Peer-to-Peer May Share Some Nightmares

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer (“P2P”) networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.

Many of these security risks, they note, have already materialized.

In Washington, the Walter Reed Army Medical Center is investigating the possible disclosure of the personal information of roughly 1,000 military health beneficiaries, whose data may have been leaked through unauthorized sharing on a P2P network.

In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.

Also in 2007, Pfizer Inc. was hit with a P2P problem, whereby the names and Social Security numbers of 17,000 current and past employees were leaked after the partner of an employee downloaded file-sharing software onto a company laptop.

P2P file-sharing technology, which emerged in 1999 with the online music file-sharing service Napster, is used by millions to share electronic files with one another. Computer users, known as “peers,” can share communications and data files that contain a number of things, such as vacation photos, literary works, music or movies. Among the risks, however, is inadvertent file sharing, which happens when computer users mistakenly share more files than they intended.

Opening a Window

“It's like opening a window in downtown Manhattan and watching all of the documents fly out,” Jackson Lewis partner Joseph Lazzarotti says of inadvertent P2P disclosure. “And it's not just personal information. Company secrets get out, minutes of board meetings and proprietary information ' that's all just running around on these networks that are created by P2P software. That's what's going on.”

Unfortunately, says Lazzarotti, many companies are still unaware of the risks “because people don't really realize how many times this has happened.”

David Bateman, a partner in the Seattle office of K&L Gates, agrees that P2P file sharing is a growing problem for companies. He says he has dozens of clients who are “actually concerned about it and taking proactive steps to limit the risk.”

Bateman says a nightmare situation would be employees taking work home with them on a laptop or copying sensitive company data onto their home computer. Then they or their teenager goes onto the laptop or home computer and sets up a P2P account and “shares all that data with the world.”

Corporations Respond

But corporate America is aware of the threat, Bateman believes, and starting to respond to it: “I am seeing more and more companies coming to learn of the risk and then consult with me.”

Maybe so, but corporate counsel are being very tight-lipped about P2P concerns. More than a dozen corporate counsel at major companies were contacted for this story, but none would comment. Private attorneys also asked clients if their general counsel would speak, but none would do so.

The Association of Corporate Counsel had no comment on the subject.

Rodney Satterwhite, a partner at Richmond, VA-based McGuireWoods, says P2P file sharing is part of a bigger problem for employers: trying to keep up with technological advancements. New technologies are continually cropping up, he says, and workplace policies can't keep up.

“There's always a new frontier of technology that employees get first,” Satterwhite says, noting that P2P file sharing is the latest headache for employers.

Joan Canny, a management-side attorney in the Miami office of Morgan, Lewis & Bockius, agrees, saying P2P technology is just one more technological headache for employers: “If people embrace a new tool before we've had time to allow our security systems to catch up, we're going to have some of these problems.”

Unknown to corporate America, the popular peer-to-peer file-sharing networks that allow music and movies to be shared could be sharing something else with the public: company secrets and personal data.

Management-side lawyers are sounding alarms to their corporate clients, warning that peer-to-peer (“P2P”) networks are increasingly becoming a gateway for trade secrets, confidential financial information and personal data.

Many of these security risks, they note, have already materialized.

In Washington, the Walter Reed Army Medical Center is investigating the possible disclosure of the personal information of roughly 1,000 military health beneficiaries, whose data may have been leaked through unauthorized sharing on a P2P network.

In 2007, Citigroup Inc.'s ABN Amro Mortgage Group reported that the personal information, including Social Security numbers, of more than 5,000 customers was leaked when a business analyst signed up to use a P2P file-sharing service on a home computer containing the personal information.

Also in 2007, Pfizer Inc. was hit with a P2P problem, whereby the names and Social Security numbers of 17,000 current and past employees were leaked after the partner of an employee downloaded file-sharing software onto a company laptop.

P2P file-sharing technology, which emerged in 1999 with the online music file-sharing service Napster, is used by millions to share electronic files with one another. Computer users, known as “peers,” can share communications and data files that contain a number of things, such as vacation photos, literary works, music or movies. Among the risks, however, is inadvertent file sharing, which happens when computer users mistakenly share more files than they intended.

Opening a Window

“It's like opening a window in downtown Manhattan and watching all of the documents fly out,” Jackson Lewis partner Joseph Lazzarotti says of inadvertent P2P disclosure. “And it's not just personal information. Company secrets get out, minutes of board meetings and proprietary information ' that's all just running around on these networks that are created by P2P software. That's what's going on.”

Unfortunately, says Lazzarotti, many companies are still unaware of the risks “because people don't really realize how many times this has happened.”

David Bateman, a partner in the Seattle office of K&L Gates, agrees that P2P file sharing is a growing problem for companies. He says he has dozens of clients who are “actually concerned about it and taking proactive steps to limit the risk.”

Bateman says a nightmare situation would be employees taking work home with them on a laptop or copying sensitive company data onto their home computer. Then they or their teenager goes onto the laptop or home computer and sets up a P2P account and “shares all that data with the world.”

Corporations Respond

But corporate America is aware of the threat, Bateman believes, and starting to respond to it: “I am seeing more and more companies coming to learn of the risk and then consult with me.”

Maybe so, but corporate counsel are being very tight-lipped about P2P concerns. More than a dozen corporate counsel at major companies were contacted for this story, but none would comment. Private attorneys also asked clients if their general counsel would speak, but none would do so.

The Association of Corporate Counsel had no comment on the subject.

Rodney Satterwhite, a partner at Richmond, VA-based McGuireWoods, says P2P file sharing is part of a bigger problem for employers: trying to keep up with technological advancements. New technologies are continually cropping up, he says, and workplace policies can't keep up.

“There's always a new frontier of technology that employees get first,” Satterwhite says, noting that P2P file sharing is the latest headache for employers.

Joan Canny, a management-side attorney in the Miami office of Morgan, Lewis & Bockius, agrees, saying P2P technology is just one more technological headache for employers: “If people embrace a new tool before we've had time to allow our security systems to catch up, we're going to have some of these problems.”