Peer2Peer Software, Confidential Information and Employment Policies

Employers should be alert to yet another web-based activity that should be addressed in their technology policies and practices.
In January of this year the Federal Trade Commission sent a letter to 100 companies warning each of them that “sensitive personal information from or about your customers and/or employees has been shared from your computer network…to a peer-to-peer file sharing (P2P) network.”  The letter then described specifically the files that were available to every user of that P2P network.  This was not the first time the FTC has raised an alarm about the damage that can occur when P2P software is installed on a company’s computers or servers.  But what does this mean to a business in practical terms?  It can mean a breach of the security of the business’s network that results in the loss of private information, trade secrets or other proprietary, confidential information, and the violation of state and federal laws prohibiting the disclosure of private information.
President Obama was unknowingly involved in a recent example of the potential problem.  It was widely reported last year that P2P software may have been used to obtain all of the blueprints and avionic specifications for President Obama’s helicopter, Marine One.  One commentator has described P2P networks as a “conduit for hackers to enter a network or computer, access personal and confidential information, as well as deploy viruses or worms.”
P2P technology is for group sharing, most commonly used by millions to share music, video and documents through sharing programs such as BitTorrent.  Each user of the software (usually free and downloaded to a computer) can obtain files that other users have placed in the folders their software shares.  When the shared folder is configured too broadly, however, for example set to the user’s home directory or Documents folder rather than a single download folder, every file beneath it becomes available to the other users of the P2P network, whether or not the user intended to share it.  Anyone can join these networks, and “millions of computers could be connected at one time,” as the FTC has warned in its publication Peer-To-Peer File Sharing: A Guide for Business.
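The following script is an added illustration of that misconfiguration and is not part of the original article or of any FTC guidance. It audits a P2P client’s configured share directory: it flags a share root that is the user’s home directory (or a parent of it, or a well-known data folder such as Documents), and it lists the files beneath the share whose names or contents look sensitive. The filename patterns, the Social Security Number regex, the list of “too broad” folder names and the sample directory tree are all constructed for this example; a real deployment would substitute the organization’s own data-classification rules.

```python
import re
import tempfile
from pathlib import Path

# Filename patterns that commonly indicate confidential business or personal data.
# Constructed heuristic list for this example, not an FTC or vendor-supplied list.
SENSITIVE_NAME_PATTERNS = [
    re.compile(p, re.IGNORECASE) for p in (
        r"payroll", r"ssn", r"tax", r"w-?2", r"customer", r"confidential",
        r"blueprint", r"\.pst$", r"\.key$", r"\.pem$",
    )
]
# Content heuristic: a US Social Security Number in dashed form (constructed).
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")

# Folder names that should never be a share root: sharing them exposes everything below.
BROAD_ROOTS = ("Documents", "Desktop", "Downloads", "home", "Users")


def audit_share(share_root, user_home):
    """Walk one configured share and return a report of what it would expose.

    share_root: directory the P2P client is configured to share (str or Path)
    user_home:  the user's home directory, used to decide whether the share is too broad
    """
    share_root = Path(share_root).resolve()
    user_home = Path(user_home).resolve()
    report = {"root": str(share_root), "too_broad": False, "files": 0, "sensitive": []}

    # A share that is the home directory, a parent of it, or a well-known data folder
    # is the misconfiguration that leaks unrelated files to the whole P2P network.
    if (share_root == user_home or share_root in user_home.parents
            or share_root.name in BROAD_ROOTS):
        report["too_broad"] = True

    for path in share_root.rglob("*"):
        if not path.is_file():
            continue
        report["files"] += 1
        reasons = [p.pattern for p in SENSITIVE_NAME_PATTERNS if p.search(path.name)]
        try:
            head = path.read_bytes()[:65536]  # inspect only the first 64 KiB of content
            if SSN_RE.search(head):
                reasons.append("ssn-in-content")
        except OSError:
            reasons.append("unreadable")
        if reasons:
            report["sensitive"].append((path.relative_to(share_root).as_posix(), reasons))
    return report


def build_demo_tree():
    """Create a constructed home directory that mimics a typical user's layout."""
    base = Path(tempfile.mkdtemp())
    home = base / "Users" / "alice"
    (home / "Downloads" / "Music").mkdir(parents=True)
    (home / "Documents" / "HR").mkdir(parents=True)
    (home / "Downloads" / "Music" / "track01.mp3").write_bytes(b"\x00" * 16)
    # Constructed payroll record containing a fake SSN; this is the file that would leak.
    (home / "Documents" / "HR" / "payroll_2010.xls").write_bytes(b"Smith,123-45-6789,55000\n")
    (home / "Documents" / "notes.txt").write_bytes(b"lunch on tuesday\n")
    return home


def main():
    home = build_demo_tree()
    # Correct configuration: only the download folder is shared.
    ok = audit_share(home / "Downloads" / "Music", home)
    # Misconfiguration: the whole home directory is shared.
    bad = audit_share(home, home)
    for r in (ok, bad):
        print(f"{r['root']}: too_broad={r['too_broad']} "
              f"files={r['files']} sensitive={r['sensitive']}")


if __name__ == "__main__":
    main()
```

Run against a real workstation, the same function takes the share path read from the client’s configuration and the employee’s actual home directory; the first thing to check is the `too_broad` flag, because a share rooted at the home directory exposes every file the user ever saves there, including the ones listed under `sensitive`.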
The potential risks associated with P2P software mean that employers should review their policies regarding their employees’ use of and access to the company’s computers and network, and review their internal security controls.  An employer’s policy decision will be influenced by its culture, but the importance of protecting against disclosure of the company’s proprietary information and private information relating to its employees and customers must be given great weight.  The FTC’s publications discuss various methods to control the installation and use of P2P software and to protect confidential information (see also, P2P File-Sharing: Evaluate the Risks).   But whatever policy decision is made should be supported by policies and procedures that unambiguously inform the employees of the limitations and prohibitions.  Those policies should apply not only to the employee’s use of his or her computer and access to the company’s servers and network from the office location, but also to the employee’s remote access to the system.  In addition, technical and administrative controls should be applied to enforce and monitor compliance with the policy, for example blocking P2P traffic at the firewall, scanning workstations for installed P2P clients, and reviewing network logs for P2P activity.
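One way to do the log review mentioned above, as an added example that is not from the article or from the FTC: the script below reads firewall/proxy log lines and flags internal hosts showing BitTorrent-style activity. It treats an HTTP tracker announce (a `/announce` or `/scrape` request carrying an `info_hash` parameter) or a known P2P client User-Agent as a strong indicator, and a connection to the 6881–6889 port range that BitTorrent clients traditionally use as a weak one, so that a single stray port hit does not by itself accuse a host. The key=value log format, the sample lines, the client-name list and the threshold are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines in a simple key=value format (not a real vendor's format).
# 10.1.4.57 is a real P2P user, 10.1.4.88 shows one ambiguous port hit, 10.1.4.23 is clean.
SAMPLE_LOG = """\
ts=2010-03-01T09:12:01 src=10.1.4.23 dst=203.0.113.10 proto=tcp dport=443 url=https://mail.example.com/ ua="Mozilla/5.0"
ts=2010-03-01T09:12:05 src=10.1.4.57 dst=198.51.100.8 proto=tcp dport=80 url=http://tracker.example.net/announce?info_hash=%12%34&peer_id=-UT2210- ua="uTorrent/2210"
ts=2010-03-01T09:12:06 src=10.1.4.57 dst=198.51.100.9 proto=udp dport=6881 url=- ua=-
ts=2010-03-01T09:12:09 src=10.1.4.57 dst=192.0.2.77 proto=tcp dport=6889 url=- ua=-
ts=2010-03-01T09:13:00 src=10.1.4.23 dst=203.0.113.11 proto=tcp dport=80 url=http://www.example.org/announcements ua="Mozilla/5.0"
ts=2010-03-01T09:13:30 src=10.1.4.88 dst=192.0.2.5 proto=udp dport=6881 url=- ua=-
"""

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Tracker path must be exactly /announce or /scrape, so "/announcements" does not match.
TRACKER_RE = re.compile(r"/(announce|scrape)(\?|$)")
# Constructed list of common client names seen in User-Agent strings (assumption).
CLIENT_UA_RE = re.compile(r"(uTorrent|BitTorrent|Azureus|Vuze|Transmission|Deluge|qBittorrent)", re.I)
P2P_PORTS = range(6881, 6890)  # traditional BitTorrent listening ports (heuristic only)


def parse_line(line):
    """Parse one key=value log line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def classify(rec):
    """Return a list of (strength, label) indicators for one log record."""
    hits = []
    url = rec.get("url", "-")
    if TRACKER_RE.search(url) and "info_hash=" in url:
        hits.append(("strong", "tracker-announce"))
    if CLIENT_UA_RE.search(rec.get("ua", "")):
        hits.append(("strong", "p2p-client-user-agent"))
    try:
        if int(rec.get("dport", 0)) in P2P_PORTS:
            hits.append(("weak", f"port-{rec['dport']}/{rec.get('proto', '?')}"))
    except ValueError:
        pass  # malformed dport field; ignore the port heuristic for this line
    return hits


def find_p2p_hosts(log_text, weak_threshold=2):
    """Aggregate indicators per source host and return the hosts worth investigating.

    A host is flagged on any strong indicator, or on at least weak_threshold weak ones.
    """
    per_host = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if "src" not in rec:
            continue
        per_host[rec["src"]].extend(classify(rec))

    flagged = {}
    for host, hits in per_host.items():
        strong = sorted({label for s, label in hits if s == "strong"})
        weak = [label for s, label in hits if s == "weak"]
        if strong or len(weak) >= weak_threshold:
            flagged[host] = {"strong": strong, "weak": weak}
    return flagged


if __name__ == "__main__":
    for host, ind in find_p2p_hosts(SAMPLE_LOG).items():
        print(f"{host}: strong={ind['strong']} weak={ind['weak']}")
```

The port heuristic is deliberately weak because clients can be configured to use any port and many use random high ports; the tracker and User-Agent signals are what make a finding actionable, and encrypted or DHT-only traffic will need endpoint scanning for installed clients rather than log review alone.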
Stephen C. Gerrish, Employment Group