Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

Accounting and Financial Planning for Law FirmsKickerFeaturesTopicsLaw Firm ManagementTechnology Media and TelecomSectionsNewsLJN Newsletters

Averting Data Security Threats From Portable Electronics

By Michael W. Droke and Rachel E. Byrne
December 22, 2006

The proliferation of flash drives, iPods, camera cell phones, Black-berries, and similar electronic devices has put all companies at added risk for insider theft. With the use of these devices, downloading significant amounts of data is easy, virtually instantaneous, and often very difficult to detect. These risks apply to essentially all companies that allow employees access to electronically stored, confidential, and proprietary information.

The pocket devices used by employees to transport data between home and work, or on the road when traveling, are susceptible to theft just like any other piece of personal property. Stolen private customer or client information not only puts a business and its trade secrets at risk, but also subjects the business to legal liability claims by individuals or other companies whose private information is leaked as a result.

So what is today's company supposed to do to protect its valuable, sensitive information in the face of the risks posed by new portable devices?

Preventing Downloading Abuse

Of course, the most efficient way to prevent downloading abuse is to ban use of these portable electronic storage devices, a move that many companies have considered. Yet, the convenience and value to companies afforded by these devices is difficult, if not impossible, to ignore. The ability of employees to transport data so that they may work from anywhere provides enormous value to companies, sometimes affording them efficiencies not obtainable otherwise. Moreover, the ability to work outside the office gives companies a competitive advantage; indeed clients may demand it.

While not foolproof, there are many other less dramatic changes a company can implement to protect itself from vulnerability while still enjoying the benefits of today's portable technology:

Adopt a policy forbidding misuse. Such a policy, often referred to as a 'Portable Storage Device Policy,' announces to employees (and ultimately to courts) that the company does not tolerate abuse of portable storage devices. The policy should include the following elements:

  • A statement detailing the intent and purpose of the policy;
  • A nonexclusive list of the technologies and devices to which the policy applies;
  • A mandate forbidding personal storage devices from being attached to company computers or networks;
  • A requirement that passwords are to be activated on all possible devices;
  • A statement reminding employees about the risks of theft; and
  • A requirement that all downloaded information must be encrypted.

Follow up with courses. A company serious about protecting its information should consider having employees complete cybersecurity and information privacy courses annually. Consistent with the underlying technology, these courses could be Internet-based training programs.

Implement security systems. Consider employing an appropriate electronic device security system that requires authentication of users, records information about the devices attached to it, and performs automatic virus scans. Such a system should also automatically encrypt all stored data at high speeds without requiring employees to do anything beyond authentication.

Control devices. An employee exit interview is a company's last chance to protect its valuable information. Companies should require that all employees deliver back any computer, portable electronic storage device, or other device upon which company information has been stored, before they leave the company's employ. Even employee-owned devices upon which company information has been stored should be brought in to be cleaned of any proprietary or sensitive company information before an employee leaves the company's employ.

Conclusion

While not foolproof, the measures described herein will assist a company in proving to a court that it used reasonable efforts to maintain the secrecy of its valuable information. Such a finding increases the company's chance of having its sensitive information protected by trade secret laws, allowing it to demand the return of such information and even sue for damages associated with its misappropriation. It also will save the pain of having to explain to clients why their sensitive information has become available for public consumption.

Michael W. Droke, a partner at Dorsey & Whitney LLP, is the head of the Seattle office Labor & Employment Practice Group. Rachel E. Byrne is an associate in the group.

The proliferation of flash drives, iPods, camera cell phones, Black-berries, and similar electronic devices has put all companies at added risk for insider theft. With the use of these devices, downloading significant amounts of data is easy, virtually instantaneous, and often very difficult to detect. These risks apply to essentially all companies that allow employees access to electronically stored, confidential, and proprietary information.

The pocket devices used by employees to transport data between home and work, or on the road when traveling, are susceptible to theft just like any other piece of personal property. Stolen private customer or client information not only puts a business and its trade secrets at risk, but also subjects the business to legal liability claims by individuals or other companies whose private information is leaked as a result.

So what is today's company supposed to do to protect its valuable, sensitive information in the face of the risks posed by new portable devices?

Preventing Downloading Abuse

Of course, the most efficient way to prevent downloading abuse is to ban use of these portable electronic storage devices, a move that many companies have considered. Yet, the convenience and value to companies afforded by these devices is difficult, if not impossible, to ignore. The ability of employees to transport data so that they may work from anywhere provides enormous value to companies, sometimes affording them efficiencies not obtainable otherwise. Moreover, the ability to work outside the office gives companies a competitive advantage; indeed clients may demand it.

While not foolproof, there are many other less dramatic changes a company can implement to protect itself from vulnerability while still enjoying the benefits of today's portable technology:

Adopt a policy forbidding misuse. Such a policy, often referred to as a 'Portable Storage Device Policy,' announces to employees (and ultimately to courts) that the company does not tolerate abuse of portable storage devices. The policy should include the following elements:

  • A statement detailing the intent and purpose of the policy;
  • A nonexclusive list of the technologies and devices to which the policy applies;
  • A mandate forbidding personal storage devices from being attached to company computers or networks;
  • A requirement that passwords are to be activated on all possible devices;
  • A statement reminding employees about the risks of theft; and
  • A requirement that all downloaded information must be encrypted.

Follow up with courses. A company serious about protecting its information should consider having employees complete cybersecurity and information privacy courses annually. Consistent with the underlying technology, these courses could be Internet-based training programs.

Implement security systems. Consider employing an appropriate electronic device security system that requires authentication of users, records information about the devices attached to it, and performs automatic virus scans. Such a system should also automatically encrypt all stored data at high speeds without requiring employees to do anything beyond authentication.

Control devices. An employee exit interview is a company's last chance to protect its valuable information. Companies should require that all employees deliver back any computer, portable electronic storage device, or other device upon which company information has been stored, before they leave the company's employ. Even employee-owned devices upon which company information has been stored should be brought in to be cleaned of any proprietary or sensitive company information before an employee leaves the company's employ.

Conclusion

While not foolproof, the measures described herein will assist a company in proving to a court that it used reasonable efforts to maintain the secrecy of its valuable information. Such a finding increases the company's chance of having its sensitive information protected by trade secret laws, allowing it to demand the return of such information and even sue for damages associated with its misappropriation. It also will save the pain of having to explain to clients why their sensitive information has become available for public consumption.

Michael W. Droke, a partner at Dorsey & Whitney LLP, is the head of the Seattle office Labor & Employment Practice Group. Rachel E. Byrne is an associate in the group.

This premium content is locked for Entertainment Law & Finance subscribers only

  • Stay current on the latest information, rulings, regulations, and trends
  • Includes practical, must-have information on copyrights, royalties, AI, and more
  • Tap into expert guidance from top entertainment lawyers and experts

For enterprise-wide or corporate acess, please contact Customer Service at [email protected] or 877-256-2473

Read These Next
Overview of Regulatory Guidance Governing the Use of AI Systems In the Workplace Image

Businesses have long embraced the use of computer technology in the workplace as a means of improving efficiency and productivity of their operations. In recent years, businesses have incorporated artificial intelligence and other automated and algorithmic technologies into their computer systems. This article provides an overview of the federal regulatory guidance and the state and local rules in place so far and suggests ways in which employers may wish to address these developments with policies and practices to reduce legal risk.

Is Google Search Dead? How AI Is Reshaping Search and SEO Image

This two-part article dives into the massive shifts AI is bringing to Google Search and SEO and why traditional searches are no longer part of the solution for marketers. It’s not theoretical, it’s happening, and firms that adapt will come out ahead.

While Federal Legislation Flounders, State Privacy Laws for Children and Teens Gain Momentum Image

For decades, the Children’s Online Privacy Protection Act has been the only law to expressly address privacy for minors’ information other than student data. In the absence of more robust federal requirements, states are stepping in to regulate not only the processing of all minors’ data, but also online platforms used by teens and children.

Revolutionizing Workplace Design: A Perspective from Gray Reed Image

In an era where the workplace is constantly evolving, law firms face unique challenges and opportunities in facilities management, real estate, and design. Across the industry, firms are reevaluating their office spaces to adapt to hybrid work models, prioritize collaboration, and enhance employee experience. Trends such as flexible seating, technology-driven planning, and the creation of multifunctional spaces are shaping the future of law firm offices.

From DeepSeek to Distillation: Protecting IP In An AI World Image

Protection against unauthorized model distillation is an emerging issue within the longstanding theme of safeguarding intellectual property. This article examines the legal protections available under the current legal framework and explore why patents may serve as a crucial safeguard against unauthorized distillation.