What legal issues should you research as a sysadmin to avoid you, or your employer, being accused of negligence, or of violating privacy, etc?
While laws vary from country to country and state to state, it could still be enlightening if you have an example of a law which you, or someone you know, has broken without realizing it.
It largely depends on a few things, like what industry you're in (the following applies to the USA only)...
A lot of the smaller jobs I've worked have been pretty bad about PCI DSS: storing CC info in plaintext, a publicly accessible database server... basics that were just neglected.
The following applies to the USA only;
CIPA: Children's Internet Protection Act
Especially if you're employed by a state or federal educational entity: http://www.fcc.gov/cgb/consumerfacts/cipa.html
FOIA: Freedom of Information Act
Again if you're employed by a government entity: http://www.fcc.gov/foia/
FERPA: Family Educational Rights and Privacy Act
Education: http://www.ed.gov/policy/gen/guid/fpco/ferpa/index.html
Be aware of the legal side of network analysis and intrusion detection. In some places, unauthorized use of nmap can be considered a crime, as can trying to break into systems for security (non-malicious) purposes. Be aware of software licensing issues, both for end users (if you deal with them) and for your servers and other sysadmins. Know the possible ramifications if you choose to run pirated software on a business server.
Be aware of privacy laws for your place of business, at the local, state, and federal level. Know what info you are and aren't allowed to store. Also know what info you are and aren't allowed to look at, both in legal terms and as laid down by your company guidelines.
On the flip side, be aware of information retention laws for your place of business. Know what info you're required to keep, how long you need to keep it, and who you have to divulge it to when requested. Be able to draw the line between privacy and complying with regulations (and know when to stand up for one or the other).
I'm in the UK, and I'd say the most important laws to an average ecommerce business would be:
This question can actually only be answered if you tell us where you are located.
Personally, I consider the SysAdmin to be the person in charge of each and every bit of data, and thus the one who carries the largest risk when data is lost/exposed/abused (even if you won't face legal consequences, your boss will come to you and you will have to explain why on earth the data could get out of your company).
I personally make sure that:
Other things I make sure of:
These points aren't about snooping around in files or anything like that, it's just about the regular chatting with colleagues and co-workers and trying to fit together the different pieces.
"Talk about nothing" means not participating in the chatting from a certain point; people come to me regularly with requests about lost passwords, files to be restored or other stuff. That could lead back to certain opinions about otherwise hard-working people, and I don't want that.
This can be in terms of talking from person to person, company mails or posters with friendly reminders that there's a party in the company that could access all data.
These aren't exactly examples of laws colleagues or I stumbled over. But that is the part where "Talk about nothing" comes to play. Sorry to disappoint you with examples.
Your Data Protection legislation. Your employer's AUP - know it inside out - it applies to you too!
There is various state legislation concerning PII (Personally Identifiable Information) in the event of a data breach. California's 1386 requires that everybody who was affected by the data breach (compromise of their information) must be notified. Many other states have similar provisions.
Also, as a clarification on PCI-DSS: that is not a strictly legal requirement. The card brands (MasterCard, Visa, Discover, AmEx) require their merchant banks to require the vendors to adhere to PCI-DSS. If you violate PCI, you won't be prosecuted legally; however, you can be fined thousands of dollars a day (or more) by your merchant bank while you are in violation. If you don't come into compliance, you will eventually lose your ability to do credit card transactions, which would be a kiss of death for most online retailers.
PCI DSS for customers who take credit cards, and the chance that every time you enable logging you might be required to produce those logs in the future. Sometimes it is better not to have recorded anything.
E-discovery is a big "gotcha." These are the requirements in the US to preserve electronic information in the event of a lawsuit, and to make it available to the other party.
The sysadmin should spend some time with the company's lawyers BEFORE the first time the company is sued, so that you have a plan in place to comply with these requirements if you ever have to. Failure to preserve all the necessary electronic records (and in the right way) immediately upon a lawsuit coming up can hurt the company tremendously (including losing a lawsuit that might not otherwise have been lost).
In a policing or Crown counsel environment, you need to be careful when handling digital evidence. The last thing you want is to be required to testify in court when all you did was help convert some sort of media from one format to another.