RE: Legal Liability under 1986 ECPA

["R. DuFresne" <dufresne () sysinfo com>]

On Wed, 30 Jan 2002,  Jermaine Howard wrote:

> -----Original Message-----
> From: firewall-wizards-admin () nfr com
> [mailto:firewall-wizards-admin () nfr com]On Behalf Of Steven M. Bellovin
> Sent: Monday, January 28, 2002 9:05 PM
> To: Jeff Newton
> Cc: firewall-wizards () nfr com
> Subject: Re: [fw-wiz] Legal Liability under 1986 ECPA
>
>
> In message <3C5597DF.6FAC747 () pmc-sierra com>, Jeff Newton writes:
> > I'm pushing my company to require a signed AUP, rather than simply
> > posting the security policy on their intranet.  I was hoping to cite
> > specific court cases to management illustrating the consequences of not
> > obtaining employee signage.
> >
> > Administrators, managment, and security analysts have supposedly been
> > held liable for scanning/sniffing,etc actions if employee permission
> > isn't first obtained as per the 1986 Electronic Communications Privacy
> > Act.
> >
> > Does anyone have specific case references?
>
> It's a complex question with minimal case law.  I included the
> information I could find in Chapter 12 of "Firewalls and Internet
> Security" (see the URL below), but there's no clear answer.  The
> Justice Department does recommend a warning banner, but the legal
> need is shakey.  This is especially true for corporate nets, where the
> entire net and the computers on it are owned by the company, and the
> legislative history of the ECPA clearly shows that Congress did not
> intend to protect employees in that situation.
>
> That said, ask a lawyer.
>
>
>   Yeah I would agree with that statement above. Our company has all the
> employees
> when hired in read and sign our company policy (which I do believe will hold
> more
> weight in court than a post on the intranet). In it it gives our network
> admin. the
> right to access any data going through the firewall and being accessed by
> corporate
> equipment ie. desktops, servers, etc. There is plenty more but from what I
> have seen
> that "contract" permits me to monitor our equipment with that worry.


Perhaps I've been reading security info lists like SANS and and the
truesecure list incorrectly these past years, but, I was under the
impression the courts had well sorted out that companies have the right to
scan e-mails and data on their systems without issue.  Are not corporate
assests, even laptops some users take home nights and weekends really the
assests of the company and allow them full rights to what is contained or
passed via them, especially via the corporate LAN/WAN?

Thanks,

Ron DuFresne
-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity.  It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation."
                -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards