Lawyer warns IT to stay out of drafting policy

01.03.2005
Von Michael Crawford

Corporate IT policy, HR and governance issues are no place for IT and should be left to the experts, a leading IT lawyer and one-time adviser to Richard Alston has warned.

According to telco and IT policy consultant Andre Stein, corporate policy for effective computer use is failing because corporations are either doctoring their own policies or passing the task onto the IT manager.

Stein told Computerworld responsibility for corporate policy legally resides with senior executives, human resources and legal departments, adding IT managers should not try to create policies for their organization that relate to corporate governance.

He said IT managers should not be left with the responsibility of writing policies. "They are criminally liable if they breach either state or federal laws about handling personal or financial information, and they are not legal and policy experts," Stein said.

"This is a significant issue because of the legal and financial risk involved, particularly now as directors can be held criminally liable for unauthorized use access or use of the network. The promise of jail terms is starting to focus their minds, but it is a slow process.

"I dealt with one organization in the banking sector which had taken its policy directly from an organization in the health sector, and then done a find and replace with its own name," Stein said.

Another example is that of Tobacco giant Phillip Morris where an employee was fired and then re-instated on the basis the company engaged in poor computer practices by using common passwords, Stein said. Director of IT client and online services at Charles Sturt University, Philip Sefton, said it is out of their particular area of expertise for IT managers to write legally binding documents, with corporate governance now pushing polices on IT and computer use over to legal officers.

"The future for policies is that the legal officers will continue to have a hand in developing them," Sefton said.

"The IT department knows information technology and the legal officers know the law. But where is the balance saying you can make a student sign an indemnity document before logging on to the network? In my experience it hasn"t happened as yet, but legal officers state that you have to be prepared.

"Due to corporate governance, the legal team now want a hand in writing computer-use policies. In the past it was good enough for the IT department to produce something in common sense language. Now because of the amount of litigation, writing policy is out of depth for IT people."

An IT manager of a global company, who spoke on the basis of anonymity, said in his organization IT managers write the policy, but the legal team sign off on it. Once the policy is written, the IT department sends a copy to legal representatives locally and internationally.

"The IT department and the legal department never write a policy together - we write it and submit it to them to either approve or knock it back," he said.