[unisog] justification

Patrick Nolan pnolan01 at nycap.rr.com
Wed Feb 12 16:25:40 GMT 2003

RIAA is in legally in touch with many Universities about what they think is legally allowable on their networks. Perhaps some admins will post the relevant info. It is a fact that one major U is responding to the threatened litigation and potential liability with traffic throttling solutions and policy development and implementation.

As far as liability and standards related to, say, a U's e-commerce related sites, here's a great settlement link;
August 28, 2002 

fwiw, last year there was also an information leak that allowed the names of prozac(?) users to know each other's e-mail addresses, there was another 6 figure settlement in that case. And if your universities health services database unintentionally disclosed, say, information relative to the mental health treatment of students and faculty (HIPPA applies), that'd sure be funny and certainly result in some liability ( ; ^ ).


----- Original Message ----- 
From: "Mark Newman" <mnx at utk.edu>
To: <unisog at sans.org>
Sent: Wednesday, February 12, 2003 10:00 AM
Subject: [unisog] justification

> Pardon me if this seems like an audacious thing to ask...
> Does anyone care to mention any specific incidents that caused your
> organization financial loss or to be in a legally liable position
> because of failure to implement some form of information security
> policy, device, etc.?
> We are seeking justification for expenditure. Our organization doesn't
> care if implementing this or that meets standards. Our organization is,
> like most, concerned with legal/financial liability and other much less
> tangible losses (like prestige) resulting from security incidents.  
> Not asking anyone to "air any dirty laundry" but, even any general
> anecdotes would be very helpful to us in pleading our case.
> Thank you,
> Mark Newman
> University of Tennessee

More information about the unisog mailing list