IT Manager's Legal Guide: Data Handling and Security: Page 3

Posted September 18, 2008

David Strom

(Page 3 of 3)

Certainly, there will continue to be cases of stolen or lost laptops with customer data on them. Mine was lifted from the trunk of my car in a shopping center while I was eating dinner one night: fortunately, most of the data was encrypted, thanks to Lotus Notes. But this raises the question: why don't more enterprises have encryption policies?

TIP: If you don't have a policy for whole disk encryption of your laptops, now is the time to formulate one. Maro says, "It's not a question of if you will lose a laptop; it's a question of when." This hasn't been an issue for his shop because he encrypts each laptop's hard drive. "All of our laptops have PGP's whole disk encryption on them before they are issued to the employee. I wouldn't want someone leaving a company car downtown unattended with the keys in it, the same goes for our data."


An entire industry has evolved over the notion of eDiscovery, the ability to archive important electronic documents that may pertain to pending legal actions such as lawsuits.

Sadly, the off-the-shelf email and document management tools don't really have the ability to archive particular messages or documents that are subpoenaed, or to collect them easily based on other legal actions. Most of these tools and applications have no security models that can match the needs of the lawyers, and the individual messages have to be manually sorted or copied to be preserved. One IT manager at a law firm mentioned that "There is no mechanism in our document management systems that can export then associate detailed document metadata such as who viewed and edited the document, and for how long."

TIP: Consider any litigation support as part of your next email and document archival solution. Also consider who has access to this archive, including any help desk and support staff, and whether that access will pollute any potential evidence chain in a pending legal matter involving the archived data.


As you can see, the changing legal landscape demands continued vigilance, and IT managers have to stay on top of compliance and liability issues, even for those laws that may not directly involve corporate data usage. “It is getting harder and harder to keep up with legislation because every state is different. It is like a giant spider web,” says O’Berry.

Alice Stitelman, an expert in email usage and legal matters, says: "What you don't know about legal computer issues can hurt you. Many business users mistakenly believe that their data is private--whether it be on their laptop, cell phone, or mobile device. In fact, they should have no expectation of privacy. Users have much less control over who reads their data than they may realize. Companies need to develop policies and procedures around these issues, if they haven't already. Also, they need to be very clear in how they communicate those critical policies and procedures to their employees."


Tags: Facebook, wireless, FCC, FTC, policy
