E&O time again... Going over things, and I am wondering: if someone gets by our security and into our server, can they read our DBFs, or does TAM automatically encrypt them?
Thanks!
They can read your DBFs. No automatic encryption in TAM.
I was afraid of that... I seem to remember that there is a way to turn on encryption, correct? What are the pros and cons of this?
An encryption/decryption engine would have to be added, and it would create significant processing overhead.
I believe the encryption available in TAM is for attachments only.
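The replies above make one concrete technical point: a .dbf table is a cleartext file, so anyone who can read the file can read the records without any key. The script below is an added example, not code from this thread or from TAM/Applied Systems, that lets a defender verify that for themselves. It builds a small dBase III-style table in memory from constructed sample rows (the layout is the generic dBase III header, not a claim about TAM's own file layout), parses it back with nothing but the standard library, and reports a byte-entropy figure; the `parse_dbf`, `byte_entropy` and `cleartext_findings` names are mine. Run the same `cleartext_findings` over a real data file: if field names and values come back readable and the entropy sits well below 8 bits per byte, the data is not encrypted at rest, and the answer to the E&O question is "yes, they can read it".

```python
import math
import struct
from collections import Counter


def build_sample_dbf(fields, rows):
    """Construct a minimal dBase III (.dbf) file in memory.

    fields: list of (name, length) for character fields.
    rows:   list of tuples of string values, one per field.
    Constructed sample data only; not from any real agency system.
    """
    record_len = 1 + sum(length for _, length in fields)  # 1 byte deletion flag
    header_len = 32 + 32 * len(fields) + 1                 # +1 for the 0x0D terminator
    header = struct.pack(
        "<BBBBIHH20x",
        0x03,            # dBase III, no memo file
        12, 6, 7,        # last-update yy/mm/dd (arbitrary constructed date)
        len(rows),
        header_len,
        record_len,
    )
    descriptors = b"".join(
        struct.pack("<11sB4xBB14x", name.encode("ascii"), ord("C"), length, 0)
        for name, length in fields
    )
    body = b"".join(
        b" " + b"".join(v.encode("ascii").ljust(length)[:length]
                        for v, (_, length) in zip(row, fields))
        for row in rows
    )
    return header + descriptors + b"\r" + body + b"\x1a"


def parse_dbf(data):
    """Parse a dBase III file and return (field_names, records).

    Records come back as dicts of stripped string values. There is no
    decryption step anywhere here: the format stores data in the clear,
    so reading it is just reading the bytes.
    """
    _version, nrec, header_len, record_len = struct.unpack_from("<B3xIHH", data, 0)
    fields = []
    offset = 32
    while data[offset] != 0x0D:  # field descriptors end at a 0x0D byte
        name, ftype, length = struct.unpack_from("<11sB4xB", data, offset)
        fields.append((name.rstrip(b"\x00").decode("ascii"), chr(ftype), length))
        offset += 32
    records = []
    pos = header_len
    for _ in range(nrec):
        rec = data[pos:pos + record_len]
        if rec[:1] != b"*":  # '*' marks a deleted record
            cursor, row = 1, {}
            for name, _ftype, length in fields:
                row[name] = rec[cursor:cursor + length].decode("ascii", "replace").strip()
                cursor += length
            records.append(row)
        pos += record_len
    return [f[0] for f in fields], records


def byte_entropy(data):
    """Shannon entropy in bits per byte. Cleartext tables sit well below 6;
    properly encrypted (or compressed) data approaches 8."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def cleartext_findings(data):
    """Defender-side check: does this file give up field names and values
    when read with no key at all? Returns a short report dict."""
    names, records = parse_dbf(data)
    entropy = byte_entropy(data)
    return {
        "field_names_visible": names,
        "first_record": records[0] if records else None,
        "entropy_bits_per_byte": round(entropy, 2),
        "likely_cleartext": entropy < 6.0,  # heuristic threshold, an assumption
    }


# Constructed sample table: two fake customer rows, no real data.
SAMPLE = build_sample_dbf(
    [("NAME", 20), ("POLICY", 10)],
    [("Jane Q Sample", "POL-000001"), ("John Q Sample", "POL-000002")],
)

if __name__ == "__main__":
    print(cleartext_findings(SAMPLE))
```

To check a real file, replace `SAMPLE` with `open("path/to/table.dbf", "rb").read()`. The entropy threshold is a rule of thumb, not a standard: a table full of numeric or packed fields can score higher than 6 and still be cleartext, which is why the field-name and first-record lines in the report are the more reliable signal.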
Thanks everyone :-)
I think the proper E&O answer is to not let the bad guys into your system.
Seriously. I think you are expected to perform due diligence and proper controls. You really aren't legally liable if you don't perform a negligent act or fail to act properly.
Our docs are encrypted (via Homebase setting) and I can't open PDFs directly, so I'm guessing they too are encrypted.
Gene,
We do a lot here to try and keep our info private and our system secure. However, as you know, there is no perfect solution (unless you go back to paper and pen). Also, I am not a security guru, and we are a small agency. As much as I would like, we just can't afford to spend thousands and thousands of dollars for absolute state-of-the-art defenses. So, I would assume that any determined hacker could bypass the defense we have in place. I think this is typical for most small businesses.
It is an interesting question though... what actually is due diligence? Does it differ between a small agency like ours and a large, multi-location conglomerate? Anyone have a list or article of what a reasonable (and legally sufficient) system defense requires?
'Due diligence' is defined by the feeling of the public/judge/lawyer/media/expert at hand. Much like other things. We can "plant" articles, studies, white papers now so when they are referred to next year, they will be accepted as authoritative. Maybe an "industry" publication can serve as a platform for this.
I'd say that due diligence is taking proactive steps to safeguard the data to the best of your abilities, whatever those abilities may be. I'd say a business-class firewall, anti-virus that is kept up to date with weekly scans, good physical security of data and computers, good password enforcement and timely changes of passwords, etc. I'd have something in writing with scheduled checks and then follow it. You can't be responsible for something you don't have knowledge of.
Quote from: Jeff Zylstra on June 07, 2012, 12:07:30 PM
You can't be responsible for something you don't have knowledge of.
But you can! Ignorance of the law is no excuse etc. This goes for the people who drive into this town with a dog in the bed of their pickup (not allowed), but the next town has no problem with that, and many other things.
Nothing like an E&O review (or taking an E&O class, for that matter) to make you worry about all the things that might go wrong.
We do all the standard things listed here to safeguard our data, and most days I do not overly stress about it. But E&O time... ugh :-)
All about balancing security with ease of doing business, I guess.
Quote from: Doofus Drake on June 07, 2012, 12:52:42 PM
Quote from: Jeff Zylstra on June 07, 2012, 12:07:30 PM
You can't be responsible for something you don't have knowledge of.
But you can! Ignorance of the law is no excuse etc. This goes for the people who drive into this town with a dog in the bed of their pickup (not allowed), but the next town has no problem with that, and many other things.
You are correct. Ignorance of the law is no excuse, but I think this would fall under ignorance of technology and computers, and thankfully that's not a crime. Can you imagine the jail overcrowding if it were!
I haven't read the thread since my last post weeks ago.
What was on my mind was the fact that you aren't responsible for things outside your control. If Tom Cruise and his Mission Impossible team decide to break into your office and steal the server, then you are unlikely to be held responsible as long as you took normal expected precautions to safeguard the data.
Years ago one of my law courses discussed liability and the "Prudent Man" rule. You have a duty to protect the data against expected and normal risks. The degree of care will be different for a small agency and a large national brokerage.
Yes, the duty you are held to can and will be decided by a judge and jury, but is not unlimited.