What legal gotchas should a sysadmin be familiar with?
What legal issues should you research as a sysadmin to avoid you, or your employer, being accused of negligence, or of violating privacy, etc?
While laws vary from country to country and state to state, it could still be enlightening if you have an example of a law which you, or someone you know, has broken without realizing it.
Solution 1:
It largely depends on a few things, like what industry you're in (the following applies to the USA only)...
- Health Care: HIPAA
- Education: FERPA
- If your company is traded with the SEC: Sarbanes-Oxley
- If your company does credit card transactions: PCI DSS
A lot of the smaller jobs I've worked have been pretty bad about PCI DSS: storing CC info in plaintext on a publicly accessible database server... basics that were just neglected.
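The plaintext-cardholder-data problem described in the answer above is the kind of thing a sysadmin can check for before an assessor does. The following is an added example, not code from the original post: a small scanner that looks for card-number-shaped digit runs in exported records, confirms them with the Luhn check so that phone numbers and order IDs do not count as hits, and reports each finding with the PAN truncated to first six and last four (the masking form commonly used to satisfy PCI DSS display requirements). The sample rows and their well-known test PANs are constructed for the example; the function names are my own.

```python
import re

# Constructed sample records, as they might sit in a neglected database dump.
# The card-like values are industry test numbers, not real cards.
SAMPLE_ROWS = [
    "order=1001 customer=alice cc=4111111111111111 exp=12/26",
    "order=1002 customer=bob cc=5500 0000 0000 0004 exp=03/25",
    "order=1003 customer=carol phone=4111111111111112",   # fails Luhn: not a PAN
    "order=1004 customer=dave cc=tok_9f3a1c",             # already tokenized, no PAN
]

# 13 to 19 digits, optionally separated by spaces or dashes, not glued to other digits.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: true for every valid PAN, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list[str]:
    """Return the plaintext PANs found in one record, digits only."""
    found = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask_pan(pan: str) -> str:
    """Keep first six and last four; everything else becomes '*'."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan(rows: list[str]) -> list[tuple[str, str]]:
    """Scan records and return (record id, masked PAN) for every plaintext card found."""
    hits = []
    for row in rows:
        record_id = row.split()[0]           # first token, e.g. 'order=1001'
        for pan in find_pans(row):
            hits.append((record_id, mask_pan(pan)))
    return hits


if __name__ == "__main__":
    for record_id, masked in scan(SAMPLE_ROWS):
        print(f"{record_id}: plaintext PAN {masked}")
```

Run over a real export, the report itself should only ever contain the masked form; the scanner is there to tell you where the plaintext lives so it can be tokenized or encrypted, not to copy it somewhere new.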
Solution 2:
The following applies to the USA only:
CIPA: Children's Internet Protection Act
Especially if you're employed by a state or federal educational entity: http://www.fcc.gov/cgb/consumerfacts/cipa.html
FOIA: Freedom of Information Act
Again if you're employed by a government entity: http://www.fcc.gov/foia/
FERPA: Family Educational Rights and Privacy Act
Education: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Solution 3:
Be aware of the legal side of network analysis and intrusion detection. In some places, unauthorized use of nmap can be considered a crime, as can trying to break into systems for security (non-malicious) purposes.
Be aware of software licensing issues, both for end users (if you deal with them) and for your servers and other sysadmins. Know the possible ramifications if you choose to run pirated software on a business server.
Be aware of the privacy laws for your place of business at the local, state, and federal level. Know what info you are and aren't allowed to store. Also know what info you are and aren't allowed to look at, both in legal terms and as laid down by your company guidelines.
On the flip side, be aware of information retention laws for your place of business. Know what info you're required to keep, how long you need to keep it, and who you have to divulge it to when requested. Be able to draw the line between privacy and complying with regulations (and know when to stand up for one or the other).
Solution 4:
I'm in the UK, and I'd say the most important laws to an average ecommerce business would be:
- The Data Protection Act
- Distance Selling Regulations and Trade Descriptions Act
- Certain parts of The Companies Act - for example you have to have your registered company number and address on a business website even if you don't sell anything. I've seen that one broken many times.
- PCI Compliance (ok, not a law but important)