His graduate-level college courses in information security and forensics taught him how to properly preserve electronic evidence so that it is admissible in U.K. courts. For the information from a laptop to be admissible, he says, the hard drive needs to be removed and cloned, and then the clone is examined while the original evidence is left untouched.
But his bosses aren't interested in that. "The process my managers want me to follow is inappropriate," he says -- namely, they advise him to skip the cloning step and examine the hard drive straight off. "It's highly unlikely that they would ever be able to bring a successful prosecution [because] they insist on using a practice that would invalidate any evidence obtained as a result."
Daryl is an exception when it comes to legal knowledge among IT professionals. It's more common that the IT manager doesn't know how to correctly preserve evidence, and probably doesn't even know what information might be legally relevant, says Jason M. Shinn, an attorney with Lipson, Neilson, Cole, Seltzer & Garin PC who specializes in electronic discovery and technology issues in employment law.
That's why both in-house legal counsel and HR should be involved in monitoring activity, he advises.
The Conscientious Objector
"Our department philosophy is that if the users fear us, the job gets 10 times harder," says Dan Olson, IT director at Farstad Oil Inc., a Minot, N.D., company with 500 employees. "Fear leads to coverup and spin. When we are trying to find [the cause of] a problem, what we need is the truth."
Fear of IT used to be a problem at Farstad. In the mid-1990s, after a manager caught an employee spending too much time in online chat rooms, IT was directed to monitor employees and report whenever they were doing anything non-work-related on their PCs.
"We had never agreed to that, nor were we consulted on it," Olson says. He mostly ignored the directive, partly because it was never a written policy, but even so, "the next two years were miserable for [IT], as everyone feared that we would assume they were guilty until proven innocent."
At one point, Farstad management became concerned that employees were using IM, a popular communication method among the company's scattered locations, for personal business. A memo cautioning employees about this caused even more upset among them, says Olson. "I remember one time carrying boxes through accounts receivable and people clicking their mice and quickly closing windows as I walked by."
That fear was counterproductive, says Olson. If employees' PCs caught a virus, for example, Olson would have trouble getting them to tell him what they had been doing or what Web sites they had visited.