Averting Data Security Threats From Portable Electronics

Preventing Downloading Abuse

Of course, the most efficient way to prevent downloading abuse is to ban use of these portable electronic storage devices, a move that many companies have considered. Yet, the convenience and value to companies afforded by these devices is difficult, if not impossible, to ignore. The ability of employees to transport data so that they may work from anywhere provides enormous value to companies, sometimes affording them efficiencies not obtainable otherwise. Moreover, the ability to work outside the office gives companies a competitive advantage; indeed clients may demand it.

While not foolproof, there are many other less dramatic changes a company can implement to protect itself from vulnerability while still enjoying the benefits of today's portable technology:

Adopt a policy forbidding misuse. Such a policy, often referred to as a 'Portable Storage Device Policy,' announces to employees (and ultimately to courts) that the company does not tolerate abuse of portable storage devices. The policy should include the following elements:

• A statement detailing the intent and purpose of the policy;
• A nonexclusive list of the technologies and devices to which the policy applies;
• A mandate forbidding personal storage devices from being attached to company computers or networks;
• A requirement that passwords are to be activated on all possible devices;
• A statement reminding employees about the risks of theft; and
• A requirement that all downloaded information must be encrypted.

Follow up with courses. A company serious about protecting its information should consider having employees complete cybersecurity and information privacy courses annually. Consistent with the underlying technology, these courses could be Internet-based training programs.

Implement security systems. Consider employing an appropriate electronic device security system that requires authentication of users, records information about the devices attached to it, and performs automatic virus scans. Such a system should also automatically encrypt all stored data at high speeds without requiring employees to do anything beyond authentication.

Control devices. An employee exit interview is a company's last chance to protect its valuable information. Companies should require that all employees deliver back any computer, portable electronic storage device, or other device upon which company information has been stored, before they leave the company's employ. Even employee-owned devices upon which company information has been stored should be brought in to be cleaned of any proprietary or sensitive company information before an employee leaves the company's employ.

Conclusion

While not foolproof, the measures described herein will assist a company in proving to a court that it used reasonable efforts to maintain the secrecy of its valuable information. Such a finding increases the company's chance of having its sensitive information protected by trade secret laws, allowing it to demand the return of such information and even sue for damages associated with its misappropriation. It also will save the pain of having to explain to clients why their sensitive information has become available for public consumption.

The proliferation of flash drives, iPods, camera cell phones, Black-berries, and similar electronic devices has put all companies at added risk for insider theft. With the use of these devices, downloading significant amounts of data is easy, virtually instantaneous, and often very difficult to detect. These risks apply to essentially all companies that allow employees access to electronically stored, confidential, and proprietary information.

The pocket devices used by employees to transport data between home and work, or on the road when traveling, are susceptible to theft just like any other piece of personal property. Stolen private customer or client information not only puts a business and its trade secrets at risk, but also subjects the business to legal liability claims by individuals or other companies whose private information is leaked as a result.

So what is today's company supposed to do to protect its valuable, sensitive information in the face of the risks posed by new portable devices?

Preventing Downloading Abuse

Of course, the most efficient way to prevent downloading abuse is to ban use of these portable electronic storage devices, a move that many companies have considered. Yet, the convenience and value to companies afforded by these devices is difficult, if not impossible, to ignore. The ability of employees to transport data so that they may work from anywhere provides enormous value to companies, sometimes affording them efficiencies not obtainable otherwise. Moreover, the ability to work outside the office gives companies a competitive advantage; indeed clients may demand it.

While not foolproof, there are many other less dramatic changes a company can implement to protect itself from vulnerability while still enjoying the benefits of today's portable technology:

Adopt a policy forbidding misuse. Such a policy, often referred to as a 'Portable Storage Device Policy,' announces to employees (and ultimately to courts) that the company does not tolerate abuse of portable storage devices. The policy should include the following elements:

• A statement detailing the intent and purpose of the policy;
• A nonexclusive list of the technologies and devices to which the policy applies;
• A mandate forbidding personal storage devices from being attached to company computers or networks;
• A requirement that passwords are to be activated on all possible devices;
• A statement reminding employees about the risks of theft; and
• A requirement that all downloaded information must be encrypted.

Follow up with courses. A company serious about protecting its information should consider having employees complete cybersecurity and information privacy courses annually. Consistent with the underlying technology, these courses could be Internet-based training programs.

Implement security systems. Consider employing an appropriate electronic device security system that requires authentication of users, records information about the devices attached to it, and performs automatic virus scans. Such a system should also automatically encrypt all stored data at high speeds without requiring employees to do anything beyond authentication.

Control devices. An employee exit interview is a company's last chance to protect its valuable information. Companies should require that all employees deliver back any computer, portable electronic storage device, or other device upon which company information has been stored, before they leave the company's employ. Even employee-owned devices upon which company information has been stored should be brought in to be cleaned of any proprietary or sensitive company information before an employee leaves the company's employ.

Conclusion

While not foolproof, the measures described herein will assist a company in proving to a court that it used reasonable efforts to maintain the secrecy of its valuable information. Such a finding increases the company's chance of having its sensitive information protected by trade secret laws, allowing it to demand the return of such information and even sue for damages associated with its misappropriation. It also will save the pain of having to explain to clients why their sensitive information has become available for public consumption.