TAM data encrypted?

Marie (Zionkowski) Gozikowski · June 05, 2012, 10:44:16 AM

E&O time again.... going over things, and I am wondering... If someone gets by our security and into our server, can they read our dbf's, or does TAM automatically encrypt them?

Thanks!

Todd Arnold · June 05, 2012, 11:12:24 AM

They can read your dbf's. No automatic encryption in TAM.

Marie (Zionkowski) Gozikowski · June 05, 2012, 11:13:39 AM

I was afraid of that... I seem to remember that there is a way to turn on encryption, correct? What are the pros and cons of this?

Bloody Jack Kidd · June 05, 2012, 11:14:41 AM

an encryption/decryption engine would have to be added and it would create significant processing overhead

Alice Mooney · June 05, 2012, 11:16:44 AM

I believe the encryption available in Tam is for attachments only.

Marie (Zionkowski) Gozikowski · June 05, 2012, 11:23:30 AM

Thanks everyone :-)

Gene Foraker · June 06, 2012, 11:01:03 AM

I think the proper E&O answer is to not let the bad guys into your system.

Seriously. I think you are expected to perform due diligence and proper controls. You really aren't legally liable if you don't perform a negligent act or fail to act properly.

Andrew Carrick · June 06, 2012, 11:31:37 AM

Our docs are encrypted (via Homebase setting) and I can't open pdfs directly so I'm guessing they too are encrypted.

Marie (Zionkowski) Gozikowski · June 07, 2012, 11:05:55 AM

Gene,

We do a lot here to try and keep our info private and our system secure. However, as you know, there is no perfect solution (unless you go back to paper and pen). Also, I am not a security guru, and we are a small agency. As much as I would like, we just can't afford to spend thousands and thousands of dollars for absolute state-of-the-art defenses. So, I would assume that any determined hacker could bypass the defense we have in place. I think this is typical for most small businesses.

It is an interesting question though... what actually is due diligence? Does it differ between a small agency like ours and a large, multi-location conglomerate? Anyone have a list or article of what a reasonable (and legally sufficient) system defense requires?

Hans Manhave · June 07, 2012, 11:45:04 AM

'due diligence' is defined by the feeling of the public/judge/lawyer/media/expert at hand. Much like other things. We can "plant" articles, studies, white papers now so when they are referred to next year, they will be accepted as authoritative. Maybe an "industry" publication can serve as a platform for this.

Jeff Zylstra · June 07, 2012, 12:07:30 PM

I'd say that due diligence is taking proactive steps to safeguard the data to the best of your abilities, whatever those abilities may be. I'd say a business class firewall, anti-virus that is kept up to date with weekly scans, good physical security of data and computers, good password enforcement and timely changes of passwords, etc.... I'd have something in writing with scheduled checks and then follow it. You can't be responsible for something you don't have knowledge of.

Hans Manhave · June 07, 2012, 12:52:42 PM

Quote from: Jeff Zylstra on June 07, 2012, 12:07:30 PM
You can't be responsible for something you don't have knowledge of.

But you can! Ignorance of the law is no excuse etc. This goes for the people who drive into this town with a dog in the bed of their pickup (not allowed), but the next town has no problem with that, and many other things.

Marie (Zionkowski) Gozikowski · June 07, 2012, 03:57:09 PM

Nothing like an E&O review (or taking an E&O class, for that matter) to make you worry about all the things that might go wrong.

We do all the standard things listed here to safeguard our data, and most days I do not overly stress about it. But E&O time..... ugh :-)

All about balancing security with ease of doing business, I guess.

Jeff Zylstra · June 07, 2012, 05:00:51 PM

Quote from: Doofus Drake on June 07, 2012, 12:52:42 PM
Quote from: Jeff Zylstra on June 07, 2012, 12:07:30 PM
You can't be responsible for something you don't have knowledge of.

But you can! Ignorance of the law is no excuse etc. This goes for the people who drive into this town with a dog in the bed of their pickup (not allowed), but the next town has no problem with that, and many other things.

You are correct. Ignorance of the law is no excuse, but I think this would fall under ignorance of technology and computers, and thankfully that's not a crime. Can you imagine the jail overcrowding if it were!

Gene Foraker · June 15, 2012, 02:10:28 PM

I haven't read the thread since my last post weeks ago.

What was on my mind was the fact that you aren't responsible for things outside your control. If Tom Cruise and his Mission Impossible team decide to break into your office and steal the server, then you are unlikely to be held responsible as long as you took normal expected precautions to safeguard the data.

Years ago one of my law courses discussed liability and the "Prudent Man" rule. You have a duty to protect the data against expected and normal risks. The degree of care will be different for a small agency and a large national brokerage.

Yes, the duty you are held to can and will be decided by a judge and jury, but is not unlimited.