Firewall Wizards mailing list archives

Executives liable for computer crime?


From: "Wood, Tom D" <TDW6 () pge com>
Date: Wed, 19 Aug 1998 13:04:57 -0700

I have been given the dubious task of writing a paper that justifies the
costs behind deploying a strong authentication system to complement a
proposed dial-up solution. There still seem to be some who are of the opinion
that static passwords are an acceptable method of authenticating remote users.

So, while doing some research I ran across a white paper outlining Federal
Regulations written in 1991 that effectively hold CEOs (and senior
management) liable for any activity "on" or "through" their network, e.g.
bad guy island hops from your network to the target network and does
unspeakable things, CEO of the network in the middle can be held partially
liable for the unspeakable things.

The article also mentions the Federal Sentencing Organizational Guidelines,
which are claimed to contain a "Mandatory point system" for Federal judges
to follow in determining appropriate punishments.

It then suggests that if a CEO could demonstrate that he/she had made a
"good-faith effort" in securing their network through an "effective"
security program (and still got hacked), the judge would have some latitude
in mitigating the fine and/or sentence.

Comments? Does anyone have knowledge of these guidelines, and have they ever
actually been enforced? Do we know if the courts have defined exactly what a
"good-faith" effort is?

cheers...

Tom Wood
ETPM Advanced Systems Group
tdw6 () pge com

I am NOT a pessimist! It wouldn't work anyhow
