The data security risks involved in the installation of peer-to-peer file-sharing software on corporate computers were demonstrated by a recent security breach at a major pharmaceutical company that was traced to the use of unauthorized P2P software on a company laptop. The breach occurred when an employee’s spouse installed the software on a laptop provided by the company for the employee’s use at home. According to the company’s notification letter to its affected employees, the names, Social Security numbers, and, in some cases, addresses and bonus information of some 17,000 present and former employees could have been accessed and copied by third parties via the P2P software. Now the company is being sued by its employees in a putative class action.
At about the same time, Rep. Henry Waxman held hearings in Washington on July 24 and concluded that the use of such software in government and corporate environments is a "national security threat." Tests conducted by his staff using popular P2P applications revealed that many kinds of sensitive corporate information are inadvertently made available on P2P file-sharing networks.
The security breach incident, and the results of Rep. Waxman’s tests, underscore the importance of having, and enforcing, data security policies in the corporate environment. A properly drafted security policy should include the following:
- Provisions prohibiting the installation of unauthorized software on all company computers, specifically including laptops and other computers provided by the company for use in the home environment.
- Provisions prohibiting the use of company-provided computer equipment by anyone other than the company employee.