
White Paper: Legal Liabilities of an IT Professional

February 11, 2008

Posted by timsteiner in Research.

Tim Steiner

LES 330

12/05/07

White Paper: Legal Liabilities of an IT Professional

INTRODUCTION

As an IT security professional, your main focus is to provide confidentiality, integrity, and availability (CIA) of sensitive company and client information. This means that the information is seen only by its intended viewer, is not tampered with, and is available when requested (Bell, G. 2001). This can be a daunting task when faced with vast amounts of information that needs to be secured. If you overlook something, will you be held liable? What happens if you fail to properly do your job and it results in the loss of intellectual property, trade secrets, or your client’s bank account information? Thus, it is important to understand the duty of care that is expected of you as an IT professional in order to avoid legal liability. This is why I have chosen to research the legal liabilities of an IT professional and give a clearer assessment of what standards apply.

OVERVIEW

A professional is defined as a person who “has more than average skills and abilities.” When professionals are sued, they are held to a higher standard than an ordinary person because they are expected to know better. Recognized professionals can be sued for malpractice, while ordinary individuals can only be sued for negligence (Professional Negligence, 2007). Furthermore, recognized professionals such as doctors, lawyers, or accountants can be sued for malpractice if they fail to provide a sufficient standard of care and the results are tortious (Malpractice, 2007). Recognized professions require practitioners to meet certain universal requirements, and there is a standard certification process. Because there is no universally agreed upon certification process for IT, there are no clear standards for IT professionals. IT professionals are currently not considered professionals with regard to legal liability and are therefore not subject to malpractice lawsuits.

ANALYSIS

Since IT professionals are not subject to malpractice, only negligence suits can be brought against an IT professional. In order to prove negligence the claimant must show that there was a duty of care owed to them and that the duty of care has been breached (Breach of duty in English law, 2007). The claimant bears the burden of proof to show that there was a duty of care owed, and a breach of that duty of care caused some harm to the claimant. The court uses a test to find if the defendant was negligent. This test examines what a reasonable person would have done in the same situation (Roe v Minister of Health, 2007).

Origins

There are several cases that identify the origin of the reasonable person test. In 1837, the famous English tort case Vaughan v. Menlove first used the reasonable person test to find if a defendant was liable for negligence (Vaughan v. Menlove, 2007). The 1954 case of Roe v Minister of Health involved proving that a medical professional failed to meet the required duty of care. It was shown that a reasonable medical professional would not have foreseen the subsequent harm and therefore was not liable (Roe v Minister of Health, 2007). These cases set a precedent for negligence suits today.

Evolution

Since the inception of negligence cases there have been many critical changes. In 1957, the Bolam test was introduced after the case of Bolam v Friern Hospital Management Committee showed that a higher duty of care is owed by an individual with skills and abilities in excess of an ordinary person (Bolam Test, 2007). This case first identifies the professional standard of care (Standard of Care, 2007).

Current Applications

Many of the historical cases mentioned above are referenced today in modern negligence cases. Currently, the Bolam test is being used to determine whether a doctor is liable for medical malpractice (Bolam Test, 2007). The “Hand rule”, or Calculus of Negligence, is used today in the United States to determine the responsibility of a person to take precautions. If the cost to avoid harm is less than the cost of that harm, then the precautions should be taken (Calculus of Negligence, 2007). This clearly applies to IT applications. Many precautions are taken by businesses to prevent information security loss. Using the Hand rule, if the cost of preventing information loss is less than the cost of losing that data, then the precautions should be taken.

ASSESSMENT

Clearly, many historic cases, although unrelated in subject matter, are applicable to cyberlaw. Furthermore, many of the same rules of law that apply to written contracts also apply to electronic contracts. The liability of an IT professional is similar to that of any professional. An IT professional has more than average skills and abilities in specific areas; therefore, the IT professional will be held to a higher standard than an ordinary individual. At this time there is no universal licensing of IT professionals due to the vast areas of expertise and quickly changing technologies. This is a good thing for IT professionals in terms of legal liability. IT professionals can be held liable for negligence, but not malpractice, which poses a much more severe consequence.

CLOSING REMARKS

The IT professional faces many challenges to ensure information is C.I.A. while limiting liability. Liability cannot be eliminated but can be mitigated by following good information security practices and procedures. If precautions are used effectively and the Hand rule is applied, then the risk of negligence is minimal. No policy should be a replacement for good common sense. If the IT professional is actively involved in day-to-day operations and notices something that could result in a security breach, then it should be addressed immediately. Paying attention to details is essential to all professionals and especially important for IT applications where security is key.

REFERENCES

Bell, G. (2001). Information Security Risk & Assessment. Retrieved December 4, 2007, from http://www.sis.uncc.edu/LIISP/slides01/Greg-Bell.pdf

Roe_v_Minister_of_Health. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Roe_v_Minister_of_Health

Vaughn_v._Menlove. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Vaughn_v._Menlove

Malpractice. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Malpractice

Bolam_Test. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Bolam_Test

Calculus_of_negligence. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Calculus_of_negligence

Breach_of_duty_in_English_law. (2007, December). Wikipedia. Retrieved December 4, 2007, from http://en.wikipedia.org/wiki/Breach_of_duty_in_English_law
