July 19, 2010, 10:34 AM — As an IT pro, you could get in legal trouble without even realizing it. You may be liable for civil damages, criminal fines, and/or jail time if, while doing your job, you intentionally or accidentally breach contracts or violate laws. It doesn't have to be criminal behavior; there are lots of noncriminal actions, called torts, that you can accidentally stumble over.
This kind of inadvertent legal trouble actually happens to IT pros. For example, one client I represent in a copyright infringement case went to a construction site, measured the kitchen, then went back to his office and created a kitchen equipment drawing using AutoCAD. Sounds innocent, doesn't it? Yet he is now a defendant in a federal lawsuit, as is his employer for infringing the copyright of the architect, even though he made his own drawings rather than use the architect's drawings. In the United States, for better or worse, anybody can sue anyone else -- and they frequently do.
[ Follow the latest developments and insights on current technologies with the InfoWorld Daily newsletter and the Tech Watch blog. ]
So how can you get in legal trouble without even knowing it? Let me describe some specific instances where IT pros could unwittingly find themselves in legal trouble by just doing their job.
Confidentiality and privacy violations You need to be wary of how you treat confidential information, so an understanding of privacy laws is essential. Information could be considered confidential because the owner of the material contractually requires protection of the knowledge by those with access to it. State or federal laws dictate whether information is considered private and whether there is an obligation to protect certain types of information about individuals.
An example is HIPAA, the law governing the use of medical information, which lists 18 data elements that may not be made public. As an IT pro, you should be aware -- in a general sense -- of the origins of the data stored on your IT systems. For example, privacy laws vary widely across companies, so if you access or manage information systems that include data from, say, the European Union, different laws and requirements may apply than if your business handles only U.S. data.
As companies deal more and more globally, it's easier and easier to have information from different regions, each with its own rules. The E.U.'s Data Protection Directive, for example, permits individuals to access computers that have information about them and requires the holder of that data to modify it as requested. Canada and Japan have similar laws relating to personal data.
In the United States, the general rule is that employees are not entitled to privacy for emails accessed through email systems provided by the employer. On June 17, the U.S. Supreme Court voted 9-0 that employees should likewise not expect any privacy for text messages accessed using employer-provided equipment. However, employees can expect their emails and text messages to remain private if accessed only on their personal equipment. An employee using a personal iPhone or PC for work email could expect personal emails on that device to be private but not emails accessed from the corporate email system; many courts have ruled in the United States that the use of corporate email systems mean that the employee should expect no privacy.
Another area in which you should be careful: You should not access confidential information for personal use. That sounds obvious, but some courts may think that reviewing confidential information is not an innocent activity and assume there's an intent for personal use. You should have a specific business reason to review such information. On the other hand, one federal appeals court overturned the conviction of an IRS employee for reviewing taxpayer information inappropriately because that employee did not actually use the information.
