Threats to the Information Infrastructure

INTELLECTUAL PROPERTY AND LEGAL RISKS IN INFORMATION TECHNOLOGY (IT)

By: John M. Carroll, B.S.I.E., M.A., Dr. Eng. Sci., Ll.B., P.Eng.

Introduction

Whenever a person or company causes loss to another because of negligence, unfair practices, or malice, the aggrieved one has the right to seek compensation from the offender. Whether or not compensation would be granted, and in what amount, was traditionally determined by a civil court or an administrative tribunal. Now there are alternative methods of resolving a dispute, including arbitration and mediation.

This tutorial focuses on activities uniquely under the control of an IT department that are at risk for culpable losses, and on which of those risks are likely. An IT enterprise can avail itself of these legal remedies as part of its own security posture, both to avoid liability and to seek compensation for loss. This chapter will deal neither with common incidents such as slip-and-fall or motor vehicle accidents, nor with corporate-level incidents such as restraint of trade by unlawful monopoly, or with tax problems, or with anything of a criminal nature.

The causes of action to be discussed in this tutorial include:

1. Breach of Confidence and/or Breach of Trust-Like Fiduciary Duty
2. Patent Infringement
3. Trademark (in Canada, Trade Mark) Infringement
4. Copyright Infringement
5. Defamation (Libel or Slander)
6. Invasion of Privacy
7. Denial of Human Rights (e.g. Unlawful Discrimination)
8. Unjust Dismissal
9. Specific Workplace Injuries (e.g. Carpal Tunnel Syndrome)
10. Errors, Omissions, and Contract Defaults

Remedies available to injured parties and costs to defendants:

Injunctions
Prohibition from doing certain work
Money Damages (General, Specific, Aggravated, Punitive)
Imposition of a constructive trust
Legal Costs (yours, and theirs)
Administrative fines
Orders to deliver up property
Increased insurance premiums, or cancellation
Orders for specific performance
Orders for remedial action (e.g. work orders)
Waste of productive time by employees involved
Adverse publicity

The law is made up of constitutions, common law, statutes, regulations, by-laws, policy statements, and findings in previous cases. It varies greatly from jurisdiction to jurisdiction. This chapter will not cite specific cases or statutes, but will deal with general principles. Any serious legal matter should be referred to a law firm that has access to the pertinent research facilities and that maintains awareness of new legislation, amendments to existing legislation, regulations, administrative policy, and binding decisions of superior or appellate courts (precedents).

Some general principles that will hold true anywhere are:

1. All cases are ultimately decided on the basis of what a reasonable person could reasonably have foreseen in the circumstances. If you have a feeling you are doing something wrong that could unlawfully hurt somebody, you probably are. So stop doing it. If you believe you have been unfairly injured in business, you may have a cause of legal action against the offender.
2. Settle any legal matter at the lowest level of adjudication possible: mutually agreed settlement, mediation, arbitration, administrative tribunal, small claims court, civil court (judge only), civil court (judge and jury), and appeal courts -- roughly in that order. The higher the court, the greater your potential loss. Never turn down a reasonable settlement.
It can cost you "big bucks".
3. Put everything of possible legal significance in writing: names, dates, times, places; who said or did what to whom, and how much money changed hands.
4. Take immediate action if anything significant happens. Causes of action you may have can fail because of statutory limitations. Causes someone may have against you can ultimately cost you more money because of prejudgment interest.
5. When you consult a lawyer, bring in all your evidence. Don't equivocate or leave out important facts.

Breach of Confidence or Breach of Trust

President Calvin Coolidge said: "The business of America is business". Today it could be said "The business of America is Information Technology".

A major challenge of Computer Security is protecting the confidentiality, integrity, and availability of information resident in, or processed by, computers or other tools of Information Technology (IT).

Information is a kind of property with several peculiar attributes: Information is capable of universal possession and infinite reproduction. It can be stolen from its creator without deprivation, and restitution is not usually a remedy. There is never a scarcity of information. The law of supply and demand does not apply to information.

The only law of economics that applies to information is analogous to Gresham's Law of currency: "Bad money always drives out the good." Similarly, incorrect or trivial information can obscure important information, and can make even essential information suspect. Information overload is one of the principal evils of the Internet, and has been since the Internet was ARPAnet. In a denial-of-service attack, a flood of enticing misinformation, because it has to be read, is infinitely more wasteful of IT resources than garbage that is obviously meaningless. Moreover, many search engines can be defeated by cleverly sprinkling keywords at any web site where one wants to increase artificially the number of hits.

C. I. A.

Attributes of information that make it either valuable or useless:

Confidentiality - imparts a positive quality of scarcity to specific information, and empowers its creator or custodian to control its distribution, thus enhancing its value. Typical kinds of confidential information are trade secrets, business plans, and private information concerning or describing a named individual.

Integrity - ensures that information has not been corrupted by errors or unauthorized alteration, thus preventing it from losing its value. As long as a pristine copy is kept under conditions of confidentiality, integrity can always be ensured by comparison.

Availability - provides for immediate access to information.

Three elements are necessary if a case of breach of confidence is to succeed in court:

1. The information itself must have the necessary quality of confidence about it.
2. The information must have been imparted under circumstances carrying an obligation of confidence.
3. There must have been unauthorized use of the information.

Quality of confidence

Information that exists in the public domain and is public knowledge cannot provide the foundation for proceedings for breach of confidence. No matter how confidential the circumstances of communication, there can be no confidence in revealing to others something which is already public knowledge.

However, something that has been constructed from materials in the public domain by application of human skill and ingenuity may possess the quality of confidentiality. It depends upon the thing itself and not on the quality of the constituent parts. The mere simplicity of an idea does not prevent it from being confidential.

Where information is partly public and partly private, the recipient must be careful to distinguish between the two parts and, although free to use the former, must take no advantage of the latter.

Circumstances importing an Obligation of Confidence

There can be no binding obligation of confidence if information is blurted out in public or under circumstances which negate any duty of holding it confidential. In a well-developed jurisdiction there are guides and tests that aid in determining confidentiality. If no such guides and tests exist, then the test is one of reasonableness: "Would any reasonable person standing in the shoes of the recipient of information realize on any reasonable grounds that the information was being imparted in confidence?"

Where privileged information of a commercial or industrial nature is given on a business-like basis with some common purpose in mind, the recipient will be bound by a heavy obligation of confidence.

Detriment to the communicator

The recipient must not use confidential information, imparted under circumstances of confidence, to the detriment either of the communicator or of a person or organization the communicator would wish to protect. A person receiving confidential information should not use it as a springboard for activities detrimental to the person who made the confidential communication.

If a person wishes to use public information received under conditions of confidentiality, the person should go to a public source to get it. A law-abiding citizen could commission someone else to make the discovery anew without providing any specific help (the "white room" approach). The recipient would then be at liberty to make use of new ideas to make improvements and, possibly, turn a failure into a triumph. However, the recipient must not build the superstructure if forbidden to use the foundation.

A law-abiding citizen who has received confidential information pertinent to a joint venture must accept that when negotiations break down he or she should withdraw from the field in question until the informant or somebody else has put the information into the public domain.

The fundamental question is: "Is the information common knowledge in the industry?"

Breach of Confidentiality versus Breach of Trust:

Breach of confidentiality usually occurs in dealings with employees, and less frequently with representatives of suppliers, customers, or potential business partners. It is best controlled by having a possible recipient of confidential information agree to be bound by an employment contract or non-disclosure agreement. Then any legal action for breach of confidentiality can be one for breach of contract, which is an action generally well understood in law.

A typical employment contract with a professional employee might include some or all of the following provisions in addition to provisions relating to salary and working conditions:

In consideration of this Agreement and the employment thereby created, the employee agrees:

1. To devote full time and attention to the business of the employer.
2. To use best efforts to keep informed of and acquainted with all matters pertaining to his or her duties.
3. To give the Company or its Agent(s) all such available information as may be required.
4. To attend at any place for the purposes of experiments, demonstrations, consultations, or conferences as may from time to time be requested by the Company.
5. To take all precautions to keep secret all records, knowledge, or information that may come into the employee's possession which may be of value to the Company; and shall take like precautions to prevent such records, knowledge, or information from passing into the possession of any person(s) or company not specifically authorized in writing by the Company to receive them.
6. That the said records, knowledge, or information gleaned or discovered by the employee shall be the exclusive property of the Company and any new application thereof that shall be conceived by, or become known to, the employee during working hours using the materials of the employer shall forthwith be communicated fully by the employee to the Company or as the Company may direct.
7. At the expense of the Company, to take all steps necessary, and to do all such acts and things as the Company may consider necessary and required. To assign any patents when granted to the Company, and to enable the Company to derive full benefit of any or all of such information or inventions, patents, protections, and improvements as shall be derivable therefrom.
8. That in the event of any patents being taken out in the name of the employee, with or without any other names, the employee shall thereafter at the request and cost of the Company transfer the same to the Company, or as the Company may direct.
9. Not to enter the employment of, nor to act in a professional capacity for, any individual or company competing with the Company for the period of one year (or some other legal period) after leaving the employ of the Company, and not at any time to make disclosure of any knowledge of confidential information belonging to the Company.

Because the last provision could be construed by some judges as a restraint of trade, the time during which a former employee may be restricted in subsequent employment, if an employee may be restricted at all, varies from jurisdiction to jurisdiction.

IT enterprises may be doubly vulnerable to the consequences of corruption or unauthorized dissemination of confidential information. Not only must they safeguard their own computer program code, business plans and records, and other information, but they may also be custodians and processors of client information, or licensed users of supplier information.
As such they could be liable in negligence to their clients or suppliers if such information is mishandled.

Threats come from casual visitors, hackers, staff (including customer and supplier representatives) and fiduciaries such as lawyers, consultants and financial advisors, and corporate officers and directors.

Threats from casual visitors can be controlled by basic physical security. Hackers are a criminal matter, but their depredations can be controlled by measures such as those described in many security handbooks. Staff derelictions can be minimized by training and by employment contracts or non-disclosure agreements.

Appropriate action for breach of contract would usually be termination of relationship without compensation to the offender. However, in cases of serious loss, a former employer is entitled to sue an offender for breach of contract and to get a court order for specific performance, such as assigning patents taken out in the employee's name for discoveries made on Company time using Company resources.

The former employer could also sue for money damages, counsel fees, and an order to return all Company property in the ex-employee's possession, and an injunction to prevent the ex-employee from working for a competitor. However, such actions against an individual are seldom worth their cost. It is unlikely that the ex-employee would have enough money so that the injured Company could recoup its legal costs.

Of course there remains the option of suing whoever encouraged the employee to defect and profited thereby. However, it might be difficult to prove that such a backer was not "a bona fide purchaser for value without notice". Besides, there are at least three defenses the offender could raise:

(1) The employment contract was invalid because it cast too wide a net and deprived me of the right to ply my trade and make a living.
(2) The breach of contract was not committed in bad faith, e.g. "I hit the wrong key and suddenly all my files were gone."
(3) I didn't know the information was confidential.

If the offender is a fiduciary, the situation may be different. A senior manager, who quits with notice, takes a department or two along, gets backing from some venture capitalist, and sets up as a competitor, can wreck, and in some cases has wrecked, a well-established corporation. In this case, court action may be essential to save the enterprise.

All avenues of remedy open to the injured company in the case of the defecting employee are still open. In addition, the action now becomes one for breach of trust and a court may grant the additional remedy of the constructive trust. Here the fiduciary is deemed to be a trustee of the confidential information held for the Company as beneficiary, and the liability to account does not depend upon proof of bad faith.

The general rule of equity is that no one who has duties of a fiduciary nature (the word fiduciary literally means "devoted follower") is allowed to enter into engagements in which the fiduciary has, or can have, a personal interest conflicting with those whose interests the fiduciary is bound to protect. If that person holds any property so acquired, that person is bound to account for it to the beneficiary.

The reaping of a profit by a person at a Company's expense when that person held a position of trust is adequate grounds to hold the person accountable. The profit must be disgorged even if it was not gained at the expense of the Company, on the ground that a trustee must not be allowed to use that position to make a profit, even though it was not open to the Company to do so.

We seldom see a new company being bound by court order to cough up its profits to another as a result of breach of trust by one of its founding principals to a former employer.
A lawsuit like this could drag on for decades and cost millions in preoccupation of personnel on both sides, and because of bad publicity, as well as high legal costs. Often, a private settlement is reached in which the injured company is compensated by a transfer of shares from the new corporation to the former employer.

Trade Secrets

A trade secret is information including formulas, patterns, compilations, programs, devices, methods, techniques, or processes that derive economic value from not being generally known, and not readily ascertainable through proper means, by other persons who can obtain economic value from their disclosure.

Property rights exist in trade secrets only as long as they are kept under conditions of confidentiality. In addition to imparting the information only to those who need to know, representations of trade secrets must be kept in a reasonably secure environment. This may include:

1. Secure storage of paper, tape or disk copies in vaults, safes or file cabinets locked with a bar and a three-combination padlock.
2. Secure storage of electronic copies may require measures such as:
3. Dual file passwords: personal and project. Passwords should be at least 8 bytes long and randomly selected from the whole ASCII set.
4. File encryption using a single-key block-product cipher, such as DES, or a public-key exponentiating cipher such as RSA. One-time tape or disk ciphers afford highest security but even they are subject to successful cryptanalysis, as are all ciphers.
5. Background screening of employees, confidentiality agreements, and security training are all essential.
6. Confidential areas should be secured with security-grade lock sets, alarmed and/or guarded, and regularly swept electronically for clandestine radio or television transmitters.

Registered Information

Property rights exist in information registered with national agencies. They include patents, trade marks, and copyrights. Some countries also allow registration of trade dress, such as distinctive packaging; or industrial designs, such as distinctive patterning applied to products.

Patent Infringement

A patent is a monopoly granted by the national government in one or more countries for a term of 17 to 22 years, depending on country and subject matter, that allows an inventor to exploit and profit from an invention. New drugs usually get a longer time to compensate for the time spent in clinically testing them. The term of a patent can be extended only by making patentable innovations to the product.

Patentees can sell their patent rights to anyone they choose or they can license anyone to use, sell, or produce the invention. The government does not monitor patent infringement, but patentees have the right to sue anyone they discover making, using or selling the invention, or any integral part of it, without authority, during the term of the patent and within the country that granted the patent. Patentees can also sue anyone who induces a third party to infringe.

The remedy for patent infringement is damages to the patentee and any person holding under the patent for any losses suffered as a result of the infringement; and a court order enjoining further infringement. The infringement must have been done in the ordinary course of business, knowingly, and for the infringers' own benefit and to the damage of the patent holder.

Patent holders have an obligation to work their patents in the country which granted the patent. If they do not do so for a stated period of time, an interested party can complain to the Commissioner of Patents for a license to work the invention. Other abuses of a patent include:

(1) Failing to meet demand for the patented article.
(2) Manufacturing under the patent abroad and importing the patented articles.
(3) The patented rights becoming prejudicial to industry in the granting country.

Following a complaint, the Commissioner may:

(1) Grant a compulsory non-exclusive license to a competitor.
(2) Grant a compulsory exclusive license.
(3) Revoke the patent.

There are at least four acts not constituting infringements:

1. The government that granted the patent can exploit the invention for its own uses, although they usually compensate the patentee.
2. Anyone can make a copy of the invention for his or her own amusement, if no practical application is involved.
3. Any person can construct a patented article, as an experiment, for the purpose of improving on it.
4. The invention can be used on board a foreign vessel or aircraft as long as it is used exclusively for the needs of the vessel or aircraft.

To be granted a patent, the subject matter must be an invention. An invention is defined as a new and useful art, process, machine, manufacture, or composition of matter, or any new and useful improvement therein.

Art means a method of accomplishing change in the character or condition of material objects.
Process means performance of an operation to produce a result.
Machine means a mechanical device or combination of mechanical powers and devices which function to produce a new result.
Manufacture means an object or instrument created by the exercise of mechanical forces.
Composition of Matter means chemical compounds, compositions and substances.

Whether or not computer software can be patented is an open question. One answer is: "Yes, but only if it is an integral part of an invention".

Many things cannot be patented:

Methods, plans and business schemes.
Arrangement of words in a newspaper.
A product which has no saleable character.
Any invention with an illicit or immoral object.
Abstract theorems, scientific principles or laws of nature.
Something obvious to a person with ordinary skill in the art.
A mere new use for a known contrivance.
The mere carrying forward of an original thought.
A change only in form, proportion or degree.
Doing the same thing in the same way, by the same means, but with better results.
A different combination of old devices unless it results in a specific product that can be realized in no other way.

Most importantly: Absolute novelty is required for an invention to be patentable. Grant of a patent can be barred for any invention that has been disclosed to the public anywhere in the world before the date of filing for a patent. Disclosure with the mark "patent pending" as allowed in the U.S., or taking advantage of the "one-year grace period" as allowed in Canada, have resulted in refusal of patents in some other countries.

Trade Mark Infringement

There are two kinds of trade marks: common law and registered. Common-law trade marks extend no further than the geographical area in which the trade mark is being used, and in contiguous areas. The owner of a registered trade mark can sue for infringement if it is discovered that someone else is using it.

Trade marks are used as an indication of origin, distinguishing goods from others' goods, and as an indication of quality. To be registered, a trade mark must be sufficiently distinctive so that it is capable of distinguishing the wares or services of the holder from the wares and services of others. The object is that potential customers must not be confused.

In determining whether a trade mark is confusing, a court or the Registrar will usually consider:

Inherent distinctiveness of the trade mark.
Length of time the trade mark has been in use.
Nature of the wares, services or business.
Nature of the trade.
Degree of resemblance to other trade marks or names in appearance, sound, or idea suggested.
Whether the trade mark is weak or strong: a distinctive mark; a mark in a crowded field; or a mark in common usage.
Whether use of the trade mark is restricted geographically.

Failure to use a registered trade mark can lead to loss of rights to it. Rights to a trade mark also must be enforced by the owner by calling attention to misuse. This includes sending legal letters to publishers who use the trade mark in a generic sense without capitalization, or without following with an encircled capital "TM", or "T" in Canada. Alternatively, after five years of use the owner can request the trade mark be expunged or modified.

Copyright Infringement

Copyright is a legal system that gives proprietary rights and privileges to creators, to reward them for their intellectual labor, and to encourage them to keep creating. Copyright includes both economic and moral rights. Economic rights control reproduction and public performance and manifest themselves in the marketplace. Moral rights enable owners to claim authorship and restrain others from distorting or mutilating their work.

Infringement results when someone uses copyright material without the required permission or without paying required fees or royalties. Copyright is often assigned for consideration to publishers or employers.

In the United States copyright vests immediately and automatically upon reduction of the work to a tangible form, but if a copyright is not officially registered, there can be no suit for infringement, and there can be no claim for statutory damages. It is permissible to register a copyright after an infringement, with an intention to sue. In some countries copyright vests with the author immediately on creation.

Under the Berne Convention of 1886 the term of copyright protection is for the lifetime of the author plus 50 years and can be extended. In the United States, the term of protection is during the author's life and for 70 years thereafter. If the work is one done for hire, the term is 95 years after first publication, or 120 years from date of creation, whichever is shorter.

Adaptations of an existing work or any substantial part thereof, translation, transformation, and reproduction in another form without extensive alterations, additions or abridgements require permission.

Copyright protects the expression of an idea, but not the idea itself. The only essential quality a work must have is originality. Questions of quality, usefulness or good taste are not relevant. A work includes the title thereof when the title is original and distinctive.

The following kinds of work are eligible for copyright: artistic works, collective works, dramatic works, literary works, and musical works, graphical and pictorial works, and sound recordings. A collective work is any work written in distinct parts by different authors. They include: dictionaries, encyclopedias, and handbooks. A literary work includes tables, compilations and computer programs.

Computer programs are defined as sets of instructions or statements, expressed, fixed or embodied in any manner (including semiconductor or intermetallic chips or their equivalent), that are to be used directly or indirectly in a computer to bring about a desired result.

Copyright in a work is deemed to be infringed by any person who sells or lets for hire, or by way of trade exposes or offers for sale or hire; or imports for sale or hire into the country granting the copyright; any work that to his or her knowledge infringes copyright, or would infringe copyright were it made within the granting country.

In the US, the "Fair Use" provision of the Copyright Act lists the limitations on exclusive rights. Certain uses are not infringements of copyright. These uses include research, teaching, criticism, comments, and news reporting. In a trial, at least four factors would be considered in determining fair use:

1) Whether or not the use was for commercial purposes.
2) The nature of the copyrighted work.
3) Whether the amount of copied material was insubstantial in comparison to the original, and whether it adds sufficient new material to alter substantially the copyrighted work.
4) The extent to which the infringing work has diminished or destroyed the market value, or its potential market value.

In some countries, lack of knowledge is a possible defense to claims of copyright infringement. That is one reason why, although it is no longer required in the US, it is still customary to include a copyright notice with each work. The notice must show an © (encircled "C"), the year of the copyright, and the name of the copyright holder. The word "Copyright" may be used with the © (encircled "C"), or it may replace it. Also, in accordance with the Buenos Aires Convention, the words "All Rights Reserved" should be added.

Once copyright material becomes widely distributed without objection, it becomes part of the common intellectual domain and it may be difficult for the author to realize even the moral right of authorship. Then, to paraphrase Kipling, you may live to see: "The truth you have written twisted by knaves to set a trap for fools."

Copyright is a civil matter and must be policed by the copyright holder. Remedy for infringement is a temporary or permanent injunction against copying the protected work, money damages for the loss suffered by the copyright holder, and possibly a court order to deliver up copies made and the plates used to print them.

Defamation

There are two modes of defamation: slander is oral; libel is written. Libel is much more serious: it is permanent and much easier to prove.

Defamation historically was narrowly defined. It was limited to falsely asserting that a person was guilty of a felony, infected with a loathsome disease, or incompetent in his trade.
Today, depending upon the jurisdiction and the circumstances, defamation can be any statement that tends to diminish a person in the eyes of others, or even makes a person feel badly about himself.

In some jurisdictions, truth alone is not a justification for publishing a libel, nor is a person who publishes a falsehood necessarily guilty of libel.

Honest belief is one defense against an accusation of defamation. Another defense is that the © (encircled “C”) to convey a different meaning than was ascribed to his statement. Still another defense is justification -- the publisher's position justified his making an accusation. Other defenses are fair comment and qualified privilege.

On the other hand, proof of malice is fatal to the defenses of fair comment and qualified privilege. Malice refers to the state of mind of the defendant. Courts have held that the plea of different meaning would ring hollow unless the defendant were able to © (encircled “C”). Even the defense of justification fails if a case is pursued recklessly or without foundation. Finally, the defense of honest belief is still subject to the reasonable man test.

The remedy for defamation can range from a simple apology, as when a name is misspelled or a caption switched in a newspaper story, to significant money damages. As in other civil litigation, damages are based on a reasonable attempt to measure in money terms the loss and injury the plaintiff has suffered.

In defamation cases at least four kinds of damages have been found to be appropriate: general, special, aggravated, and punitive. These would be awarded in addition to the costs of the action.

General damages are what might reasonably be expected in a loss and in some jurisdictions are subject to a "cap".

Special damages are damages that have a sufficient causal link to some loss-causing event such as the defendant's loss of his job.
Aggravated damages may be appropriate where the defendant's conduct has been particularly high-handed or oppressive, thereby causing the plaintiff's humiliation and anxiety arising from the libelous statement. Punitive damages can be awarded in situations where the defendant's misconduct is so malicious, oppressive and high-handed that it offends the court's sense of decency. They are awarded to punish the defendant. It is a means whereby the jury or judge can express outrage at the egregious conduct of the defendant.

Invasion of Privacy

Privacy information is information which concerns or describes an identifiable individual. Since the 1970's there has been growing concern that the potential for linking computer data banks of privacy information would severely and unfairly affect the lives of individuals. The proposition was advanced that each individual should have the right to determine when and to whom privacy information about that individual should flow. No over-reaching right to privacy ever evolved, although some restrictions were imposed on handling consumer credit and medical information, and on acquiring privacy information by clandestine electronic monitoring.

As a practical matter, anyone who wants a benefit such as social assistance, disability benefits, a line of credit, insurance, admission to a learned profession, or employment in a position of trust will be required to sign a privacy release. For example, a general release might take the form:

To: [record keeper]: I [applicant] for [benefit sought] hereby authorize, direct, and consent to your disclosing and releasing to [adjudicator] all information, documents and records of any kind in your possession or control and relating to me, and this shall be your good and sufficient authority for so doing. This Consent shall remain in effect unless and until you receive written revocation of said Consent.
Dated at [place] this [number] day of [month], [year]
Applicant [signature]
Date of Birth [year/month/day]
Witness [signature].

Medical consent forms are more specific, requesting information on past and present health and potential for rehabilitation. Mental health forms anticipate possible incapacity and provide for execution by trustees. Forms dealing with minor children provide for consent of legal guardians. Some forms use Social Security Numbers and/or residential address to identify subjects, as well as DOB. The important thing for sites processing privacy information is that consent forms be signed, witnessed, and kept on hand.

Human Rights

In some jurisdictions special commissions exist to police unlawful discrimination in certain situations against persons deemed to be especially vulnerable, in addition to due process of law. These commissions may be empowered to investigate complaints, convene boards of inquiry, award damages, order granting of benefits refused, and levy administrative fines.

Rights typically enforced include the following:

Provision of services, goods, and facilities.
Freedom from harassment in the workplace by employer, agents, or other employees.
Right to refuse to infringe the rights of another person.
Attempts to infringe or to do indirectly anything that infringes on a right.
Freedom from reprisal or threat of same.
Employment.
Occupancy of accommodation.
Freedom from harassment by landlord, agents, or other occupants.
Right to contract.
Freedom from sexual solicitation by persons in a position to grant or deny a benefit or advancement.
Right to claim and enforce claims, to institute proceedings and participate in them.

Almost all of the rights listed above have rather obvious relevance to computer security, particularly in regard to privacy and the workplace environment as affected by the Internet.
Prudent managers will take all necessary steps to ensure that personnel are not only physically secure, but that none of their rights are curtailed or abrogated.

Specific characteristics deemed to make persons vulnerable:

Race.
Ancestry.
Place of origin.
Color.
Ethnic origin.
Citizenship.
Creed.
Sex.
Sexual orientation.
Age.
Marital status.
Family status.
Handicap.
Receipt of social assistance.
Record of offenses.

Unjust Dismissal

The principle of employment at will is still alive and well in the modern workplace. There are just more players than the employer and employee. These include: fair labor standards boards, unemployment insurance carriers, unions, and civil courts. Widespread “down-sizing” in the 1990's, carried over into the new millennium, gave rise to employment law as a popular practice option.

An employee who has been terminated and believes the termination is unjust can choose to sue the employer in several forums, including charging infringement of human rights, as described above. Rarely will a court or administrative tribunal order an employer to rehire a terminated employee, for the simple reason that it seldom works well for either party. The object of these actions usually is to maximize termination pay in lieu of notice, and to word termination papers such that the terminated worker will not be denied unemployment benefits.

In some jurisdictions, unemployment benefits are withheld for persons discharged for their own misconduct or for an improper quit. Proper quits can be limited to: health and safety concerns with medical evidence, following a spouse to another area, physical or mental impairment, family emergencies, serious personality conflict, or quitting for a job offer that was withdrawn.

Avoiding actions for unjust dismissal should begin before hiring. Every enterprise should have a professional human relations department.
At the very least, the HR staff should check references of job candidates, and obtain certified education transcripts. Background screening should be required for positions of trust. Work rules should be explicit and explained to all new employees, who should acknowledge them in writing. New employees should be required to sign confidentiality agreements, patent disclosure and assignment agreements, copyright assignments, and privacy consents.

There should be a probationary period for new employees, subject to labor standards law and collective agreements. A mentor should be assigned and required to write a report at the end of the period. All infractions of work rules and disciplinary actions should be carefully documented. The employee should acknowledge each report and should be permitted to file a reply.

Good labor management will pay off in many ways: lower hiring costs, improved morale and productivity, fewer termination pay-outs, and, in some jurisdictions, lower payroll taxes.

Workplace Injuries

Compared to some industries, IT is a relatively benign environment. That does not mean some people do not get hurt. Improving workplace health and safety will cut the costs of workplace disability insurance and workers' compensation charges, and will enhance productivity through continuance of tenure and reduced absenteeism.

The most common cause of IT worker injury is carpal tunnel syndrome. It seems mostly to affect workers who type for long periods of time at computer keyboards. Incidence can be reduced by providing padded wrist supports and by adjusting the relative heights of the monitor screen, keyboard, and operator's chair for the most comfortable position for the worker. Frequent short breaks also seem to help.

Repetitive strain injury to the shoulder seems to be more common than would be expected. It is caused by frequently reaching above shoulder height.
It is wise to reduce the height of shelving in cubicles and put the most frequently used manuals on the lower shelves.

Glare from monitor screens seems to cause migraines in some workers. Anti-glare screens can help, as can monitors that can be tipped to the most advantageous viewing position for the worker. Choice of background and text colors can also be personalized to suit.

Probably at least 5% of all workers over 40 have some degree of degenerative disc disease in the lower back. Provision of ergonomic chairs for these workers and arranging for them to stand and walk around every half hour or so can reduce absences and avoid disability claims for aggravation of their injuries.

Many office workers have relatively poor muscular development. There is no excuse for them to participate in activities like moving computer equipment and furniture. There should be personnel who specialize in this kind of activity, and sufficient carts and dollies for them to carry out their work safely. There should be no occurrences of hernias or slipped inter-vertebral discs in an IT shop.

Epicondylitis or “tennis elbow” is another common cause of disability. It is caused by making quick moves to lift moderately heavy things at arm's length. Some sensible workplace planning should eliminate the need for moves such as these in an IT setting.

Stress appears to be responsible for much impairment by mental illnesses such as clinical depression, excessive anxiety, or panic attacks. The workplace is only one source of stress. However, it is wise to be able to refer workers who appear to be stressed out to independent counselors to whom they can talk in confidence. This is a relatively inexpensive "perk" that can help keep some of the most valuable employees working at peak performance. Counseling is only part of the help needed, however. Changes or simply rotation of duties should often go hand-in-hand with counseling.
Errors, Omissions and Contract Defaults

In no industry, especially one as complex as IT, can every adverse eventuality be prevented or even anticipated. Everybody makes mistakes sometimes. There are some well known precautions that every IT enterprise ought to take all the time. These range from high-level functions such as competent project management, to lower-level safeguards including: use of check sums, batch counts, serial numbering of documents, virus scanners, continuous tape backup, control of internet access, restriction of E-mail to designated machines, and spelling and grammar checkers, to mention a few.

In spite of all efforts, project management may be unable to meet contractual delivery dates or functional specifications, and safeguards may not prove to be totally effective. Wherever possible, and economically feasible, insurance should be in effect to compensate for losses caused by errors and omissions, and by business interruptions. Some of the available coverage includes:

Errors and omissions
Property damage
Bodily injury
Lost profits, and expenses, during shut-downs
Liabilities for products and services
Copyright and patent infringement
Privacy violations

Summary

This tutorial has presented information about those activities that are generally under the control of IT personnel and that are at risk for losses due to legal liabilities. The individual causes for legal action, and some of the available remedies, have been discussed. However, the information contained in this tutorial is provided for information only. It is not legal advice and it is not to be considered as a replacement or substitute for a competent attorney. Nor is the information static; it varies from time to time, and from place to place. In any specific situation, neither action nor inaction should be based on information in this Web site, but rather on appropriate legal and professional counsel.
Reference Web Sites:

http://www.uspto.gov/ (US government information and searches on patents and trademarks)
http://www.loc.gov/copyright (US government information and searches on copyrights)
http://www.scl.org/default.asp (Society for Computers and Law)
http://www.a-ten.com/alz/claw.htm (Extensive list of books on computers and the law)
http://www.lectlaw.com/inll/95.htm (Internet Law Library, Computers and the Law)
http://library.lp.findlaw.com/computerstechnologylaw.html (Library of Computer and Technology Law)