Raise your hand if you have a degree in law. Not many folks in IT do, despite the fact that legal issues increasingly play a huge role in enterprise environments. So for those IT managers not ready to give up their careers to practice for the bar exam, we’ve compiled some of the biggest technology-related challenges that could turn into a court case.
IT Contracts: Better to be safe than sorry
IT managers often have to outsource work to an IT contractor. But according to some legal experts, many IT procurement contracts contain large holes that leave organizations susceptible to major legal headaches. “Problems can occur if a contractor comes in and invents some kind of code during the course of helping you out,” Don Johnston, a lawyer at Toronto-based Aird and Berlis LLP and president of the Canadian IT Law Association, said. “Now that code is not part of his or her job description, so it belongs to the contracting company and not to you. Under the Copyright Act, there’s no room for implied licences. So while you have the right to use the code going forward, you can’t lay claim to owning it.”
In some cases, Johnston said, the consultant would even be able to object to modifications on the code. These scenarios typically arise in relation to Web development, he said, where a consultant may like a site he created and wants to use it for another client.
“It is still extremely common for the parties not to define the IT goods or services that are being procured,” said Duncan Card, an outsourcing lawyer at Toronto-based firm Bennett Jones, said. “Services are often very poorly defined, with no sense of whether or not a deliverable outcome is required or if the services are mere consulting and advisory services.”
What to do: make sure the specs are very detailed
Card said IT managers need to understand that most IT procurement contracts contain legal issues at the heart of their governance obligations, risk management duties, dispute resolution rights, intellectual property and confidentiality rights. The most sensible solution, he said, is to make sure the contract is as encompassing as possible. “As for hardware and software, each contract should clearly state the operational, functional and technical specifications and requirements of IT goods to define the goods being procured, as the basis for the warranty being provided, and to set the threshold for acceptance testing,” Card said. “That failure is probably the leading cause of dispute and litigation.”
E-discovery: Are you prepared when Lady Justice comes knocking?
With the rise of new technologies, there has been an explosion of new electronic data. All of this needs to be securely stored, which presents another challenge for many IT administrators – especially if a subpoena is knocking at your door.
E-discovery is already playing a major role in court cases across the United States and many Canadian IT managers can also expect to feel its impact over the next few years. But Johnston said that the majority of Canadian enterprises are way behind the e-discovery curve, and the companies that do have policies in place are neglecting to enforce them. “I don’t think even the best run companies from an IT point-of-view have proper policies and procedures to handle e-discovery,” he said. “And it will only continue to grow. It brought down President Clinton and it didn’t do Lord Black any good either, so it could really affect any business.”
What to do: write a document retention policy
But like anything in IT, it’s never too late to get started. Card said that maintaining business and operational records as well as having a solid IT infrastructure to store the data is crucial to protecting yourself when a legal proceeding occurs.
“They have to have reliable IT systems that satisfy reasonable standards of security, controlled access, maintenance, use and operational reliability,” Card said. “They should also regularly test their IT systems to ensure that the information electronically stored is reliable, accurate and complete.”
According to Johnston, the worst nightmare for any business is to produce a whole bunch of embarrassing, irrelevant or old material in the e-discovery process. One of the easiest ways to avoid this is to enact a clear document retention policy that outlines how long data is kept and how they are classified.
“For example, we’re going to retain contracts in electronic format for the life of the contract, after which it’ll be destroyed,” Johnston said. “Based on this system, you have a positive methodology for dealing with all this data. Some companies can even have fun with it and have a document destruction day with pizza, pop and balloons for the kids.”
San Diego, Calif.-based Websense Inc.’s Data Discover tool aims at identifying confidential data and where it resides in the enterprise. Fiaaz Walji, country manager at Websense Canada, said having a data leakage product that can identify all forms of data – including structured data such as credit card numbers, and unstructured data such as marketing plans or proprietary formulas – can help give organizations the upper hand in e-discovery. IT managers can indicate what type of data they want to monitor as well as what kind of data movement should trigger a security alert.
“So, HR moving personnel records might not be of great concern.” Walji said. “But somebody in HR moving personnel records to MySpace using Instant Messenger would raise a red flag.”
Employees: Protection for them and against them
And while keeping track of where personal data is going might be a big part of e-discovery, it is an enormous part of protecting yourself against potential legal challenges with your employees.
“In Alberta, there’s such a hot job market right now and employees are quite demanding and flighty at times,” Wayne Bonaguro, IT manager at Carpenter Canada in Calgary, said. “This is especially true at the entry or intermediate level. They’ll blow you off so fast because they know they can walk down the block and before they hit the next bus stop get a job.”
With this mobile workforce, he said, comes portable data. “With the various portable media and memory sticks around nowadays, it’s getting really hard to control what slides out of the building,” Bonaguro said. “Protecting personal information of our employees, in the midst of the high turnover rates we’ve had, can be a logistics nightmare.”
For other IT managers, such as Brian Stephen, IT manager at Options: Services to Communities, securing personal information can also extend to the people who use the computers in his Surrey, B.C.-based mental health centres.
“In order to collect government funding, we’re required to provide statistics to the government about our health centre use, but without any of the personal information attached to it,” he said. “If we were to accidentally ‘out’ one of our clients as a Hepatitis B or C person and that became public knowledge because of poor security on our part, we’d be facing massive liability issues.”
What to do: Monitor outgoing e-mail
The solution, he said, is to focus extra attention on security and regularly test all your IT systems for potential holes. But in cases where employees might be actively trying to take information with them after leaving the company, Stephen said, a more direct approach might have to be taken. “When I was with a branded company, one of the things I’d always done when running the mail servers was that with any e-mail that goes to a competitor, a business rule was in place that sends it to me as well,” he said. “This is helpful if a salesman is about to leave and you want to make sure he isn’t forwarding the company’s top secrets away.”
Fraser Mann, a lawyer specializing in technology and intellectual property law at Toronto’s Miller Thomson LLP, agreed, saying that part of having a good policy in place is having the right to monitor any kind of e-mail communication where you have grounds to suspect confidential information is being exchanged. “As long as we’re talking about the employer’s e-mail system, then the employer does have a right to monitor that,” he said.
And as an IT manager, if you ever find yourself in the position of having to let go of one of your own staff, Johnston recommends you approaching the situation quickly and quietly. “You never give an IT guy notice that you’re going to terminate them,” he said. “It almost works like an arrest. Two guys go into his office and take him down to the boss. In the meantime, other people have to go in and change the passwords in the system to cut off his access.”
Web 2.0:Time drain or legal liability?
Social networking sites like Facebook, MySpace and LinkedIn could be a few reasons why your company might have to let an employee go. But besides draining the productivity of your employees, Web 2.0 may actually give you legal headaches as well. “Let’s say an employee has a bad day at work and goes home to their MySpace page and writes what they really think about their boss and employer,” Johnston said. “Once this stuff is written, it won’t die. It gets picked up on search engines.”
Whether it’s sensitive data or a potentially libellous tirade, much of what gets posted to social networking sites make their way into the public domain. And while some IT managers might simply hope it doesn’t happen to them, most legal experts don’t see this as an indefensible problem.
What to do: Get non-disclosure agreements signed
“One key is to make sure that all employees are signed up with non-disclosure agreements, which governs the use of company’s sensitive information,” Johnston said. “Another element is a non-solicitation clause – either in regards to other employers or other clients and customers.” A different take on the issue – especially agencies that offer online services – is the damage that can be done from non-employees.
“We work with a whole range of disenfranchised people, such as the homeless, abused women, and battered children, who come in to our mental health centres and use our computers,” Stephen said. “Sometimes they can put us in situations where they put out incorrect information on blogs or hit up a dating site. If we’re allowing them the mechanism to use those Web 2.0 services, we’re the ones with the deep pockets and at risk to be sued if any damages arise.”
For other IT managers like Bonaguro, the only solution might be draconian measures in protecting your company.
“All we can do is block them from using our computers and technology to access these sites or making comments there,” he said. “Once they go home, they can do almost anything they want, but on our systems, users who want to go to a particular site have to pre-register for access to certain Web pages. We don’t have the manpower to constantly police this, so it allows the employee to only access the sites they need.”
Pirated equipment: How to avoid getting duped
And while being overly cautious with Web 2.0 is certainly a great lesson to live by, avoiding unintentionally buying counterfeit software and hardware is an even better one. Earlier this year, a Markham, Ont.-based hardware reseller was charged by the RCMP for allegedly selling large quantities of counterfeit Cisco equipment. Approximately $2 million of counterfeit parts were seized and it was reported that many companies we’re duped.
“We call it the grey market, they’d come here and have no warranty because they’re either totally counterfeit or they were side-door, mass-produced stuff,” Bonaguro said. “I get solicited all the time and usually the red flag is the price. If it’s 30 per cent of what it should be, it’s probably too good to be true.”
From a lawyer’s perspective, Card said the best way to avoid buying knock-off equipment is to do your research and hire an IT lawyer to help. “Hire a specialized IT lawyer, and do the due diligence enquires they can help you with,” Card said. “Also, make sure all the normal contract terms are included and ensure that the risk management provisions protect the IT consumer. If Cisco were to go after the IT consumer based on that pirated software, then indemnities will help as long as the distributor is solvent.”
But for smaller firms who may not be able to afford a specialized consultant, many experts simply advise to stick with the authorized vendors. “Most hardware companies have a published list of authorized vendors and they encourage customers to only buy these partners,” Ram Manchi, president of the Alliance for Gray Market and Counterfeit Abatement (AGMA), said. “If customers choose to buy outside the channel they run the risk of getting a product that isn’t genuine.”
What to do: Beware of deep discounts
But despite this advice, many in the used hardware community stress that not all resellers outside of the channel are a bad option.
Colin Williams, owner of Montara, Calif.-based Coastside Networking, said companies who want to avoid getting duped by counterfeit resellers should be weary of unrealistically large discounts.
“It’s like walking down the street and being offered a Rolex watch for $100. It’s very tempting, but it’s probably fake,” Williams said. “You typically get 15 to 20 per cent off the list price. If you’re a big time corporate company, you might get a 30 to 35 per cent discount. But if a dealer is offering a small company a huge discount like that, it’s an automatic red flag.”
Adding to the problem, he said, is the increasing sophistication of the “knock-off” hardware. The only thing separating a real Cisco router and duplicate might be a very minor physical imperfections or a missing stamp on a card.
“The quality of counterfeiting has certainly gone up in recent years as they’re really getting very good at this,” Williams said. “It’s not just the hardware itself, but even the boxes, the labeling and the holograms on the packaging are being accurately duplicated. So, it’s a constant education process for the dealers and we have to share information amongst ourselves.”
And like any of the legal challenges IT managers may face, keeping up-to-date and informed of the law and how to protect yourself will keep you and your company out of the headlines.