IT Employment

Who is liable when computer tech swipes files?


I am going to blog tomorrow about the five worst places to work in the US. But while looking into the companies on the list, I came across a series of articles written by the folks at consumerist.com about a "sting" they purportedly conducted on Best Buy's Geek Squads across the country.They apparently loaded a computer with porn and rigged it to make a video of itself. The video captured "every cursor movement, every program opened, every file accessed." They took the computer to less than a dozen Geek Squads. Apparently most places were fine but then they caught one guy copying the pornographic images to his company-issued thumb drive.

Of course, this doesn't prove Best Buy is some kind of covert, satanic porn distributor as much as it proves they have an employee with questionable morals. And that I guess that can happen to just about any company.

I was more intrigued by the discussion that followed this "news flash." Most readers--many of whom repair computers--expressed no shock that this goes on. One guy even said that stealing porn is the only perk to the job.

Some readers suggested that everyone just calm down, that if you take your computer to get it fixed, the content of your hard drive is fair game. They suggested that you "learn to live with it or fix it yourself."

One guy said that if you take your computer in to get something simple done, like have iTunes installed, then the tech has no business exploring you're My Documents folder. But how can you ensure that they won't? How can you ensure that they won't go into your bank files and start copying down account numbers? Would the company be liable in a case like that?

What if you yourself are a tech working on someone's computer and you come across some data or pictures that may be illegal like child porn? Are you legally obligated to report it?

It's a complicated question that I'm sure won't be sufficiently answered until a few court cases set precedent.

About

Toni Bowers is Managing Editor of TechRepublic and is the award-winning blogger of the Career Management blog. She has edited newsletters, books, and web sites pertaining to software, IT career, and IT management issues.

30 comments
retro77
retro77

"What if you yourself are a tech working on someone???s computer and you come across some data or pictures that may be illegal like child porn? Are you legally obligated to report it?" YES!!! If its illegal, then its your responsibility as a professional to report it. That???s just sick and all the child porn ppl should be burned! [literally set on fire]

SisLin
SisLin

Like anything in this country; it is up to you to protect your assets. The argument of who is liable will not prevent any of it from happening...just like identity theft. What needs to be done is precautions. If you have files on you pc that are unprotected, you are opening yourself up. Yes, passwords can be broken, but like a car alarm, usually it is enough deterrent. If it is a pro, it does not matter how much you try to prevent it, they will get it. So do yourself a favor and learn what you can do to protect your property.

Dr_Zinj
Dr_Zinj

A lot depends on the situation. First of all, the technician duping the files is liable for his or her own actions. If he or she is employed by a company to perform computer maintenance, and does the misdeeds in the course of their job, then the company usually is also liable. If the computer is a company owned asset, there are probably company policies about what is allowed on it. You are probably required to report the presence of unauthorized files to management for their action. A thorough description of the circumstances under which you found the files, and your actions may make a big difference in whether you have legal action taken against you. In any case where unlawful activity is taking place, either within your company, or at a customer's location, you have a duty as a member of our society to report it. If it is within your company, then you are technically covered under whistleblowers laws. Unfortuately, you're still likely to be canned and possibly blacklisted for reporting it to the cops; the suits will find some pretext to get rid of you.

NickNielsen
NickNielsen

The tech swiping the files is stealing data. He should be held accountable for his actions. End of story. I don't see employer liability unless the tech has been caught stealing data in the past. At that point, the employer has not taken reasonable steps to protect its customers. And didn't we have the discussion about what to report last year? Are we about to kick that carcass again?

nentech
nentech

The most important thing to remember when working on or using a pc that is not your own is the law Stealing some ones data is still theft Copying software is almost always illegal If you do not report illegal data or software you may be breaking the law It may be hard to prove you did not find or see something illegal when you backed up or fixed the pc If you back it up on your equipment you take the risk of have something illegal on it If you back it up on the company or someone else's equipment they take the risk The customer/user/owner should be asked if there is anything illegal on the pc They should be told what will happen if illegal software or data is found Anyone who handles the pc that needs repair can be responsible for not reporting anything illegal contained on it So to anyone reading this be very careful Always ask the person who gives it to you if there is a chance of anything illegal

allen
allen

AS A Computer Tech for over 20 Years in my company it is my responsibility not to pry in on my customers privacy we are here to fix a problem repair their computer. not see what is not it. you are not supposd to look through their hard drive to see what is no it. just fix the problem and keep a happy Customer

gor82
gor82

Being a tech that used to work for a company that is famous for its Bars i can say that two things matter when in comes to personal files. If you dont want us to have it ERASE IT ! and two if i see child porn i consider it my personal duty to call the police. NO ONE SHOULD EVER HURT CHILDREN

w2ktechman
w2ktechman

Answers from my perspective! Although I have no doubt that this goes on, this is a bad situation. Tech's should be held liable for their behavior when on another persons system. They should not copy data unless it is part of the 'fix' (like backing it up), or unless requested. The company may be held liable if it can be proved that the tech did, in fact copy data and use it for personal gain (like ID theft, credit card fraud, etc.). The company did 'hire' this person. I rarely 'come across' an individuals personal content. Even when looking for data to recover or backup. I see folders, and copy them. If I am cloning the drive, I do not even see those. It is rare that I come across personal files and bad content. However it does happen. If I found something that was truly illegal (like child porn) I would report it to my manager and IT security at my company. Many people do not have a team like IT security to report to. These people should report to management and HR. The Police SHOULD be involved in any investigation from then on.

BALTHOR
BALTHOR

Best Buy is a high tech paradise.If you want high tech they've got it at Best Buy.Some judge in a court room may want to know what a Geek is.

Locrian_Lyric
Locrian_Lyric

ESPECIALLY if it's children being exploited.

Freebird54
Freebird54

with that is: How qualified are you to recognize child porn? The definition of it varies considerably, even as the ages involved. Then there is the difficulty of determining those ages. Then - what if it is the guy's vacation pictures of his family at a naturist park? When you consider what false suspicions can do to someone's life (especially nowadays) be VERRRRY careful about what you report - and to where! Another stray thought - possessing 'child porn' is the only crime known where it is illegal to be a witness to the actual crime - CREATING the stuff!! More time should be spent on finding the creators, and people who are profiting from this - than on those who happen to have it. Yes - it is unfortunately possible to have it and not know about it - whether from compromise of your system, or from a targeted attack on you (disgruntled employee, the guy you got promoted over, the guy who thinks you stole his girlfriend, the guy you cut off on the freeway, and he works down the hall....) A can of worms that a tech should NOT be asked to get into the middle of. Perhaps inform the 'owner' of the system that you accidentally located 'questionable or unusual materials' and ask if they want it deleted?

w2ktechman
w2ktechman

is that you should involve management, and it is actually, in many cases up to them to bring in the Police. There may be other liability factors involved that you are un-aware of. I agree, the Police should be involved, especially in child porn cases. But, unless you are the 'top dog', it should go through HR and management, or, in a larger org. IT security. If your company has policies regarding this as well, it may be beneficial to review them.

Dr Dij
Dr Dij

they may not have followed best practices in security or hiring or outsourcing. But in the end, if someone commits any crime, is your company liable for it just for the reason that it was committed? I don't think so. Maybe liable for not following best practices, etc. But a criminal can comit unforseeable acts. They have no control over that. Even with best practices, data theft by insiders is rampant. While bulk may be due to laxness, very many are targeted thefts. Foreign govts for example groom workers so that when an opening in XYZ company occurs, that is a govt contractor or has patent or technology info they want occurs, chances are this person will be hired. And after that can be dirt easy to get data as many companies don't even lock down USB drives. I could bring in a thumb sized drive with 4 gigs or bring in one of my two 300 gig seagate usb drives and suck the company data dry. I liked what happend with visa processor who had trojans thru carelessness, they essentially went out of biz as no merchant wanted to run cards thru them.

Locrian_Lyric
Locrian_Lyric

Porn is an obvious bait. Sadly, people think "Ah, it's just porn, what's the harm!" WRONG! As you said, it's passwords, ss#s, credit card numbers, potentially embarassing personal information... a wealth of data that could be exploited for personal gain. The company CAN and SHOULD be held liable if they are unwilling to curb the habbits of their employees!

lesko
lesko

I agree that you should report it but doesn't that prove that you were looking into places you were not supposed to ? Unless they have the illegal files stored in the same area as the spyware or other things you were supposed to fix this falls into the same ethical category as the original post

w2ktechman
w2ktechman

but your last statement was stupid (my opinion). Yes, a can of worms could be opened, but, this is not up to you as the tech to take the full brunt of it. As the tech, as I have stated, you should report it to your company, and they will investigate and/or bring the police into it.

Locrian_Lyric
Locrian_Lyric

If I were in that situation, I would document the following. 1)What I was doing at the time. 2)How I found it. 3)Where I found it. 4)When I found it. 5)When I reported it to management. 6)When I followed up with management. 7)When I went to the police if management refused to act. AND I would keep these notes at home

w2ktechman
w2ktechman

the company MAY be liable and Tech's should be held liable for their behavior when on another persons system And for the final Answers from my perspective! I am not an attorney, nor am I very familiar with Law and Legal issues. So, I try not to state too many 'for sure' items outside of my area(s) of expertise. As far as not directly calling the police, many companies DO have policies in place in which the employee should not directly call the police, and that they contact security, IT security, HR, or Legal if something is found. Also, you may not want youer manager to find out in an awkward way, or totally surprised. Your manager is supposed to be there to handle these types of issues as well. However, you can also state that you will be expecting a detective to contact you for details.

DantheBestMan
DantheBestMan

to remain silent and be thought a fool, than open your mouth and remove all doubt.

nentech
nentech

If you are going to reply to someone?s post that you read all of it including the linked documents I have seen so many people argue a point, which was already stated in the documents they did not even bother to read The problem faced by the law and many other groups is the definition porn Kiddie porn is very difficult because people become emotional and lose perspective His links showed this problem You wrote ?minors being forced to engage in acts is pretty clear-cut? I could look at that as a child being told to clean his room and think you were an idiot Then you wrote ?kiddie porn is illegal, period.? Were you arguing or trying to add weight to your argument I could think you were saying NickNielsen had said it was not illegal and again think you were stupid I know you are not but I hope you get what I am trying to say It always pays to read all of a post including any referenced information if you intend to reply It also pays to read the post it replies to I have seen people attack you in the TR forums because you make some simple mistake Such as not reading the reply or post or topic fully I am just trying to show you some good ways to post I can usually work out what you are trying to say But some people struggle to understand some of your posts Also I tend to think most people are misunderstood and not the evil b**teds that others try to make them out to be PS it is harder to get your message across if the other person thinks you?re an idiot

NickNielsen
NickNielsen

You just kind of skated right around it and never addressed it. Why bother to even post?

Locrian_Lyric
Locrian_Lyric

I do not click on links, nor was that my point.

Locrian_Lyric
Locrian_Lyric

"While performing a thorough scan, I found that there were a number of problems in the system directory. While investigating, I noted that there were a number of JPEGs with the title 'lolita'. Did not open files, reported to superiors:"

Freebird54
Freebird54

And you still are in the middle of it - pr responsible for ruining someone's life. Even the possibility of a suspicion seems to be enough to do that these days - and that includes being the subject of an investigation. Also - what if you ARE the company. Do you report it to yourself? (sorry - couldn't resist). It is NOT an easy thing to make 'rules' on is the point that I want to get across. Hopefully someone will try to be pretty sure of what they are seeing before passing it up the line! In these days of tracking nearly everything, could we not track payments to sites that have illegal things on them? Or put 'suspects' on a watch list to see if they actually do anything - pay for anything? I hate witchhunts, no matter how well-intentioned. Disclaimer: I would be more likely to flatten a guy that I suspected was mistreating a child than report him - that way it is known he is paying SOMETHING for the crime....(and it might be more likely to stop him, too!)

Locrian_Lyric
Locrian_Lyric

the finger pointing all goes to the low man on the totem pole.

w2ktechman
w2ktechman

It is important to document these items.