P2P Exposes Corporations To Regulatory And Liability Risks
October 06, 2010
How Rap And Rock And Roll Ruined Customer Relationships
Employment Law Update, Vol. 31
My partner, Tom Ryerson, presents this hypothetical case based on data breach cases he has defended, and we have several Practice Tips which you should consider:
Your company gets a customer complaint that her social security number was published on the internet. She claims your company's computers exposed her personally protected information (PPI) to misuse. You call your IT manager who assures you that your company has all the standard firewalls installed to prevent hackers' access to your network.
While IT investigates the complaint, you receive another letter, this one from the FTC, informing you that a customer list containing customers' PPI had been published on the internet through a peer-to-peer (P2P) network. The government demands your records and data, and insists on proof of remediation and of the security of your network. You ask IT what P2P is and learn that P2P is "peer-to-peer" networking, e.g., music downloading or gaming programs on the internet. In more technical jargon, P2P is a distributed application architecture that partitions tasks or workloads between equally privileged peers, which form a peer-to-peer network of nodes. The peers become both suppliers and consumers of resources, in contrast to the traditional client-server model where only servers supply and users consume. You may know P2P through file-sharing networks like Napster, eDonkey, BitTorrent, and Gnutella.
You tell IT, "I thought we barred our employees' access to these sites, so how could this happen?" Further investigation reveals that your salesman downloaded a 600-customer spreadsheet for use on his personal laptop, which he shared with his son, who downloaded music using P2P software. You figure this is all too unforeseeable to be a legal problem? Think again.
Legal Problems in Two Arenas: Regulatory and Litigation
Depending on your industry and location, the FTC, the Justice Department, state attorneys general, or municipalities all may have authority to investigate, demand records and data, demand remediation, or issue substantial fines. Regulatory compliance may require your company to identify the breach, terminate it, prevent it from recurring, and prove you did all that within a short period of time.
Individual claims or lawsuits are bad enough. But PPI breaches are like cockroaches: if there is one, there are probably a thousand. So, you may not be facing a few simple, small lawsuits. More likely is the filing of a class action, joining all the customers or clients into one large lawsuit. There is potential liability under the common law legal theories of general negligence, privacy claims, identity theft, or emotional distress. Depending on the industry and the nature of the PPI, liability claims can also arise under patient rights acts, healthcare reform acts, and PPI protection acts. Insurance coverage is potentially an issue depending on the allegations. Lawyers representing employees see this as fertile ground; the list of potential legal theories will grow.
Potential defenses include the existence of a legal duty, intervening cause, or that regulatory statutes don't apply.
When regulators knock at your door:
- Take the first notice seriously;
- Investigate to verify the breach and the source of the breach;
- Communicate a policy against P2P software being on your network;
- Educate employees that P2P exposes their computer hard drives to a world full of enterprising data thieves;
- Require employees to sign a statement that they will not put company data on a computer that has peer-to-peer sharing software such as Napster, eDonkey, or internet games;
- Require employees to re-sign the statement annually;
- Revise your internet and computer use policies to prohibit employees from downloading company data outside your protected network;
- Wipe all P2P software or applications from your network.
Call Jim Barber for further information at (312) 606-7712 or e-mail at firstname.lastname@example.org.