Penetration Testing mailing list archives
Re: Handling Sysads resignation/termination
From: Michael Hammer <dotzero () gmail com>
Date: Thu, 4 Aug 2005 10:26:56 -0400
On 8/4/05, Thor (Hammer of God) <thor () hammerofgod com> wrote:
> No, it's not. I don't want to sound too harsh here, but this is not good advice... Well, to be more specific, it is not good "legal" advice. Requiring someone to sign a document in order to receive severance benefits could easily constitute a state of duress (as I already said in my first email.) It doesn't cut to the heart of intent at all, it cuts to the heart of "I signed what they forced me to sign so that I would get my last check so that I could feed my family." Additionally, in some states (note that this perspective is from a US mentality) signing a document exacting performance (regardless of direction) in exchange for benefits could actually be considered an employment contract, thus giving the to-be-terminated employee more rights to employment benefits than originally offered -- even in "at will employment" states according to citations of specific case law I've read regarding the matter.
Perhaps I should clarify. This is not advice from myself but the implementation from our attorneys. Notice that I said severance package being offered. That is not the same as holding up someone's final check.

Case law may provide precedent but decisions are usually written as narrowly as possible. While Stare Decisis is an important principle I would point out that it is not ironclad. Please note the opinion in United States v. Washington, 872 F.2d 874, 880 (9th Cir. 1989). Case law is not immutable. If that were true then we (in the U.S.) would still be handling race relations on the basis of Dred Scott vs Sandford.

Seeing as you reference case law that you have read and given your earlier comments about getting legal advice from lawyers and not techies, I presume we are to assume you are a member of the bar. If not, I'd ask on what basis you consider yourself competent to declare it to be bad legal advice?

I would also point out that your logic as to duress is fundamentally flawed. One could use the same argument for agreements required as a condition of employment (by your logic). "I signed what they forced me to sign so that I would get my first check so that I could feed my family."
> But of course, you need to check with your lawyer on this point. I don't take technology advice from my lawyer, and I would suggest to readers of this post that they don't take legal advice from technologists either.
If he had wanted advice from lawyers then he would have (should have?) posted to legal-advice@
> That *must* be addressed at employment. NDA's and NC's need to be signed coming into employment, not leaving it. But again, check with your lawyer on that.
Again, I should perhaps clarify. You are correct that one should have those in place upfront. The purpose of having a document signed at departure indicating the obligation to adhere to NDAs, non-competes and IP agreements is to make it clear that any acts were not accidental and that the issues were discussed.
>> This process does not have to be done in a heavy handed way but should be done in a way that makes it clear that the company is paying attention.

> Making someone sign something to get their final check *IS* heavy handed, no matter how nice you try to make it. Addressing aspects of system state and security is something you build into the employment policy (not contract, unless you really want a contract) when people get hired, not when they are terminated or willfully leave employment.
You are really hung up on that final check issue. Again, please go back and read what I wrote. I did not say that a person's final paycheck should be contingent on anything. That would be a serious no-no in most legal jurisdictions. I said "any severance package being offered". Final checks are compensation and not a severance package.

My personal perspective is that I'm a hired gun. When my employer no longer wants my services I'll find somewhere else to roost. Not a big deal. If I choose to go somewhere else I always try to give reasonable notice and help whoever is stepping in get up to speed before I leave. The IT community (particularly security) in most burgs is relatively small and people talk. It's the nature of the beast. My only concern when I depart would be limitations from an IP agreement and I have found that most employers, if they want you bad enough, will adjust (within reason) IP agreements if asked. NDAs are normal and non-competes are relatively meaningless if they are overly broad (This has been made clear in case law).

As Irvin is an outside consultant he needs to be careful in what he states and how he states it (I do hope he has E&O coverage) vis a vis the contracting party. As I pointed out in my prior post, there is no way that he can prove the negative (certify that the departing employee didn't leave anything nasty behind) without entirely rebuilding each system and app from scratch. At best he can provide a list of steps to follow that would be considered reasonable and appropriate (there's that industry standard issue again). There are departure checklists available from various sources and I'm surprised that a financial institution wouldn't be aware of them. A financial company likely falls under GLBA (and SOX) at a minimum. They almost certainly have an outside auditor they could turn to (all of the large ones and most mid-range ones have practices for auditing IT controls).

Just a few random thoughts.
Time to reset the registers and focus on other things.

Mike