ARTICLE
3 August 2007

P2P Software On Corporate Computers Presents Privacy And Data Security Risks

Thelen LLP

Contributor


Two recent developments highlight the risks that are presented by the use of Peer-to-Peer (P2P) file-sharing software on corporate computers, and underscore the importance of having, and enforcing, data security policies in the corporate environment.

P2P file-sharing software is usually used to trade music files, but installing and using it can expose any file on a user's computer to sharing and downloading by third parties. This is exactly what happened in the latest highly publicized corporate data security breach.

A major pharmaceutical company has recently been sued by its employees in a putative class action relating to a data security breach that was traced to a company laptop. The data security breach occurred when an employee's spouse installed unauthorized P2P file-sharing software on a laptop provided by the company for the employee's use at home. According to the company's letter notification to its affected employees, the names, social security numbers, and, in some cases, addresses and bonus information of some 17,000 present and former employees could have been accessed and copied by third parties via the P2P software.

The risk of a data security breach through the use of P2P software is no surprise to Rep. Henry Waxman, who held hearings in Washington on July 24, and concluded that the use of such software in government and corporate environments is a "national security threat." Tests conducted by his staff using popular P2P applications revealed that "personal bank records and tax forms, attorney-client communications, the corporate strategies of Fortune 500 companies, confidential corporate accounting documents, internal documents from political campaigns, government emergency response plans, and even military operation orders" are available on P2P file-sharing networks.

Thelen attorneys regularly counsel clients on privacy and data security matters. For example, Thelen assists in the preparation of written Security Policies and Security Incident Response Policies.

A Security Policy sets forth the various security measures an entity employs to protect the data it possesses, given the nature of the data and the types of risks the data is exposed to in the course of the entity's activities. For example, a thoroughly considered Security Policy outlines specifically what software can and cannot be installed on company computers, and who may have access to such computers, particularly when they are deployed in a home environment.

A Security Incident Response Policy prepares an entity to respond to a security incident, and includes compliance requirements for the 38 state data security breach notification laws presently on the books and other federal and local laws and standards. A policy also defines an entity's incident response team and the allocation of tasks, delineates the appropriate order of such tasks, and provides instructions for the method and content of notifications, etc., so that the entity is not left scrambling without a plan. A policy might also include template forms, such as customizable customer notification letters, FAQs, press releases, and notifications to state agencies, police departments, consumer reporting agencies, etc.

Having both policies in place is not only a "best practice," it may be required by law for entities that handle credit card information, financial account numbers, SSNs, health-related information, and the like. Virtually every company is in need of such policies in order to safeguard the confidential information that it maintains with respect to its employees and to respond to a breach in an efficient and legally compliant fashion.

Thelen's Privacy and Data Security practice group works closely with its Labor and Employment team in assisting clients in all aspects of implementing these policies and effectively enforcing them. They also help their clients to manage incident responses in the event of a breach. Their knowledge of data security law and experience in responding to security incidents enable them to assist clients in a manner that can both lower the risk of suffering a security breach and, in the event of a security breach, mitigate the harm suffered by the client and its customers alike.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
