28 August 2007

Sixty Seconds Of Privacy: Employee Use Of Peer-To-Peer Software Presents Data Security Concerns

Thelen LLP

Contributor

Welcome to Sixty Seconds of Privacy, an e-newsletter brought to you by the Privacy and Data Security practice group at Thelen Reid Brown Raysman & Steiner LLP.

Each edition of this e-newsletter addresses one interesting legal development in the area of privacy and data security, in a brief "question and answer" format. Each edition is intended to be read in about a minute, yet will update you on an important development. We pick the topics for this e-newsletter based on what our clients are concerned about. You are welcome to submit your questions or suggestions to us, and you may find your sixty second answer in an upcoming edition.

Question: Are there data security risks involved in the installation of peer-to-peer file-sharing software on corporate computers?

Answer: Yes, and those risks were demonstrated by a recent security breach incident at a major pharmaceutical company that was traced to the use of unauthorized P2P software on a company laptop. The data security breach occurred when an employee's spouse installed the software on a laptop provided by the company for the employee's use at home. According to the company's notification letter to its affected employees, the names, Social Security numbers, and, in some cases, addresses and bonus information of some 17,000 present and former employees could have been accessed and copied by third parties via the P2P software. Now the company is being sued by its employees in a putative class action.

The risk of a data security breach through the use of P2P software is no surprise to Rep. Henry Waxman, who held hearings in Washington on July 24 and concluded that the use of such software in government and corporate environments is a "national security threat." Tests conducted by his staff using popular P2P applications revealed that many kinds of sensitive corporate information are inadvertently made available on P2P file-sharing networks.

The security breach incident, and the results of Rep. Waxman's tests, underscore the importance of having, and enforcing, data security policies in the corporate environment. A properly drafted security policy should include the following:

  • Provisions prohibiting the installation of unauthorized software on all company computers, specifically including laptops and other computers provided by the company for use in the home environment.
  • Provisions prohibiting the use of company-provided computer equipment by anyone other than the company employee.

Finally, this incident also underscores the importance of advance planning in handling data security breach incidents, and having a properly drafted security incident response policy outlining steps that must be taken to comply with the 38 state data security breach laws now on the books. For some types of companies, having these policies in place is not only a best practice, it is also a legal requirement.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
