November 18, 2013
Information technology professionals play a critical role in the operations of virtually all sectors and industries. As they perform their work, they are also held accountable for their conduct by a range of legal duties and obligations. The case of Terry Childs in California illustrates the liability they face when they fail to comply with those responsibilities.
Terry Childs was an information technology professional who worked for the city and government of San Francisco. In an apparent effort to make his role in the city’s technology operations more critical, he attempted to structure operations so that he was the only person who had knowledge of all of the different passwords used by the city’s computer system.
When others became aware of this effort, they ordered Childs to disclose the passwords. He consistently refused. The city then suspended him from his job, and the state of California initiated legal action against him under the state’s computer crime law.
California law makes it a criminal offense to knowingly disrupt the operations of a computer network. Other states, the federal government, and numerous other countries enforce similar laws.
Childs was convicted and sentenced to four years in prison and ordered to pay $1.4 million in restitution. The conviction was upheld on appeal.
The Childs case is extreme as his actions were apparently part of a blatant attempt to make his role essential to the operations of the city’s computer system. His conduct was extraordinary, and there will likely be few who engage in similar conduct.
His case does, however, illustrate a significant source of potential legal liability faced by all information technology professionals. To the extent that intentional conduct by computer professionals results in disruption of computer systems or services, or impedes access to those systems or services, the individuals involved can face legal liability.
The concepts of service disruption and impediments to access have potentially broad scope. For example, one could conceivably argue that the introduction and use of secret surveillance technologies into computer and communications networks constitutes a form of service disruption. Under such an interpretation, it could be possible that the information technology professionals involved in those activities might face liability under existing laws against computer system abuse.
As the role of information technology professionals becomes increasingly significant for a wide range of applications, the legal constraints directed toward those professionals are likely to become more highly visible and significant. Information technology professionals should recognize that laws primarily intended to address abusive conduct undertaken by malicious outsiders are also applicable to the authorized users of the networks to the extent that those users engage in unreasonable or inappropriate activities.