FindLaw columnist Eric Sinrod writes regularly in this section on legal developments surrounding technology and the internet.
Companies naturally want to protect their internal, sensitive company information. Indeed, intellectual property and trade secrets often constitute the crown jewels of a given operation. Companies also have practical and legal obligations to protect the confidential information of their customers. Accordingly, prudent companies develop policies designed to ensure the security of such highly valuable, proprietary and sensitive data. But does that mean that company employees necessarily follow those policies? Au contraire!
Indeed, according to a recent study in Europe by Ipswitch, a file transfer security vendor, 69% of IT managers transmit highly confidential data, such as payroll, financial and customer information, over the Internet using unsecured emails.
And practically half of surveyed employees readily concede that at least once a week they send confidential or regulated content of a kind that could require data breach notifications under governing laws if the content is stolen or lost.
On top of this, 69% of those surveyed said that they send highly confidential information at least once per month using nothing more than regular, unencrypted emails and attachments. Moreover, 34% report doing so daily!
In addition, 70% of respondents answered that they keep company information on their PDAs, on USB drives, and on other systems reached through remote connections.
While 62% of the companies surveyed have security policies in place that detail how sensitive information must be secured for transmission, 72% admit that they lack the visibility to ascertain how data is actually transferred internally and externally.
So, when it comes to protection of sensitive information maintained by companies, perhaps the biggest fear is not external hackers. Instead, companies may need to look in the mirror and follow through on true data security.
Companies need the technical capability to track how and under what circumstances their data is transmitted. They also need to motivate their personnel to actually follow their data security policies.
Perhaps in this regard a carrot and stick approach could work; namely, providing positive incentives for compliance and penalties for non-compliance. And companies should consider working actively with skilled data security support vendors and knowledgeable legal counsel in this area.
Eric Sinrod is a partner in the San Francisco office of Duane Morris LLP (http://www.duanemorris.com) where he focuses on litigation matters of various types, including information technology and intellectual property disputes. His Web site is http://www.sinrodlaw.com and he can be reached at firstname.lastname@example.org. To receive a weekly email link to Mr. Sinrod's columns, please send an email to him with Subscribe in the Subject line. This column is prepared and published for informational purposes only and should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.