
Data Privacy Micc Presentation


Page 1: Data Privacy   Micc Presentation

DATA PRIVACY

Ashish S. Joshi, Esq.
Lorandos & Associates

Trial Lawyers

Michigan – New York – Washington, D.C. – India

Page 2: Data Privacy   Micc Presentation

Businesses collect and store sensitive information: social security numbers, credit card and bank account information, medical and personal data.

Businesses have a legal obligation to protect this information.

Failure to exercise due diligence in protecting sensitive data could lead to fraud and identity theft – and expose a business to serious legal liability.

Page 3: Data Privacy   Micc Presentation

Exposure to Legal Liability

Federal Law: The Federal Trade Commission (FTC) enforces several laws that have information security requirements: the Gramm-Leach-Bliley Act, the Fair Credit Reporting Act, and the Federal Trade Commission Act.

State Law: Michigan law requires immediate notification of a security breach, with ancillary measures. Failure to provide a required notice may subject a person to a civil fine of up to $750,000 and/or prosecution by the State Attorney General. A majority of states have similar laws.

Private Lawsuits: Lawsuits filed by victims of identity theft and/or fraud can involve a business in long and expensive litigation.

Page 4: Data Privacy   Micc Presentation

Peer-To-Peer File Sharing

P2P technology is a way to share music, video and documents, play games, and facilitate online telephone conversations.

Popular P2P programs: BearShare, LimeWire, KaZaa, eMule, Vuze, uTorrent and BitTorrent.

Page 5: Data Privacy   Micc Presentation

P2P Security Risk

If P2P software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.

Employees using P2P programs may inadvertently share files.

Instead of just sharing music on a lunch break, an employee may end up “sharing” his or her company’s highly sensitive information.

Once a user on a P2P network downloads someone else’s files, the files cannot be retrieved or deleted.

Page 6: Data Privacy   Micc Presentation

Create a Policy and Enforce It.

The decision to ban or allow P2P file sharing programs on your company’s network involves a number of factors.

Whether you decide to ban P2P file sharing programs or allow them, it’s important to (a) create a policy, (b) implement it, and (c) enforce it.

Prepare a plan that you can implement – effectively and efficiently – in case of a security breach.

Page 7: Data Privacy   Micc Presentation

If You Decide to Ban P2P Programs…

Block access from your network to sites used to download P2P programs – especially the sites that offer free software.

Use scanning tools to find P2P file sharing programs and remove them.

Install tools that create records of file transfers to detect P2P traffic.

Review activity logs on your network to identify traffic volume spikes that may indicate big files (or a large number of small files) are being shared.

Install data loss prevention tools that inspect outgoing files for sensitive information.

Page 8: Data Privacy   Micc Presentation

If You Decide to Allow P2P Programs…

Review various P2P programs, and select one that is appropriate for your company.

Permit only the approved program.

Provide the approved program directly to authorized users from an internal server, not from a public download site.

Update the approved P2P program from an authorized source to incorporate the latest security patches.

Page 9: Data Privacy   Micc Presentation

If You Allow Remote Access…

Provide dedicated company computers to employees who work remotely.

These computers should have the same security measures that you use at work.

Remote access should be allowed only through secure connections like VPN or SSL.

Exercise due diligence in deciding who you allow to access your network remotely.

Page 10: Data Privacy   Micc Presentation

Train Your Employees

Keeping sensitive information secure is the responsibility of every employee.

Every employee who has access to sensitive information should be trained about the security risks.

If you allow P2P programs, train your employees on how to limit what other P2P users can view on your network.

Consider what disciplinary measures are appropriate for violation of your company’s policies about data security.

And, most important: make sure that policies have teeth – discipline the rogue employees.

Page 11: Data Privacy   Micc Presentation

In Case of a Security Breach

Immediately consult an attorney who is an expert in the area of data privacy laws.

Get together a team: attorneys, computer forensic experts, in-house I.T. staff, and the Chief of Human Resources.

Take swift action to comply with the state notification laws.

Evaluate potential civil and/or criminal remedies.

Evaluate the possibility of obtaining preliminary relief / an injunction.

Media / Public Relations

Page 12: Data Privacy   Micc Presentation

Sources: The Federal Trade Commission

www.ftc.gov

Ashish S. Joshi, Esq.
Lorandos & Associates
www.lorandoslaw.com