Security's Everyman

Wednesday, February 28, 2007

Who is responsible?

I ran across this last week and it brought back a memory of something similar (sort of) that I ran across when I was consulting. It also raised my ire because of the concepts that this guy is using to try and win his lawsuit against IBM.

First the story. I was consulting for a small company that had customers from all over the world. They received business-related emails from any country that has a computer. These were requests to buy items, get more info, etc. The problem was that every spammer in the world had their address book. They received spam in every conceivable language and on EVERY conceivable (and inconceivable) topic. When I got there they had no spam filter in place and all of their users used MS Outlook and they all used the preview pane (maybe pain is a better spelling). You can imagine what happened. They were hammered with spam that included VERY GRAPHIC sexual content. When I saw this I was shocked and in total disbelief that they had not taken any steps to control this. Actually, bringing me in was their first step. Their previous consulting firm was unable to even realize that this was a problem. This wasn't even the reason they brought me in. I originally came to investigate why their new Windows 2000 AD domain wasn't working properly. Anyway, I noticed all of this porn email as I was doing a general survey of the company. I immediately brought it to the attention of management and explained the risk of possible virus infection, but also the potential for a lawsuit. They didn't realize that they were leaving themselves open to possible legal action for their inaction on this.

Now for my personal responsibility rant. Companies should do all that they can and that is reasonable to protect their employees and data from harm. I do believe that porn can and does cause harm to people. IBM did the right thing in confronting this when it was first discovered. If they were not doing anything to prevent this content from being accessed then they should have. That still does NOT release James Pacenza from being responsible for his own actions. There are plenty of other ways to deal with post-traumatic stress disorder. It is not IBM's fault that he visited this chat room. It is not IBM's fault that he didn't find a better way to deal with his problem. They warned him and he chose to continue in his actions. He knew the consequences. As long as IBM wasn't actively encouraging this action and as long as they had reasonable controls in place to ensure that he wasn't unduly subjected to inappropriate content then it's not their fault.

This work is licensed under a Creative Commons Attribution-NC-SA 3.0.