Can employees be solely blamed for data loss?

Networking/Security Forums -> Computer Forensics and Incident Response

Author: chaand    Posted: Fri Apr 25, 2008 5:15 pm    Post subject: Can employees be solely blamed for data loss?
    ----
Hello everyone, I really need some robust info and would be thankful if someone could help me out please!

I work in the UK for a scientific firm. The computer I work on is stand-alone (not connected to other computers for data backup). 2 weeks ago the computer hard disk crashed & there was significant data loss. The data DID NOT contain any personal/sensitive information. It was just loads of technical data. Data recovery experts couldn't retrieve everything.

Since then my boss has been blaming me, asking why I didn't back up data on the blank CDs and DVDs that are in the office. He is washing his hands of his responsibility to provide a continuous backup system. I only backed up some crucial bits, but that's just a fraction.

The boss has made my life a hell and I am agonising wayyy too much, so I found another job and am about to quit this one. But boss says I MUST hand over all the data before I go, which I can't, as it has been destroyed!

What can I do now?? I am so worried! What is the worst he can do to me REALISTICALLY if I left just like that? Would truly appreciate answers from legal experts or those who've seen similar cases b4.

Author: graycat    Location: London, UK    Posted: Fri Apr 25, 2008 5:17 pm    Post subject:
    ----
Does the IT / data / backup / DR policy state that you have to back up all the data yourself? If not, you're in the clear as far as I can see.

Author: chaand    Posted: Fri Apr 25, 2008 5:33 pm    Post subject:
    ----
I wasn't handed any specific documents outlining such rules. But after this happened, I dug deep into the company website and I found some "guidelines" within the Code of Practice where it says data "should" be backed up on CDs. Two things I should re-emphasize: (1) I was not given this document explicitly, I had to dig deep into the website to find it and (2) the word they use is "should", not "must".

Author: graycat    Location: London, UK    Posted: Fri Apr 25, 2008 5:47 pm    Post subject:
    ----
Unless they can prove you have seen it, understood it and signed it, then as far as I can see, it's not a binding guideline or policy.

Of course, that's just my opinion and shouldn't be taken as legal or even sane sometimes :) lol

Author: chaand    Posted: Fri Apr 25, 2008 6:15 pm    Post subject:
    ----
Yeah sure, I understand, you're just trying to help me out. And thanks a lot for your replies, which cheered me up a bit actually - after days of agonising and feeling guilty! Cheers! :D

Author: ThePsyko    Location: California    Posted: Fri Apr 25, 2008 6:41 pm    Post subject:
    ----
If it makes you feel any better, I agree with Graycat - unless they informed you of this ahead of time, and have written proof that they did, you're on pretty solid ground. I would double check and make sure that you didn't sign something stating you agreed to review all policies and such that are available on the company website (odd place to put such things unless it's an intranet I would think?)

Author: PhiBer    Location: Your MBR    Posted: Mon Apr 28, 2008 5:22 pm    Post subject:
    ----
I am no legal expert, but this sounds like something the I.T. or DR department would be responsible for. As mentioned, if you were unaware of the policy then it would be pretty hard to litigate.

Author: Fracker    Posted: Fri May 02, 2008 8:45 am    Post subject:
    ----
Most IT security guys, if they give the responsibility to the user, include it in employee induction programs; most likely they introduce a line:

For Company Information Security Policy, check the website.

;) we know how to put our own blame to the helpless users

Author: PhiBer    Location: Your MBR    Posted: Fri May 02, 2008 5:19 pm    Post subject:
    ----
Fracker wrote:
"we know how to put our own blame to the helpless users"

Yes, IT workers like you give all of us a bad rep.

Author: larsmhansen    Location: Boston, MA, USA    Posted: Fri May 02, 2008 7:21 pm    Post subject:
    ----
Hard drive failure is an "act of God", and an employee should not be held responsible for data loss caused by such failure.

If a stand-alone machine is to store valuable information, then the IT dept. must provide a reasonable means of backing this data up. CDs or DVDs are hardly "reasonable", as the process is often manual, they provide insufficient storage space, and are too time consuming for the end user. Also, the end user should have been trained in using the backup software, regardless of its nature.

Author: Fracker    Posted: Sat May 03, 2008 6:42 am    Post subject:
    ----
PhiBer wrote:
"Fracker wrote:
'we know how to put our own blame to the helpless users'

Yes, IT workers like you give all of us a bad rep."

:o I just told the reality that happens in many organizations.

@Person Above me

The topic starter said they have provided the backup policy as well as the means. If the employee won't ask for the facilities, how will the IT guy know that he has valuable information on his system? Also, when IT Security has mentioned that for the Company Security Policy you have to go to the website or web portal, then it becomes the employee's responsibility as per Legal.

But yes, it shouldn't be like that. Many organizations form an employee induction program where they involve IT Security in it, and every employee has to read and sign the acceptable use policy.

Author: The_Real_Gandalf    Location: Athens, Greece    Posted: Fri May 30, 2008 9:36 am    Post subject:
    ----
I do not know what stands in the US, but in the E.U. I think you have to sign a paper describing policy and guidelines on how to use, back up and handle network resources in general, along with privilege rights and security measures from the user's side.

So unless there is no such signed document by the user, it is only the user's word against the IT dept.'s.

A variation of it, though, is if the company has made the browser's first page an internal webpage with the guides mentioned above. If that exists, it also stands as a legal fact for the user.

In any other case, there is no proof that the user should have complied with the policies of the company. Unless of course his actions violate general laws, like Warez or other of the same nature, where both user and IT persons are considered equally guilty for that.

My advice... consult with a lawyer to give you proper guides on this, since you won't find anything here more than opinions, which won't stand as responsible legal statements.

Gandalf

Author: ThePsyko    Location: California    Posted: Fri May 30, 2008 5:32 pm    Post subject:
    ----
The_Real_Gandalf wrote:
"... like Warez or other of the same nature"

The thing about that is it's going to be hard to prove with the drive gone :)

Author: The_Real_Gandalf    Location: Athens, Greece    Posted: Mon Jun 02, 2008 9:47 am    Post subject:
    ----
Nope.. not really..

The router's logs could identify if there was any connection or activity made by this terminal's IP which indicates the existence of warez or porn files on this "disappeared disk" of his.

Gandalf



All times are GMT + 2 Hours