Personal liability for orphaned accounts?

Here is an interesting question:

But what about you and your personal liability? If you leave a company, and your ID stays behind, and stays active, are you liable if it’s used for bad purposes? Personally, if I were doing something “prohibited” I’d much rather be using an ID belonging to a departed employee or contractor.

As a consultant, I deal with this issue a lot. On multiple occasions, I have returned to a client months or years after leaving, and discovered that my old account IDs and passwords were still valid! So, my current policy is to send the company an email (receipt requested) telling them that I am leaving, and formally request that they de-provision the accounts. If I could put the account in a shredder myself, I would. If only there WERE a virtual account shredder I could use!

I doubt that there would be any legal liability if your old accounts got used for illegal activities. Your good name and reputation could well suffer, however. Still, it’s a very interesting issue.

When I used to work on provisioning systems, I used to joke that IdM is really all about de-provisioning. Most companies don’t care that it takes you two weeks to get all the resources you need, but it had better not take even two minutes to turn them all off when you leave.

Maybe it really is all about de-provisioning after all.

