Thursday, October 30, 2008

Liability for Withholding Passwords

Update (6/8/10): Terry Childs was found guilty of one felony count of denying computer services.

Does your company have a clear policy concerning who may receive admin passwords? The city of San Francisco apparently has some problems in this area.

Terry Childs

IT manager Terry Childs was arrested earlier this year for refusing to provide administrative passwords for the city's computer network. The city alleges that he was setting up a network that he could take over remotely and take down at his whim. Mr. Childs claims that the city's policies did not allow him to provide the passwords to his managers and that, once he turned them over to the Mayor, management simply didn't understand the technology well enough to know how to use them.

Apparently out of fear that his release would result in a meltdown of the city's computer network, the judge in the case has set bail at 5 million dollars, as opposed to a lower bail, such as the one million that is common for murder suspects.

Password Policies

While the facts are clearly in dispute, the case demonstrates: 1) the need to thoughtfully consider your password policies and those of companies you are dealing with, 2) the need to have clear documentation available so that others can understand how your systems operate, and 3) the need to consider making sure that your contracts address liability issues related to passwords and access.

For a good article discussing the case, go to www.infoworld.com.