Firewall Wizards mailing list archives
Executives liable for computer crime?
From: "Wood, Tom D" <TDW6 () pge com>
Date: Wed, 19 Aug 1998 13:04:57 -0700
I have been given the dubious task of writing a paper that justifies the costs behind deploying a strong authentication system to complement a proposed dial-up solution. There seem to be some still of the opinion that static passwords are an acceptable method of authenticating remote users.

So, while doing some research I ran across a white paper outlining Federal Regulations written in 1991 that effectively hold CEOs (and senior management) liable for any activity "on" or "through" their network, e.g. bad guy island hops from your network to the target network and does unspeakable things, CEO of the network in the middle can be held partially liable for the unspeakable things.

The article also mentions the Federal Sentencing Organizational Guidelines, which are claimed to contain a "Mandatory point system" for Federal judges to follow in determining appropriate punishments. It then suggests that if a CEO could demonstrate that he/she had made a "good-faith effort" in securing their network through an "effective" security program (and still got hacked), the judge would have some latitude in mitigating the fine and/or sentence.

Comments? Does anyone have knowledge of these guidelines, and have they ever actually been enforced? Do we know if the courts have defined exactly what a "good-faith" effort is?

cheers...

Tom Wood
ETPM Advanced Systems Group
tdw6 () pge com

I am NOT a pessimist! It wouldn't work anyhow