IT pro, you should be aware — in a general sense — of the origins of the data stored on your IT systems. For example, privacy laws vary widely across countries, so if you access or manage information systems that include data from, say, the European Union, different laws and requirements may apply than if your business handles only U.S. data.
As companies deal more and more globally, it’s easier and easier to have information from different regions, each with its own rules. The E.U.’s Data Protection Directive, for example, permits individuals to access computers that have information about them and requires the holder of that data to modify it as requested. Canada and Japan have similar laws relating to personal data.
In the United States, the general rule is that employees are not entitled to privacy for emails accessed through email systems provided by the employer. On June 17, the U.S. Supreme Court voted 9-0 that employees should likewise not expect any privacy for text messages accessed using employer-provided equipment. However, employees can expect their emails and text messages to remain private if accessed only on their personal equipment. An employee using a personal iPhone or PC for work email could expect personal emails on that device to be private but not emails accessed from the corporate email system; many courts have ruled in the United States that the use of corporate email systems means that the employee should expect no privacy.
Another area in which you should be careful: You should not access confidential information for personal use. That sounds obvious, but some courts may think that reviewing confidential information is not an innocent activity and assume there’s an intent for personal use. You should have a specific business reason to review such information. On the other hand, one federal appeals court overturned the conviction of an IRS employee for reviewing taxpayer information inappropriately because that employee did not actually use the information.
In the United States, possession of child pornography is a crime, and there are no ifs, ands, or buts for this issue. If you find child pornography on computers at work, you could also be guilty of a crime if you do not turn in the person possessing the child pornography. This fact puts a big burden on each IT professional to be vigilant for child pornography. But note that the U.S. Supreme Court decided that an animated video featuring cartoon characters of kids was not child pornography because there were only computer-generated characters.
Adult pornography is a different matter: It is not automatically a crime to possess adult porn in the United States, and it is not a crime at all in many countries. In the United States, the tricky part about porn is the concept of community standards, which leaves the decision to each locality as to what is pornographic. That can make it hard to have a standard across multiple locations, and even in one location, it requires IT pros to have a sense of what is acceptable or not to the community (the employees, for example) as opposed to what is personally acceptable. Ultimately, the company’s policies should determine the standard, not individual IT pros, and IT pros should know what those policies are.
The body that governs website domain names, the International Corporation for Assigned Names and Numbers, recently adopted an .xxx top-level domain for porn sites, which should make tracking behavior of this sort much easier.
Copyright and source code violations
Most everyone is aware that the “software police” (from the Business Software Alliance and the Software and Information Industry Association) routinely bring claims against companies that make illegal copies of software and thus violate the U.S. Copyright Act. IT pros can be personally liable for making illegal copies because the person making the copy is technically the infringer. For the most part, the “software police” present infringement claims to employers, but if the dispute is not resolved and litigation ensues, the individual IT pro who made illegal copies may have personal liability.
IT pros who have access to source code should make it a routine practice to verify that their employers have a proper license. If the source code was not properly licensed, or there are some limits on who may access the source code, you might have liability. Why? Because such improper use could be considered misappropriation of a trade secret, and any individuals who have access to the source code — not just the employer company — can become parties to a lawsuit. Trust me, it happens: CA is an example of a company that for years has sued individuals for misappropriation of trade secrets by using source code improperly.
Several federal agencies monitor financial records for public and private companies, including the Securities and Exchange Commission, Department of Justice, Internal Revenue Service, and the bankruptcy courts. Thus, if you create fictitious financial records, without question you may be personally liable. So if an employer asks you to do something suspicious with financial records — such as creating a shadow set of financial statements, setting up fake accounts, and writing checks inappropriately — you may have personal exposure for your behavior, such as fines and/or jail terms. It doesn’t matter that an executive told you to do it or that you didn’t realize what was going on.
Use the smell test
There is no question that judges and juries are not technically savvy enough to understand what IT pros do on a day-to-day basis. That lack of understanding can lead them to conclude you’re at fault or should have known better. After all, many people think anyone technical is a whiz kid or brainiac on any topic.
To avoid legal problems, the best advice for IT pros is to be wary of what does not pass the smell test. If something seems wrong, it probably is. Use your intuition and judgment to avoid becoming embroiled in criminal misbehavior, breaching contracts, or committing torts. When in doubt, consult an attorney who understands IT and the Internet.