Firewall Wizards mailing list archives
RE: Legal Liability under 1986 ECPA
From: "R. DuFresne" <dufresne () sysinfo com>
Date: Wed, 30 Jan 2002 20:01:30 -0500 (EST)
On Wed, 30 Jan 2002, Jermaine Howard wrote:
-----Original Message-----
From: firewall-wizards-admin () nfr com [mailto:firewall-wizards-admin () nfr com] On Behalf Of Steven M. Bellovin
Sent: Monday, January 28, 2002 9:05 PM
To: Jeff Newton
Cc: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Legal Liability under 1986 ECPA

In message <3C5597DF.6FAC747 () pmc-sierra com>, Jeff Newton writes:

I'm pushing my company to require a signed AUP, rather than simply posting the security policy on their intranet. I was hoping to cite specific court cases to management illustrating the consequences of not obtaining employee signage. Administrators, management, and security analysts have supposedly been held liable for scanning/sniffing, etc. actions if employee permission isn't first obtained as per the 1986 Electronic Communications Privacy Act. Does anyone have specific case references?

It's a complex question with minimal case law. I included the information I could find in Chapter 12 of "Firewalls and Internet Security" (see the URL below), but there's no clear answer. The Justice Department does recommend a warning banner, but the legal need is shaky. This is especially true for corporate nets, where the entire net and the computers on it are owned by the company, and the legislative history of the ECPA clearly shows that Congress did not intend to protect employees in that situation. That said, ask a lawyer.

Yeah I would agree with that statement above. Our company has all the employees when hired in read and sign our company policy (which I do believe will hold more weight in court than a post on the intranet). In it it gives our network admin. the right to access any data going through the firewall and being accessed by corporate equipment, i.e. desktops, servers, etc. There is plenty more but from what I have seen that "contract" permits me to monitor our equipment with that worry.

Perhaps I've been reading security info lists like SANS and the truesecure list incorrectly these past years, but I was under the impression the courts had well sorted out that companies have the right to scan e-mails and data on their systems without issue. Are not corporate assets, even laptops some users take home nights and weekends, really the assets of the company and allow them full rights to what is contained or passed via them, especially via the corporate LAN/WAN?

Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards