The Way Business Is Moving published by
Issue Date: August 2004

The open network or an open door to prosecution?

1 August 2004

Thanks to the principle of 'vicarious liability', an organisation is legally responsible for nearly every action that takes place on (or from) its network by employees.
Over the same period, the increasing openness of corporate networks (with the introduction of Web access, e-mail, and now instant messaging), together with the proliferation of home computing, has led many users to become relatively advanced computer operators.
While this growth in IT sophistication and employee computer-literacy undoubtedly has benefits for the organisation, it has also introduced a number of new risks to the corporate network.
The easy access to Internet and e-mail content enjoyed by many employees, coupled with the ease with which software can be introduced directly to computers, means that virtually all networks, whether by accident or design, become the resting place for applications and files that they were never intended to play host to.
Left uncontrolled, a potentially vast catalogue of unauthorised files and software can quickly accumulate. While on the surface the dangers associated with these rogue inhabitants of the network might seem confined to wasted storage, reduced network bandwidth and diminished employee productivity, the real risks to the organisation can be much worse.
The employer's problem
Thanks to the principle of 'vicarious liability', an organisation is legally responsible for nearly every action that takes place on (or from) its network by employees. This doctrine can still apply even if the member of staff concerned was not authorised to carry out the action in question. In plain English this means that organisations and their directors can, in the eyes of the law, be held liable for actions they had no personal part in.
This is why many professional risk analysts now regard mis-use of an organisation's corporate network as a distinct issue in its own right, requiring specific management attention as part of the overall risk management strategy of the corporation.
While organisations can never hope to effectively guard against every possible mis-use of the corporate network (this is, after all, limited only by the human imagination), it is possible to identify with some accuracy the 'usual suspects' which present the most common threats on the network.
Unlicensed software
Whether through ignorance or deliberate risk-taking, unlicensed software already exists on the vast majority of corporate networks. Some sources suggest up to a quarter of US and UK software could be unlicensed (a figure that rises steeply in Eastern Europe and Asian countries such as Malaysia).
When an organisation 'buys software', in reality it enters into an agreement with the vendor to use a certain number of instances of the application. The software itself is not purchased and the copyright remains with the original publisher. To complicate matters further, many licences are 'bought' for a time-limited period, after which they are no longer valid.
If the organisation installs more copies of the software than it has paid for, or continues to use an application beyond the period of the licence agreement, then it is in direct violation of copyright and is subject to the full weight of the law.
Which is not to say that all copyright infringements are deliberate. Unlicensed software can exist on an organisation's network for a range of reasons. While in some cases the organisation may mistakenly believe that it has removed software that in reality it is still using, the most common cause of unauthorised software proliferation is employees acting on their own initiative without the approval of those responsible for purchasing licences.
This ranges from a one-off copy made by an employee to enable them to work on two machines, to large-scale copying where multiple installations are achieved from one disk without the appropriate licence fee being paid. Likewise, organisations can either deliberately or unknowingly become involved in using counterfeit software, which exists for the products of most major software vendors.
Finally, there is an increasing trend for employees to download software direct from the Internet. While many applications obtained from the Internet may be perceived as 'free', in reality most of them need to be licensed in much the same way as packaged software bought off-the-shelf.
Getting tough on licence abuse
While in the recent past, the threat of legal action has often been thought a hollow one, many software vendors, together with industry watchdogs such as FAST (Federation Against Software Theft) and BSA (Business Software Alliance), are promising a tougher time for offending organisations in 2004 and beyond.
The BSA, which is funded by software vendors including Microsoft, Symantec and Adobe, has already pursued thousands of legal actions. In May 2004 alone, it levied more than $1 million in fines on US organisations found to be in breach of copyright laws.
No matter how the problem has arisen, the doctrine of vicarious liability will ensure that the organisation is standing in the employees' shoes when the litigation starts. In most cases, organisations caught using unlicensed software will face back-payment licence fees at punitive levels together with damages at the discretion of the court. Where there has been a deliberate attempt to evade payment of a licence fee or to use pirate software, the organisation and its principals open themselves to the prospect of a criminal prosecution resulting in (at best) heavy fines and even imprisonment.
Coupled with the inevitable reputational damage and subsequent loss of customers, the results of a criminal case can literally put an organisation out of business.
Taking charge
Historically, the only way organisations have been able to get a corporate-wide picture of the software and data on their networks was to conduct a physical audit of each and every machine. No wonder then that the time and disruptions associated with such an exercise led many companies to forgo auditing in favour of less burdensome tasks.
But what if you could automatically search the corporate network for all PCs, software and file types from a single central server? IT Asset Management solutions, such as Centennial Discovery, enable organisations to create a clear global view of the entire corporate IT estate by automatically finding and auditing all IT assets on the network.
Suddenly, licence managers can reconcile the deployed copies of Adobe Acrobat against the number of licences physically held by the organisation; network administrators can spot which laptops are holding the biggest Jimi Hendrix collections and directors can get an accurate picture of their personal legal exposure.
The last exercise alone is often all it takes to secure board approval for an IT discovery project!
No more legwork
Centennial Discovery uses patent-pending technology to automatically find all devices attached to the network. This means that no matter how a PC, server or laptop is connected to the network (WAN, LAN, VPN, dial-in etc), Centennial Discovery will always find it.
As soon as it is installed on just a single machine, the inventory solution will start searching the network for other devices - including PCs, servers, switches, printers and firewalls - building a current and complete view of the corporate IT estate. Even when Centennial Discovery has found all the machines on the network, it continues to keep a look out for new devices being added, and alerts administrators accordingly.
Having identified a PC, a Centennial Discovery client agent then performs a full audit of the machine, recording everything from the serial number to a complete list of all software executables and file types located on the hard disk. To make it easy for IT managers to visualise where assets reside in the organisation, Centennial Discovery will even track the physical location of each device.
Once deployed, a full corporate-wide software and file audit can be achieved without physically leaving the IT department. And you can perform an audit as often as you like, safe in the knowledge that Centennial Discovery's network-friendly design will ensure that network performance remains at optimum levels.
Pre-emptive strike
With organisations like the BSA and FAST publicly stating their intent to bring criminal prosecutions against organisations found to be using unlicensed software and the number of tribunals brought against employers for misuse of corporate IT resources on the increase, the case for reducing a company's legal exposure is clear.
But taking charge of IT use can have clear benefits for the business too. According to analyst firms such as the META Group, an effective IT asset management strategy can reduce an organisation's software spend by up to 30% - a significant saving which can undoubtedly be put to good use in other areas of IT.
Brian Little, channel development manager, Centennial
For more information contact Centennial, 083 604 0603,
Vicarious liability
"An employer is vicariously liable for negligent acts or omissions by his employee in the course of employment whether or not such act or omission was specifically authorised by the employer. To avoid vicarious liability, an employer must demonstrate either that the employee was not negligent in that the employee was reasonably careful or that the employee was acting in his own right rather than on the employer's business."
