I'm seeking any information or information on where I need to look to get my answers regarding the legality of a company who has all of their employees personal info including SS#'s available to any employee of the company that has an email account. I am concerned about this issue and the fact that anyone from the head boss to some janitoriol staff have the capabililty of accessing this information. (approximately 900 people have the capablity of accessing this information) I am fighting a political battle here as far reveiling the lack of knowledge of the IT person in charge of this server. I have addressed the issue. The one responsible for this system does not know how to use security in a Windows 2000 server environment and has all users set to full control of the entire file system. I have addressed this issue for approx. the past 6 years to no success. When I questioned who would be responsible if identity theft occured they point the fingers to me but it has been made clear that I am not the one responsible for this particular system. I'm in a rather small town and no one here local would know the legalities regarding this situaion. Any help or advice on how to address this issue or direction to lookin would be greatly appreciated.
Thanks in advance,