KeyInformationLiability Issues
Key Information
Liability Issues Facing
Managers: Software
Piracy, Proprietary
Databases, and
Individual Rights to
1
Privacy
By: Detmar W. Straub Jr.
Rosann Webb Collins
Information and Decision Sciences
Department
Curtis L. Carlson School of
Management
University of Minnesota
271 19th Avenue South
Minneapolis,
Minnesota 55455
Abstract
Thelegal status of information in its electronic
forms of programsanddata and the rights of individuals to keep private someinformation about
themselvesis not clearly defined in the current
patchwork of old and new legislation on computer-basedinformation. As information usagein
organizations increases, there is a need to
minimize the information liabilities of managers
andtheir organizations.This article identifies key
issues, reviews relevant laws, andhighlights implications for information managers.The discussion centers on the protection of inteflectual
property rights concerning programs and data
andthe protection of individual rights to privacy
of information stored in computer-based
systems.
Specific methods can help an organization
establishing satisfactory legal postureto deal with
these issues.
1Funding
for thisworkwasprovided
by the Councilon
Library
Resources.
Keywords: Legal aspects of computing, protecting the information resource, copyright infringement, software piracy,
proprietary databases, commercial
databases, intellectual
property
rights, individual rights to privacy, informationliabilities
ACMCategories: K.4.1, K.5, K.5.1, K.5.m
Introduction
As organizations
become more information-intensive, managersfind themselves in a
fascinating but baffling world of sophisticatedinformation technologies(IT). It is a world increasingly characterized by technological advances
that stimulate exponential increases in knowledge, complexity, and turbulence (Huber, 1984;
Straub and Wetherbe, 1989).
Duringthe first three decadesof computerization,
the IT environment was muchsimpler. Programs
and data were internally producedand centrally
managed. Today, however, knowledge workers
mustlook beyondthe firm to satisfy their information needs. Developmentssuch as executive
information systems, computer networks, electronic bulletin boards, and end-user computing
demonstratethe scopeof this change. Also indicative of this transformationis the needof top
managersfor information external to the organization (Jones and McLeod, 1986; Sprague and
McNurlin, 1986). Table 1 showsthis diversity of
information and programsnowincluded in organizational information systems.
In responseto this technological change, laws
concerning information use have also undergone
dramatic change. Unfortunately, the evolving
legal environment has becomea patchwork of
newandreappliedlawsthat offer little clarity on
underlying issues. While public awarenessof the
vulnerability of information systemsto misuseis
periodically aroused by media coverageof specific incidents,there is a lack of persistentinterest
in this issue (Hoffer and Straub, 1989). To compound the problem, no broadly held ethical
framework for proper use of computer systems
exists.
Eventhough this environmentis ill-defined and
turbulent, organizations are still liable for the
MIS Quarterly~June
1990 143
KeyInformationLiability Issues
Table 1. Information Commodities
Commodities
Data,Text,
Images
Programs
DataFileson
Employees,
Customers,
etc.
Internal
Company-Owned
Correspondence
Commodities or Produced
Programs
Company-Owned
or Produced
Graphics
Commercial
Programs
-- Lotus1-2-3
--dBase
Ill Plus
External
-- dBase
Commodities programs
Public Domain
Programs
-- Freeware
Commercial
Data
-- DowJones
-- Graphics
Libraries
-- Dialog,BRS,
Medline
Public Domain
Data
-- Census
Data
misuse of information; management
is therefore
responsible for protecting the information resource. There is evidencethat the potential for
legal liability frommisuseis significant. Civil and
criminal suits for computer-relatedmisuseof information are on the rise, a trend that highlights
the extent of the problem.
This article identifies key issues andlaws relevant to information use in organizations and proposes specific methodsfor dealing with legal
liability.
Central amongthese recommendations
is the creation of a high-level committeeresponsible for setting policy and establishing specific
proceduresthat reduce the risk of information
liability.
Managerial Responsibility
for InformationLiability
In the past decadeor so organizations have been
held liable for improperuse of information technology and will undoubtedlybe subject to suits
in the future. Theincreasingthreat of liability from
improper use of information technology is indicated by the growth in numbers of computerrelated lawsuits from about 600 in 1981to 3,500
by mid-1984. Manyobservers expect the recent
court decisions have set precedents that will
engendera flood of lawsuits by individuals or
companiesin situations similar to those in the
144 MIS Quarterly/June
1990
precedent-setting cases (Goldstein, 1986). This
trend is also reflected in the growingsophistication of attorneys, prosecutors, andjudges in computer-related civil and criminal cases. The National Center for ComputerCrime Data (BloomBecker, 1988); for example, indicates that the
proportion of cases in somestates referred on
to prosecution tripled between1987 and 1988.
IS managershave had and will continue to have
oversightresponsibility for informationliability. IS
managerswho have failed to secure computerbased information have beenheld both accountable by the organizationandlegally liable (Bequai,
1984; Brickman, 1983; McKibben,1983). In some
organizations this responsibility is an explicit
charge. In others, becauseIS managersare the
corporate officers with the most extensive and
most intimate knowledgeof systems, programs,
and data, top management
looks informally to IS
to monitor policy and legal issues dealing with
information and computersystems(Freed, 1969).
To achieve these ends, IS managers maywork
closely with organizational legal staff in developing organizational policy for information technology use. IS managementresponsibility
also
extends to dissemination of the approvedinformation policy to the organization. For these
reasons, IS managersmust be aware of the legal
liabilities that can incur as a result of internal
misuse of data and programs.
General managers,too, have a responsibility to
protect information. Trends such as end-user
computing, the downsizing of computerapplications to departmental or end-user systems, and
increased access to external and corporate
databases dramatically increase the risk of
misuse of computer facilities
and resources.
Given the decentralization of information resourcesthat are reflected in these trends, it is
clear that general management,as well as IS
management,
will needto be better versed in the
possible negative legal consequencesof using
computers.
Three main areas of concern for all managers
are: (1) howto provide functionality while respecting the intellectual propertyrights of external program creators; (2) how to acquire and utilize
external information without violating licensing
contracts or infringing on copyrights; and(3) how
to collect and disseminate information on individuals while respecting individual rights to
privacy. This article outlines these three primary
KeyInformation
Liability Issues
sourcesof informationliability andrecommends
effective methods
for achievinga satisfactory
legal posture.Eachareaof concern
is illustrated
witha scenariodepictinga situationthat is typical
of whata manager
will face nowor in the future.
In eachscenario,the organizationandits managersareexposed
to significantlegalliability; i.e.,
civil lawsuitscouldbesuccessfully
pursued
to the
detriment of the organization by softwareand
databasevendorsor by private parties.
In addressing
theseissues,the intent is to confine the discussionto three majorproblems
that
confront managers.Unquestionablythere are
manyother circumstances
in whichthe organization canbeheldlegally liable for misuse
of information.Organizations
canbeheld legally liable
whenthey sell inaccurateinformation,especially whenthis informationis a primaryproduct,as
in the caseof online databases
or expertsystems
(Mykytyn,et al., 1990). Jeppensen-Sanderson,
Inc., a U.S.air navigationchart maker,for example, washeld liable for inaccuraciesin its maps
(LaPlante, 1986). Discussionof problemareas
like these, however,lies outside of the domain
of this article.
The Current Status of Ethics
and the Law
Therewouldbe less needfor an exactinglyclear
legal environment
if a long-standing
well-established set of ethics governed
the numerous
transactions betweenprovidersof informationproducts and consumers.
Concernsabout violations
of intellectualpropertyrights andindividualrights
of privacy are importantprecisely because
there
are no clear-cut ethical frameworks
in the computing professionsor in the workplace
to guide.
conduct. While both the ACMand DPMA
have
adoptedcodesof professional conductand the
curriculum committeesof those organizations
recommend
inclusion of ethics in coursework,
manyschoolsstill do not teachcomputer
ethics
(Couger,1989). Moreover,two national studies
haveestablishedthat few companies
provideemployeeswritten guidelineson "technoethics"
(Bequai, 1987). TheNational Association of Accountantsfoundthat only 52 percentof the companies surveyedhad guidelines on the use of
computers,
andof theseonly 22percenthadwritten guidelines(Bequai, 1987). TheEducational
Fundsfor Individual Rights foundthat over 90
percentof the companies
had no guidelines on
ethical use of computers(Bequai,1987). While
a written codeof conduct
doesnot carry the force
of legal sanction, sucha codedoesmorethan
define whatis right or wrong:it reducesthe
possibilities of ethical conflicts (Parker,1988).
Thereis also the same
lack of clarity in the law
of informationuse, whichhasevolvedpiecemeal
overthe last three decades.
Althoughrecentpublicity aboutcomputer
viruses andother computer
abuseincidents mayhave served to heighten
generalsocial awareness
of the potential dangers
associatedwith useof computers,
the lawin this
areasremainsin a formativestage. Theprivacy
of electroniccommunications
is a casein point.
In the legislative history of the ElectronicsCommunicationsPrivacyActs, critical distinctions
were madebetweenforms of information. The
1968act covered only voice communications,
havinga legislative intent whichspecifically excluded digital communications
betweenhumans
or computers.The1986act, though,explicitly
includeddigital, data, andvideocommunications
andhada sectiondevotedto electronic mail issues.Because
the 1986act still makes
distinctions amongforms of communication
basedon
differences in technology, each newcommunication technology
will requirerevisionof the law
(Burnside,1987).Theprivacy law for electronic
communications
is adequateonly until the next
technologicalinnovationoccurs.
In sum,the law is fragmented,and public concern over real andpotential computer
abuses
has
not coalescedinto widely held societal norms.
Ideally boththelawandethicsin this areashould
reflect generalsocial valuesandshouldinteract
to guidepractice (McFarlan,1988),but this has
not happened.
Managers
responsiblefor information usein an organization,therefore,mustdevelop an understandingof the current, albeit
ambiguous,
legal contextin order to proactively
respond
to identifiableliabilities.
Protection of Intellectual
Property Rights
Thefirst facet of informationliability of concern
to managers
is intellectual propertyrights. By
1789the Founding
Fathershadput into law a way
to protectoriginal worksthat areessentiallycreations of the intellect. Thepurposes
of this constitutional provision wasto allow creators of
original worksto enjoydueeconomic
returns. In
Article I, Section 8, the U.S. Constitution
MIS Quarterly/June 1990 145
KeyInformation/Liability
Issues
authorizes Congressto "promotethe progress
of scienceanduseful arts by securingfor limited
timesto authorsandinventorsthe exclusiveright
to their respective writings and discoveries."
Fromthis foundation,U.S. law guaranteeing
intellectual propertyrights hasevolved.
Whereasstatutes and case law surrounding
tangiblecreations(like inventions)andworks
original authorship(like literary expression)
have
stabilized in recentyears,a greatdeal of uncertainty still surrounds
the applicationof existing
law to computerized
informationthat is, by its
very nature, electronic in form. Creationssuch
as programsand databasesallow manipulation
or compilationof informationin newwaysthat are
useful to societyandshould,hence,beprotected.
Yetit is unclearhowsuchprotectioncancontinue
to be providedin a rapidly evolvinginformation
society. Currentlegal systemsandconceptssuch
as copyrights,patents,andtradesecretsprovide
only limited guidelinesfor the legal useof the
electronic information commodity
(Federal Library andInformationCenterCommittee,
1986).
Some
observerscontendthat specific computer
crimelegislation is not requiredandthat education of judgesandlawyersaboutcomputers
will
result in appropriateextensionof lawscovering
informationin moretraditional forms(VVharton,
1984).J urkat(1986)disagrees,arguingthat case
law andthe extent of computercrime showthat
specific legislation is needed.Thereis evidence
that the courtsare hesitantto automaticallyextendprotectionof information
in print formto that
in electronicform,especiallyfor statutesconcerning theft andinvasionof property.Computer
informationoften doesnot fit within the definition
of propertysinceit is separatefromthe medium
uponwhichit is stored(i.e., not tangible)and
doesnot needto be removedfrom the owner’s
possession
to be useful to someone
else. For example,in Wardv. SuperiorCourt of Cafifornia
(1972), the court foundthat intangible magnetic
impulsesdid not constitutean article that could
be stolen. In People v. HomeInsurance Co.
(1979)the Colorado
Supreme
Courtruled that the
accessto medical records over the phonewas
not theft becausethe records never left the
hospitalfile room.
Moreover,inherentcharacteristics of computerbasedinformation and programsmakenewlegislation difficult to specify.Machine-readable
information
is leaky,i.e., difficult to control.It is also
synergisticin that combinations
of piecesof in146 MIS Quarterly~June1990
formation maybe morevaluable than any piece
in isolation; irreversible,in that onceit is known
by an individual it is not easily returnedlike a
stolen or borrowed
physical item; andsharable,
in that morethan one personcan use the same
informationresourceat the sametime (Dreyfuss
andLeebron,1986).Informationin its traditional
forms has been viewed as both an economic
commodity
anda societal resource. Thereis no
consensuson howto measurethe value of informationor evaluatevalueaddedto an information-basedproductor service.
Bodiesof law that applyto the protectionof intellectual propertyrights are copyright,patent,
contract, andtrade secret law. Whileeachhas
limitations in dealingwith informationas a commodity, all providegroundwork
for the information managerin setting policy. Twocommon
areasof potential misuseof the informationcommodity,softwarepiracy (or unauthorized
copying
of software) and the downloading
of data from
commercial
databases,are usedhere to explore
the applicationof copyright,patent,contract,and
trade secret law to the use of information by
organizations.
Intellectual propertyrights and
softwarepiracy
Scenario
1. MaryMiles, the nutritionist at
Hilton Hospital,wasextremelypleasedwith
the diet analysis program
Nutri-7 shehad
downloaded
from the local bulletin board
system.MaryhasseenNutri-7for saleat the
vendor’sexhibit at last month’sconference
andknewit wouldbe useful for her weekly reports on the cafeteria andpatients’
menus.Evenwithout the manual, it was
easyto use. Maryenthusiastically recommended
the packageto other Hilton nutritionists andsharedcopieswith themvia the
intra-hospital network.
Employeeswhopirate software, such as Mary
Miles, place both themselvesand the organization at risk. Theorganizationincurs a potential
¯ liability if employees
gobeyond
the limits of the
law and infringe on the copyright of the owner
of the program.Theorganizationcould be held
liable for suchinfringementsundercertain conditions, such as management
knowledgeof an
infringement.It wouldalmostcertainly be held
KeyInformation
Liability Issues
liable if it in anywayaidedthe infringement
(Nimmer and Geller, 1988). Evenwhenmanagement
has no knowledge
of the infringement,the organizationmaystill beheldliable if it hadtheright
andability to controlthe activity that results in
infringementandhad somefinancial interest in
the infringing act (Hal RoachStudios, Inc. v.
RichardFeiner & Co., 1984).
Softwarepiracy, whichincludesboththe duplication of commercially
available softwareto avoid
fees and the unauthorizedcopyingof an organization’s owninternally developed
programs,is
a majorproblemtoday. Industrysourcesestimate
the lossesfrompiracy of commercial
softwareat
ov~er$1billion peryear,andmany
fear that rapidly increasinglosseswill threatenthe financial
viability of the wholesoftwareindustry(Bequai,
1987).
Of the legal issuesdiscussed
in this article, the
law and legal precedent concerningsoftware
piracy appearsto be the moststraightforward.
As wasclearly the congressional
intent, the 1976
CopyrightAct (17 U.S.C.101) definedworks
authorshipthat couldbe copyrightedin sucha
wayas to include computerprograms
fixed in a
tangible medium
(Beheshtian, 1988). The1980
revisionsto the CopyrightAct provideanexplicit
definition of a computerprogramas "a set of
statements
or instructionsto be useddirectly or
indirectly in a computer
in order to bring about
a certain result" (17 U.S.C.101)andalso establish tha the ownerof a copyof a programcan
copythat program
for archival purposes
and for
use, suchas in makinga copyonto a hard disk
(17 U.S.C.117).
Whilethere is still somedisagreement
in the
literature over the coverageof computerprogramsby copyright(especiallymicrocode),
recent
cases have supported such coverage across
types and aspects of computerprograms.The
disagreement.centers
on whethercomputerprogramsare either expressionsof an idea or the
ideaitself (Steinberg,1987).Thisdistinction
importantbecause
ideasare specifically excluded fromcopyrightprotection(17 U.S.C.101-102).
Thecourtshaveruled that evennon-literal elementsof a program,
suchas the program’sstructure, sequence,
andorganization,are protected
by copyright (WhelanAssociatesInc. v. Jaslow
DentalLaboratoryInc., 1986). Apple Computer
Inc. v. Franklin Computer
Corp. (1983) established that programs
in object code,programs
imbeddedin ROM,and operating systemsoftware
are coveredby the CopyrightAct. In NECCorporationv. Intel Corporation
(1989),a California
state court ruled that microcode
is copyrightable
eventhoughin this specific caseNEChad not
infringedonIntel’s copyright.Thecourt foundin
this casethat the similarities in the programs
underquestion were imposedby the microprocessor and hardwarearchitecture and werenot
a violation of copyright (Yochesand Levine,
1989).
Until the 1980s,computer
softwarewasnot consideredpatentable.In Diamond
v. DiehrandLutton (1981), however,the Supreme
Court ruled
that computerprogramsare patentable if they
meetthe tripartite criteria of beingnovel, unobvious, anddefinedin termsof the physicalelementsof a computer.Patents provide strong
protection because
they can be infringed by the
independentdevelopmentof equivalent programs,evenif thesedevelopment
efforts do not
produceexactcopies. Thepatentingof software
is increasingdespitethe drawbacks
of securing
a patent, i.e., considerable
expense
andthe full
disclosurerequirement,whicheliminates trade
secret protection (Jakesand Yoches,1989).
Contracts are often used to supplementthe
copyrightandpatent protectionof intellectual
property rights for computerprograms.Using
contract law to protect programs
hasthe advantageof flexibility in that well-writtenagreements
canbe tailored to governthe useof programs
by
interestedparties (Lautsch,1985).For example,
the arbitrationorderthat resolvedthe IBM-Fujitsu
dispute over use of operating systemsoftware
wasbasedon prior contractual agreements,
not
onthe copyrighted
status of the operatingsystem
(Software
Protection,1987).In the caseof SAS
Institute, Inc. v. S&H
Computer
Systems
(1985), the
court ruledthat S&Hhadviolatedits licensewith
SAS
by preparinga derivativeversionof the statistical programfor VAXcomputers.
Tradesecret law has also beenusedto protect
programs
becauseit canprotect ideas, information, andinnovations.Oftentrade secretprotection and copyright protection are usedsimultaneously for computer.software (Greguras,
1987). Tradesecret lawsare state lawsthat do
not require disclosure (as with a patent)
registration, but theyare enforcedby both state
andfederal courts(Lautsch,1985;Mylott, 1984).
U.S. courts have rules that even widely distributed computerprograms
do not forfeit trade
secret status whenthe license agreement
places
MIS Quarterly/June 1990 147
KeyInformation
Liability Issues
restrictions on useanddisclosureby the recipients (OECD,1988).
Intellectual property rights and
downloadingto databases
Scenario
2. At mostof the 50 hospitals in
the Hilton Hospitalgroup,there is active
researchon the preventionandtreatment
of diabetes.Dr. JohnPeters,a medicalinformationspecialist in CorporateInformation Services,knewthat the doctorsneeded up-to-dateinformationon the research
of other Hilton doctorsandfromthe medical community
at large. Dr. Petersset up
a diabetesdatabaseon the inter-hospital
networkandpopulatedthe databasein two
ways. All Hilton doctors reported their
researchfindings via entry into the database; in addition, eachweekDr. Peters
downloadedfrom the commercialdatabase, Medline,all citations on diabetes.
Theresearchers
at all the Hilton Hospitals
are enthusiastic users of the diabetes
database.
In this scenario, the long-term retention and
disseminationof informationcollected fromexternal sources--theresearchdata from Medline
along with internally created information-createsa potential informationliability for the
hospital. Lawsand legal precedentconcerning
the useof external informationare evolving as
moreand moreinformation becomes
available
online. Because
the lines betweenfair and unfair use of this information are not precisely
drawn,
this is anareaof potentialliability for the
organization.
Theterm "downloading"
generally refers to the
retrieval andindependent
useof informationfrom
external sources.Examples
of downloading
includecapturing bibliographic databaseseamhes
in machine-readable
form for later use. Usage
mayinclude editing andreformatting of search
results, combination
of searchresults with other
information,and/orinclusionof this information
in users’ personal databases. Subsequent
searchesof personaldatabases
rather than vendors’ online databases
result in savingsfor users
and loss of revenuefor databasevendors.
148 MIS Quarterly/June 1990
The ease with which downloadingcan be accomplishedcausesconcernfor publishers and
distributors of bibliographicinformation.2 Four
factors influencehowdata-base
distributors perceivethe downloading
of their information:(1) the
numberof databasesfrom whichinformation is
downloaded;
(2) the extent of value-added
reformattingor editing; (3) thedistributionof information to multipleusersor sites; and(4) the length
of retention of downloaded
information(Bysouth,
1985).
Existing U.S.copyrightlaw doesnot specifically
identify databases
as copyrightablenor are they
coveredin the international BerneandUniversal CopyrightConventions.
Thereare conflicting
interpretationsof the U.S.CopyrightAct concerning regulationof the useof electronic information, and "muchuncertainty surrounds the
questionof whichpracticesare legal, ethical, and
safe" (Demas,1987, p. 70). Someargue that
although bibliographic references are not
copyrightable,bibliographicdatabases
are clearly compilationsfixed in a tangible medium
and
thus covered(17 U.S.C.101; Weil andPolansky,
1986).
Lawand legal precedent are not clear as to
whetherthe retentionanddistribution of the diabetes databasedescribedin the scenariois an
infringement. Sucha database maybe considereda compilation,andthe CopyrightAct permitsa separatecopyrightfor a collectionof works
by others whenthe compiledwork constitutes
"an original workof authorship"(17 U.S.C.103).
But two recent court cases, RandMcNallyand
Company
v. Fleet Management
Systems(1986)
and WestPublishing Companyv. MeadData
Central (1986)appearto contravenethis interpretation. In thesecases,the courts ruled that
the inclusionof substantialcopyrightedmaterial
in a computer
database,evenif that information
is physicallyrearranged,
constitutesaninfringementof copyright(Koeni9, 1986).In the Westv.
MeadData Central case, WestcontestedMead’s
proposedinclusion of pagereferencesto West
legal referencebooksin Mead’sLEXISdatabase
since pagereferencesare a uniquearrangement
of cases, and therefore copyrightable (West
2 The
same
concern
is notfelt for thelaborious
copying
byhand
of bibliographic
information
fromvarious
printindexes
onto
notecards
for a personal
reference
file.
KeyInformation
Liability Issues
Publishing Companyv. MeadData Central,
1986). After lengthy state and district court
lawsuits andinjunctions prohibiting Mead’suse
of Westpagereferencesin LEXlS,the casewas
settled by a licensingagreement.
Whilethe terms
of the licensewerenot disclosed,Westofficials
reported a "sizable" fee waschargedMeadfor
the arrangement(Oberdorfer, 1988). Although
the settlementwithholdslegal opinion,the willingnessof Meadto license West’sarrangement
andthefact that the injunctionitself wasnot successfully challenged
tend to supportthe conservative view that databasesar.e copyrightable.
Therefore,substantial, unauthorizeddownloading froma commercial
copyrightedvendor,even
if that informationbecomes
part of a newcompilation, canbe consideredan infringementof
copyright (Mika and Shuman,
1988).
It is importantto add,however,
that downloading
of information for somepurposesmaybe legal.
TheFair UseExceptions
to the CopyrightStatute
of 1976state that "fair useof a copyrighted
work,
includingsuchuse[as]... reproductionin copies
or purposessuch as criticism, comment,news
reporting, teaching,scholarshipor research,is
not aninfringement
of copyright"(17 U.S.Co
107).
Fair useis establishedby the courtsandsubject
to the assessment
of relevant circumstances
and
fair useexceptions
by the court. Fourcriteria for
fair useare: (1) the useis for non-commercial
purposes;(2) the useis congruentwith the nature
of the medium;
(3) the amount
of material copied
fromthe original is not substantive;and(4) the
use doesnot damage
the marketfor the original
.work. For example,
downloading
for scientific or
researchpurposes,without long-termretention
of datafor reuse,is usuallyconsidered
fair use.
If files are transferred to create a personal
databaseandto avoidonline charges,downloading is illegal unlesscovered
by a specialarrangement betweenthe database owner and subscriber (Mika and Shuman,
1988).
In spite of the fair use criteria, inclusion of
downloadeddata in the diabetes database
scenariomaystill createaninformationliability.
Whilefair useis alwaysdetermined
by the courts
in individualsuits, the situationdescribed
in the
scenariois a researchendeavor
for non-commercial purposes
that doesnot copymostof the Medline databaseand does not damage
Medline’s
market(searchescontinueto be madeweekly).
Othercorporateuseof external data couldalso
befree fromliability. Asuseof externalinformation changesfrom the public domainto the domain of commercialprogramsand data (see
Table1), the chanceof incurring an information
liability increase.Downloading
andretention of
data from public domaindatabasesis clearly
legal, andthe censusdatabases
providedby the
government
havebeenwidely usedin this way.
But someuseof value-added
external data, such
as the downloading
andretention of the entire
full-text druginformationdatabases
fromDialog
for useby the Hilton Hospitalpharmacy,
with the
intentionof eliminatingfuture online searches
of
the database,wouldnot likely beconsidered
fair
use.
Inasmuch
as existing copyrightlaw and fair use
exceptionsare opento interpretation, contracts
havebecome
the preferred methodfor specifying terms and conditions for sale and use of
bibliographic information (Duchesne,
1986).
chain of parties is involved in the creation,
distribution, anduseof bibliographicdatabases,
including information providers, databasevendors, communications
networks,andusers (both
intermediaryanddirect users). Contractsgovern
transactionsat eachlink in the chain. Contracts
betweenusers anddatabaseproducersoften include clauses that prohibit any form of
downloading
fromdatabases
withoutspecific written consent,althoughthe producers
usually give
their permissionto download
for legitimateuses
(Demas,1987).
Becauseof such contracts betweendatabase
vendorsand subscribers, someargue that the
issue of downloading
froma centralizeddatabank
has beensettled (Garman,1986). A survey
databasevendorsmade
by the majorinformation
industryperiodicalOnlinein February
1986found
that mosthavea written downloading
policy for
subscribersand that "fair use" downloading
is
acceptableto nearly all database
vendors."Fair
use" wasdefined in the survey as downloading
informationfor one time useby or for oneperson. A majorreasonthe vendorsare willing to
acceptthis practice is that 87 percenthaveinstituted per-recordcharges.Theremainingunsettled issue concernsonly downloadingfor
multipledistributionor the retentionof downloaded data (Garman,1986).
MIS Quarterly~June 1990 149
KeyInformation
Liability Issues
ProtectingIndividual Rights
to Privacy
Scenario3. Researchon the prevention
andtreatmentof AIDSat Hilton Hospital
hadreceiveda lot of publicity from the
media.In a NewYork Timesarticle, Dr.
Judith Williams of Hilton Hospital noted
howthe computerization
of the recordsof
all patientsreceivingAIDStests andAIDS
patients’ histories helpedin understanding
commonalities
and differences in disease
symptoms.
LarryLitton, the Hilton personnel director, readthe article andthereafter
routinely usedthe databaseto screenout
job applicants whohad had an AIDStest.
Formany
people,the invasionof privacydescribed
in this scenario
constitutes
their greatestfearabout
the misuseof computer
technology.Thereis considerableconcernbecause
technologicalimprovementsgreatly increasethe capacityandeconomy
of storing andretrieving massive
amounts
of personal information in centralized databases.A
specific "right of informationprivacy,"whichextends the privacy of personal conductto data
storedabouta person,has beenadvanced,
namely that individualshavethe right tO exercisecontrol over the collection, storage,use,dissemination, andaccuracyof informationstored about
them(Freedman,
1982). Mason
(1986) identifies
four critical areasthat shouldbeprotectedby information
policies:(1) anindividual’sright to keep
dataabouthimor herselfprivate;(2) anindividual’s
right to assure
that it is accurate;
(3) anindividual’s
right to maintainownership
of it; and(4) anindividual’s right to haveaccessto it. Sincemost
organizationscreatefiles on peoplesuchas employeesandcustomers,attention shouldbe given
to the privacyrights of suchindividuals.
Thecomputer’suniquecapabilities for matching
andstatistical inferenceon large databases
increases
the threat to individual privacy. Computer
matchingis the electronic comparison
of two or
moredatabases
to reveal informationthat is commonto both data sets. Suchmatching
createsnew
information.A matchof draft registrationagainst
drivers’ license registration databases,for instance, mayidentify maledrivers whohavenot
registeredfor the draft. In government
suchmatching procedures
are limited by OMB
guidelines,but
150 MIS Quarter/y/June 1990
the" routine use" exemption
of the 1974Privacy
Act is widelyemployed
by agenciesto allowdisclosureof recordswithoutwritten consentof individuals (U.S. Congress,
OTA,1986).Surveys
determinethe extent of computermatchingproduceinconsistentresults: agenciesreported700
matches
between
19~80-1985
to the OTA,while the
OMBrecords showedonly 56 matchesbetween
1979-1984(Regan,1986). TheOTAstudy estimates
that over7 billion recordswerematched
during this period(Regan,1988).NationalSecurity
DecisionDirective145,in fact, acknowledges
the
threat fromsuchmatchingprocedures
andpermits
classifying documents
or recordsto preventelectronic combination(Simpson,1987).
Nor do statistical databases,whichare intendedto protectthe privacyof individualsby permitting queriesonlyon setsor groupsof individuals,
adequatelypreventinvasionsof privacy. As Denning, et al. (1979)prove,a very limited number
of relatively unsophisticated
queriescanelicit informationabouta specific personfrom eventhe
largest and mostcarefully securedstatistical
databases.Organizations,therefore, cannotrely on statistical databases
to protect individual
rights to privacy.
Peoplewhofeel their privacy hasin anywaybeen
violated do havelegal recourse. Althoughthe
Constitutiondoesnot explicitly definea right of
privacy, the Supreme
Courthas establishedthis
right by combining
severalconstitutional provisions, as in the Roev. Wade
(1973)decision.
a Supreme
Court case that consideredprivacy
with respect to information, Whalenv. Roe
(1977),the court uphelda New
Yorkstate statute
allowingthe retention of a database
of information aboutindividualswith prescriptionsfor certain classesof drugs.Whilethe court affirmed
that the right of privacyprotectsindividuals’interests in disclosureof personalinformation,it
held in this casethe government
couldmaintain
the information becausethe reasonwassufficiently important(a legitimateinterest in controlling dangerousdrugs) and there wasadequate
protection fromharmfuldisclosureof the data.
Besidestheseinterpretationsby the courts, there
hasalso beenlegislation to protect information
privacy rights of individuals. Lawssuchas the
PrivacyAct of 1974are specifically directed at
government
abuseof the right of privacy. However, it doesnot coverabusein the private sector (Bequai,1987),andthe Office of Technology
KeyInformation
Liability Issues
Assessment
(OTA)hasconcluded
that: (1) federal
agencyuseof newtechnologyin processingpersonal information haserodedthe protection of
the PrivacyAct; and(2) the Office of Management
andBudgetoversight is inadequateevenin protecting basic areassuchas accuracyof records
(U.S. Congress,OTA,1986).
There are legal provisions that address
unauthorizedaccessto customersand consumer
recordsstoredby federallyregulatedfinancial institutions andcredit reporting agencies
(Counterfeit AccessDevice and ComputerFraud and
AbuseAct of 1984, 1984). In addition, some
states haveenactedlawsgranting employees
accessto their personnelandmedicalrecords(Canning, 1984).
Computer
crimelegislation regardingprivacy is
particularlyinadequate.
When
it is covered
at all,
it is only protected underunauthorizedaccess
provisions, whichdo not establish a methodfor
definingprivacy(Jurkat, 1986).Sincethe Privacy
Protection Study Commission
report in 1977, a
number
of bills havebeenproposed
to createan
independent
federal privacyboard,but they have
receivedlittle attention or support(U.S. Congress, OTA,1986).
Unlike WesternEuropeancountries or Canada,
thereis no federal agency
specifically responsible for monitoringgovernment
andprivate-sector
informationPracticesandfor acting as ombudsmenfor individual citizens (Flaherty, 1984).For
example,in Sweden
the 1973Data Act protects
the confidentiality of all personalinformation
systemrecordsin both public and private sectors. (SeeU.S. Congress,OTA,1986,Appendix
F, for a reviewof severalcountries’information
policies and agencies.)
In somecases, abusive practices concerning
machine-readabledatabasesof information
aboutindividuals canbe considered
a tort, that
is, a harmfulact that doesnot involve a breach
of contract andfor Whicha civil action canbe
brought.Theright of privacyin torts is the right
of the individual to be let alone (Warrenand
Brandeis,1890).Thesetorts give individualsthe
right of action againstotherprivate individuals
for invasionof privacy. Particularly relevantto
organizationsthat collect andstore data on individualsis thetort of publicdisclosure
of private
facts, whichcoverssituations in whichprivate
facts are disclosedpublicly andin whichthe informationdisclosedis offensive andobjection-
ableto a personof ordinarysensibilities. If there
is nostatutory coverage
for a particular typeof
personalinformation held by anotherparty (as
thereis for financial andeducational
records),the
individual maynot makea claim concerninguse
of that information
(UnitedStatesv. Miller, 1976).
Thelegal situation for torts dealingwith computerizedinformation
is still unsettled,andchanging technology
will undoubtedly
result in newtorts
or rethinking of old ones(Gemignani,
1981).The
tort of negligentmisrepresentation,
for instance,
has beenapplied in Dun& Bradstreet, Inc. v.
Greenmoss
BuildersInc. (1985).In this case,the
publicationof erroneous
informationinvolvedthe
generation and disseminationof an incorrect
credit report. In court casesin OhioandGeorgia,
moreover,suppliersof computerized
information
wereheld liable for providingerroneous
information (Bequai,1984),andin 1985a police departmentwassuedbecause
of an illegal arrest based
on an inaccuracy in a computerizeddatabase
(Field andSchiller, 1986).
Theproblemof inaccurateinformationaboutindividuals storedin machine-readable
databases,
whichcanbe seenas a potential informationliability for organizations,is not trivial for two
reasons.
First, thereis evidence
that inaccuracies
are widespread.A study of commercialdatabases,in fact, hasfoundthat thereare novalidation or error-checkingprocedures
in one-fourth
of databases(VValton and Durham,1988). TRW
hasprocedures
for client reviewandcorrection
of its databases
andreportsthat of the 1 million
peoplewhoreviewtheir credit files eachyear,
350,000peoplechallengethe accuracyof their
files andabout100,000
files needto becorrected
(Bequai, 1987). A 1980study of the computerized databases
maintainedby the FBI’s Identification Divisionandthree state criminal justice
systems
foundthat only 24 percentof the records
in the FBI systemand between12 percent and
49 percent of the recordsof the state systems
werecompleteand accurate(Caporael, 1984).
Second,
the ability of individuals to detectsuch
errors is limited. Ricketts(1990)hasfoundthat
fewsubjectsin his experiments
wereableto find
evenlarge numericalerrors in computeroutput.
Implications for Managers
A variety of procedures
andpolicies are required
to reducepotentialcorporateinformationliabilities discussed
in this article. Authoritativeopinion
MIS Quarterly/June 1990 151
KeyInformation
Liability Issues
that suchpolicies and procedures
are effective
deterrents of computerabuse(Parker, 1983)
supported
by the results of a surveyof over1,200
DPMA
organizations, which foundthat information aboutpropersystemusageis a key deterrent to systemmisuse(Straub, 1987).3 Themix
of deterrentswill beuniqueto eachorganization,
varying by type and sourceof information commodityandassessed
risk of liability. Studieshave
shownthat thesepolicies are mosteffective when
they include assignments
of penalties and criminal liabilities to employees
whoviolate policies
for proper systemuse (McKibben,1983;Straub
and Nance,1990).
Protectionof intellectual property
rights
In order to providemaximum
accessto data from
commercial
databases
while protecting intellectual property rights of databasevendors,three
specific coursesof action maybe taken. First,
subscriptionsto commercial
databases
shouldbe
centrallycontrolled,not onlyfor economies
of scale
but also for monitoringemployee
useof databases.
Second,contract restrictions on downloading,
retention, anddistribution of datashouldbe provided to usersin a readableand understandable
form.Finally, organizational
informationpolicies
shouldrequireemployees
to abideby vendors’restrictions on downloading,and they should
stipulate penalties for violations of these
restrictions.
Organization-wideadoption and provision of
basicsoftwareapplicationscanhelppreventsoftwarepiracy by members
of the organization,and,
at the sametime, offer economies
of site licensing. A clearly articulatedorganizationalinformation policywill requireapproval
for acquisitionand
useof any softwarenot alreadyauthorized.The
approvalprocessshouldentail proof of purchase
or authorizationfor legitimate use. To prevent
unauthorizeduseof commercial
programsstored
on a network,networksoftwarecancontrol the
numberof users that can executea programand
record attemptsto copyprogramsfrom the net3Although Straub (1987) focused on internal information
liabilities andnot on the external, organization-to-organization
information liabilities,
empirical studies based on the
criminological theory of General Deterrence ~f~ers ample
evidenceforthe efficacyof policies and distributed information.
152 MIS Quarterly/June 1990
work(Boyer, 1988).The"isolation" of software
shouldbe closed, that is, the default condition
shouldbe "NoAccessAllowed"(Aalders,et al.,
1985).
Protection of individual rights to
privacy
Individualrights to privacycanbestbe protected
throughself-regulating policies andprocedures.
Managers
needto follow closely the development
of privacy legislation. A manager
should have
designated
responsibilityfor informationliability, andthat personshouldhavestrong connections with functional areamanagers
(Aalders,et
al., 1985).
As discussedearlier, the useof computer
matching andstatistical inferenceto retrieve personal
informationfromdatabases
is a particular threat
to privacy. Security techniquesmustbe beyond
the technological
internal securitycontrolsof access, flow, inference,andcryptography
(Denning
andDenning,
1979)to policy andtraining that encouragetrust and honestyin employees.
Personal data should be carefully stewarded
throughout
its organizational
life. In thefirst stage
of the datalife cycle, onlyinformation
that is absolutely necessary
shouldbe storedaboutstaff,
customers,andother persons.Individuals should
benotified aboutdatabeingstoredaboutthemand
its intendeduse, andtheir consentobtainedin
writing. Thedisclosureof personaldata, moreover, mustbe carefully monitoredandlimited to
authorizedpeopleusing the data for authorized
purposes.Thequality of the personaldata stored
andaudit trails of sources
anddisclosures
of data
shouldbe assured.Finally, personalinformation
can be deletedfrom the systemwhenthe information is no longer needed(Everest, 1986).
Whereappropriate, a formal mechanism
for reviewandcorrectionof informationmaybe established. In well-managedorganizations, such
administrative
activities will takeplacein anenvironmentof carefully articulated policies and
procedures.
Whileoneof the factors inhibiting policy making
in this area maybethecost and time required
for policy development,
there is evidenceof the
benefit of suchpolicies. AT&Tspent two years
developing
a policy that specifiesuniformpolicies
andpracticesonthe collection, storage,internal
KeyInformation
Liability Issues
use, andexternal disclosureof employee
information. Thepolicy, which includes a Codeof
Ethicsfor all employees,
is a voluntaryadoption
of fair information
practicesof the FederalPrivacy
Act of 1974(Canning,1984). Suchpolicies have
beenupheld by the courts. For example,the
courtssupported
the rights of Detroit Edisonand
NewJerseyBell to refuse the disclosureof employeeinformationto unionsbasedonrestrictions
in the companies’
carefully wordedprivacy policies (Finner, 1986).
Thesecasesillustrate the importanceof behaving in an anticipatorywayto informationliability
issues. Policy shouldbe morethan a reaction to
existinglawsandcasesor a checklistof requisite
procedures.It shouldbe basedon a technoethical frameworkthat addressesthree key issues:
1. Original worksof authorshiphavea sanctity
that protects their use andeconomic
rewards
to the originators
2. Majorchangesin expressionare required to
makeinformation acquiredfrom others a new
and legitimate "value-added"creation
3. Theright of information privacy should be
respectedand ensuredwith informedconsent
fromindividuals
Needfor heightened awareness
by IS and general managers
It behooves
IS managers
to be awareof the legal
environment
within whichtheir informationsystemsoperate, especially thoseareasthat pose
significant, probablerisks for the organization.
Some
of thesecircumstances,
in point of fact, are
goingto fall outsideof their managerial
control;
nevertheless,
knowledge
of the potentialliability
canallowIS managers
to disseminate
this informationto top management
and help the organization avoidcostly lawsuits. IS managers
should
seethemselvesas the key actors in monitoring
the changinglegal environment,assessingorganizationalrisk, coordinatingwith legal counsel,
and disseminating
information. IS professionals
haveboththe mentalmodelof the organization’s
information systemsand an understandingof
whatfunctions are technologicallypossible.
It is critical that general management
also
understands
the natureandpotential scopeof information
liability andthat it actsto limit organizational exposure.
Twospecific kindsof actionsare
needed:
(1) the establishment
of a high-levelcommitteeto monitorthe issueanddevelop
policy and
(2) the formulationof policies for all employees.
Committeemembers
should include IS management, legal staff, representativesfrom human
resources,andtop management.
Thepolicy seeking to limit information
liability should
behighlyvisible and widely disseminated.At the start of
employment,
eachemployee
shouldbe trained on
corporateregulationsonthe appropriateandlegal
usesof informationandinformationtechnology.
Employees
shouldcertify in writing their understandingand acceptance
of the policy. Periodic
retrainingof all employees,
inclusionof guidelines
in employeehandbooks,and discussion of new
andcontinuinginformationliability issuesin corporate communications
all serve to underscore
andmaintainthepolicy. It is particularlyimportant
that anyoffensesandresultingdiscipline bemade
knownthroughoutthe organization.Theseandthe
previoussuggestionsfor managing
information
liability are summarized
in Table2.
Valueof legal counsel
Whilethe legal postureof anysingle organization will differ fromcaseto case,whatis commonamongorganizations is the need for
managers’awareness
of the possible legal implications of their andtheir employees’
actions.
Suchawareness
of potentialliabilities shouldpromoteseekinglegal counselwhowill be able to
addressthe specifics of the caseenvironment
and the development
of suitable policies.
Theanalysisof keyareasof informationliability
in this article is only intendedto increasethe
awarenessof IS managers
and general management.It mustbe notedin the strongestpossible
termsthat this analysis is not intended as a
substitutefor legal counsel.Legalcounselshould
be retained for a variety of reasons.Theexact
statusof thelegal liability of a givenorganization
will behighly situation-specific;local andstate
lawsmaybeapplicableas well as certainindustry
regulations.Theorganization’s
legal advisorswill
be in the bestposition to assessthis liability.
Legalcounselwill also be invaluablein drawing
up internal policies that can reducethe legal
culpability of the organizationin casesof informationliability. Finally, legal counselcanhelp
keepthe organizationup to date on the expected
changes
overtimeof court interpretationsin this
area.
MIS Quarterly/June 1990 153
KeyInformation
Liability Issues
Table 2. Summary
of Organizational
Responses
to Limit InformationLiability
Overall Recommendations
for IS and
General Management
¯ Encourageheightened awareness of
potentialinformation
liabilities
¯ Establish a committee:
-- to monitorlegal developments
in this
area
-- to formulate policy for the
organization
-- to assuretraining in andenforcement
of the policy
¯ Seeklegal counselwheneverissues of
information
liability arise
Protection of Intellectual Property
Rights
¯ Adoptsoftwareon an organization-wide
basis wheneverpossible
¯ Requireauthorization for use of nonstandardsoftware
¯ Install networks
that limit useandcopying of software
¯ Establishcentralcontrolof subscriptions
to commercialdatabases
¯ Provide user training on contractual
limitations of use of databases
¯ Establishspecific penaltiesfor misuseof
software and databases
Protection of Individual Rights to
Privacy
¯ Encouragethe developmentof trusted
employees
throughpolicies and training
¯ Manage
personaldata throughoutits life
cycle
References
Aalders,J.C.H., Herschberg,
I.S. andVanZanten,
A. Handbook
for InformationSecurity(2 vols.),
North-Holland, Amsterdam,
1985.
AppleComputer
Inc. v. Frank/in Computer
Corp.,
714FederalReporter2d, 1983,pp. 1240-1255.
Beheshtian,M. "Computer
CopyrightLaw," Journal of SystemsManagement
(37:9), September
1986,pp. 6-11.
Bequai,A. Computers
+ Business= Liabilities:
A Preventive GuideforManagement,
Washington Legal Foundation,Washington,DC,1984.
154 MIS Quarterly/June 1990
Bequai,A. Technocrimes,
LexingtonBooks,Lexington, MA,1987.
BloomBecker,
J. ComputerCrime, ComputerSecurity, Computer
Ethics, National Centerfor
Computer
CrimeData, Los Angeles,CA, 1988.
Boyer, H.A. "Using Softwarein ComputerNetworks:AvoidingLiability for Copyright
Infringement,"JurimetricsJournalof Law,Scienceand
Technology
(28:3), Spring1988,pp. 275-288.
Brickman,B.K. "TheCorporateComputer:A Potential Timebomb,"
FinancialExecutive(51:4),
April 1983,p. 20.
Burnside, R.S. "TheElectronic Communications
PrivacyAct of 1986:TheChallenge
of Applying
Ambiguous
Statutory Languageto Intricate
"Telecommunication
Technologies," Rutgers
Computer& TechnologyLawJournal (13:2),
Winter 1987, pp. 451-517.
Bysouth,P.T. "StoneTabletsto FloppyDisksand
the Questionof Downloading,"
JournaloflnformationScience(1.1:3), 1985,pp. 139-142.
Canning,H.W.W.
"Protection of PersonalDatain
’the UnitedStates," TheInformationSociety
(3:2), 1984,pp. 113-130.
Caporael, L.R. "Computers,Prophecy,and Experience:A Historical Perspective,"Journalof
SocialIssues(40:3), Fall 1984,pp. 15-29.
Computer
SoftwareCopyrightAct of 1980.94Stat
3015,17 U.S.C., 1980.
CopyrightStatute of 1976.17 U.S.C., 1976.
Couger,J.D. "PreparingIS Studentsto DealWith
Ethical Issues," MISQuarterly (13:2), June
1989, pp. 211-218.
Counterfeit AccessDevicean~l ComputerFraud
andAbuseAct of 1984.18 U.S.C., 1984.
Demas,S.G. "Copyright and Legal Considerati0ns," in PublicAccess
Microcomputers
in AcademicLibraries, Howard
Curtis (ed;), American
Library Association, Chicago,iL, 1987, pp.
59-79.
Denning,D.E. andDenning,P.J." DataSecurity,"
Computing
Surveys(11:3), September
1979,pp.
227-249.
Denning,D.E., Denning,PoJ.andSchwartz,M.D.
"TheTracker:A Threatto Statistical Database
Security,"ACM
Transactionson DatabaseSystems(4:1), March1979,pp. 76-96.
Diamond
v. DiehrandLutton.450 U.S. 175, 101
S, Ct. 1048,1981.
Dreyfuss,R.C.andLeebron,D.W."Foreword:Privacy and Information Technology," Annual
SurveyofAmericanLaw1986, June 1987, pp.
495-509.
KeyInformation
Liability lssues
Duchesne,R. "Copyright, Ownershipof, in
Machine-Readable
BibliographicData," in Encyclopediaof Library andInformationScience,
Vol. 40, Allen Kent(ed.), MarcelDekker,New
York, NY, 1986,pp. 33-43.
Dun& BradstreetInc. v. Greenmoss
BuildersInc.
472 U.S. 749, 105 S. CT. 2939,1985.
Everest, G.C.DatabaseManagement:
Objectives,
System Functions, and Administration,
McGraw-Hill,NewYork, NY, 1986.
FederalLibrary andInformationCenterCommittee. "TheInternationalFlowof Scientific and
TechnicalInformation," Government
Information Quarterly(3:2), 1986,pp. 163-178.
Fields, A.R.andSchiller, Z."ElectronicDataCould
MakeTroublefor the Law," BusinessWeek,October 27, 1986,pp. 128, 132.
Finner, W."Privacyof Employment
Records
in the
Private Sector," AnnualSurveyof American
Law1986, June 1987, pp. 569-585.
Flaherty,D. H o Privacyand
DataProtection:An
ternational Bibliography,Knowledge
Industry,
WhitePlains, NY,1984.
Freed, R.N. "ComputerFraud--A Management
Trap," Business Horizons, June 1969, pp.
25-30.
Freedman,
R. "TheRight of Privacyin the Ageof
ComputerData andProcessing," TexasTech
LawReview(13), 1982, pp. 1361-1363.
Garman,
N. "Downloading...Still a Live Issue?"
Online(10:4), July 1986,pp. 15-25.
Gemignani,M.C. Lawand the Computer,CBI
Publishing, Boston,MA,1981.
Goldstein,M.L. "Information Law:Meetthe New
Entrepreneur,"Industry Week,April 28, 1986,
pp. 65-67.
Gregurgas,
F.M."Intellectual PropertyProtection
in the USA,"InformationAge(9:4), October
1987, pp. 215-219.
Hal RoachStudios,Inc. v. RichardFiener& Co.
1984CopyrightLawDecisions(CCH)para. 25,
709S.D.N.Y., 1984.
Hoffer, J. andStraub,D., Jr. "The9 to 5 Underground:Are YouPolicing ComputerCrimes?"
Sloan Management
Review (30:4), Summer
1989,pp. 35-44.
Huber,G.P. "TheNatureand Designof Post-Industrial Organizations,"Management
Science
(30:8), August1984,pp. 928-951.
J akes,J.M.andYoches, E.R."LegallySpeakin g:
BasicPrinciplesof PatentProtectionfor Computer Software," Communications
of the ACM
(32:8), August1989,pp. 922-924.
Jones,J.W. andMcLeod,
R., Jr. "TheStructure
of ExecutiveInformationSystems:AnExploratory Analysis," Decision Sciences(17:2),
Spring 1986,pp. 220-248.
Jurkat, M.A. "Computer
CrimeLegislation: Survey and Analysis," AnnualSurveyof American
Law1986, June 1987, pp. 511-544.
Koenig, C.F. "RecentCopyright Developments
Relating to ComputerSoftware and Databases,"Journalof the Computer
LawAssociation, Fall 1986,pp. 5-10.
LaPlante,A. "Liability in the InformationAge,"
InfoWorld, August18, 1986,pp. 37-38.
Lautsch, J.C. AmericanStandardHandbook
of
Software BusinessLaw, RestonPublishing,
Reston, VA, 1985.
Mason,R.O."Four Ethical Issuesof the Information Age," MISQuarterly (10:1), March
1986,pp. 4-12.
McFarlan,F.W."Editor’s Comments,"
MISQuarterly (12:1), March1988,pp. iii-vi.
McKibben,W.L. "WhoGets the Blamefor ComputerCrime?"Infosystems
(5:7), July 1983,pp.
34-36.
Mika, J.J. and Shuman,
B.A. "Legal IssuesAffecting Libraries and Librarians," American
Libraries (108), February1988,pp. 108-112.
Mylott, T.R. Computer
Lawfor Computer
Professionals, Prentice-Hall, Englewood
Cliffs, NJ,
1984.
Mykytyn,K., Mykytyn,P.P., Jr. and Slinkman,
C.W."Expert Systems:A Questionof Liability?" MISQuarterly (14;1), March1990, pp.
27-42.
NECCorporation v. Intel Corporation.
C-94-20799-WPG,
N.D. CA, 10 U.S.P.Q. 2d
1177, 1989.
Nimmer,M.B. and Geller, P.E. International
CopyrightLawandPractice, MatthewBender,
Albany; NY, 1988.
OECD
(Organisation for EconomicCo-Operation
and Development).Computer-Related
Crime:
Analysisof Legal Policy, OECD,
Paris, 1986.
Oberdorfer,D. "West,Mead
to Settle Disputes,"
Star Tribune(Minneapolis),July 22, 1988,
1D.
Crime,Scribner,
Parker,D.B. Fighting Computer
New York, NY, 1983.
Parker,D.B. "Ethicsfor InformationSystems
Personnel," Journalof InformationSystems
Management(5:3), Summer
1988, pp. 44-48.
Peoplev. HomeInsurance Co. 197 Colo. 260,
591 P.2d 1036, 1979.
MIS Quarterly/June 1990 155
KeyInformation
Liability Issues
RandMcNally & Co. v. Fleet Management
Systems,Inc. N.D.II1., 1986.
Regan,P.M. "Privacy, Government
Information,
and Technology," Public Administration
Review, November/December1986, pp.
629-634.
Regan,P.M. "FromPaperDossiersto Electronic
Dossiers:Gapsin the PrivacyAct of 1974,"Ofrice: Technologyand People(3), 1988, pp.
279-296.
Ricketts, J.A. "Powers-of-Ten Information
Biases,"MISQuarterly(14:1),March1990,pp.
63-77.
Roev. Wade.410U.So113, 153, 93 S. Ct. 705,
727, 1973.
SASInstitute Inc. vo S&HComputer
Systems.
605
F. Supp.816, 225 U.S.P.Q.916, 1985.
Simpson,J. "Information Management:
Issues
for the Late 80s," ASLIBInformation,September 1987, pp. 215-219.
Sprague,R.H. and McNurlin, B.C. Information
SystemsManagement
in Practice, PrenticeHall, Englewood
Cliffs, NJ, 1986.
Steinberg, R. "NECv. INTEL:TheBattle over
CopyrightProtection for Microcode,"Jurimetrics Journal (27:2), Winter 1987, pp.
173-199.
Straub, D.W.,Jr. "Controlling Computer
Abuse:
AnEmpiricalStudyof Effective SecurityCountermeasures," Proceedings of the Eighth
International Conference
on InformationSystems, December
6-9, 1987,Pittsburgh, PA,pp.
277-289.
Straub, D.W.,Jr. and Nance,W.D."Discovering
and Disciplining Computer
Abusein Organizations: A Field Study," MISQuarterly(14:1),
March1990, pp. 45-60.
Straub, D.W.,Jr. and Wetherbe,
J.C. "Information Technologies
for the 1990’s:AnOrganizational Impact Perspective," Communications
of the ACM(32:11), November1989, pp.
1328-1339,
U.S. Congress,Office of TechnologyAssessment. Federal Government Information
Technology:Electronic RecordSystemsand
Individual Privacy, OTA-CIT-296,
U.S. GovernmentPrinting Office, Washington,
D.C., June
1986.
UnitedStatesv. Miller. 425 U.S. 435, 1976.
Walton,C. and Durham,
A. "Information Systems
Liability," Journal of SystemsManagement
(39:10), October1988,pp. 36-41.
Wardv. SuperiorCourtof California. 3 Computer
L. Serv. Repo(Callahan)206Cal. Super.Ct.,
1972.
156 MIS Quarterly/June 1990
Warren,S.D. and Brandeis, L.D. "The.Rightto
Privacy," HarvardLawReview(4), December
15, 1890, pp° 193-220.
Well, B.H. andPolansky,B.F. "Copyright,Serials
and the Impacts of Technology," Serials
Review,Summer/Fall1986, pp. 25-32.
WestPublishing Company
v. MeadDataCentral
799 F.2d 1219, 1986.
Whalenv. Roe.429U.S. 589,595,97 S. Ct° 869,
874, 1977.
Wharton, L. "Legislative Issues in Computer
Crime," HarvardJournalon Legislation(21:1),
Winter 1984, pp. 239-254.
WhelanAssociatesInc. v. Jaslow Dental Lab.
oratorylnc. 797 F.2d 1222,230 U.S.P.Q.481,
1986.
Yoches,E°R. and Levine, A.J. "Legally Speaking: BasicPrinciples of CopyrightProtection
for ComputerSoftware," Communications
of
the ACM(32:5), May1989, pp. 544-545.
About the Authors
Detmar
W.StraubJr. is assistant professor of
management
information systemsat the Curtis
L. CarlsonSchoolof Management
at the University of Minnesota.Hehas publisheda number
of studies in the computersecurity management
arena,but his researchinterests extendas well
into emerginginformation technologies and
theory andmeasurement
of key IS concepts.Besides prior publicationin MISQuarterly,he has
also beenpublishedin Communications
of the
ACM,Sloan Management
Review, Journal of
MIS, and Computers
& Society. His professional
associationsandresponsibilities include: associate director, MISResearch
Center,University
of Minnesota;associatepublisher, MISQuarterly; editorial boardmemberships;
andconsulting
with the defenseand transportationindustries.
Rosann
Webb
Collinsis a doctoral candidatein
management
information systemsat the Curtis
/.. CarlsonSchoolof Management
at the University of Minnesota.
Hercurrentresearchinterests
center on the impactof information technology
on knowledge
workand on the legal and ethical
issues in computing.Shehas publishednumerous articles on the library andeducationalapplication of computers,
includingarticles in the
Journalof the American
Societyfor Information
Science,International Library Review,andthe
Journalof Research
on Computing
in Education.