For years the business world has found itself under an electronic siege - there always seems to be someone or something attempting to derail company computer systems. Worms, viruses, and hackers have ensured that computer security will be a booming industry for years to come. But as corporations look to secure their stores of digital information, they’ve largely overlooked one looming problem: insider data theft.

In one of the largest incidents of data theft yet, Bank of America Corporation, Wachovia Corporation, and several other banks reported last May that account information from more than 670,000 customers had been breached by insiders. The seven employees charged in the incident were reportedly selling customers’ account information for $10 a pop. Unfortunately for companies like Bank of America, the information technology solutions that block hackers and other external threats to data can do very little to prevent an employee with access to sensitive information from engaging in data theft.

Why? Thanks to advances in data storage technology, stealing massive amounts of sensitive information is becoming easier and easier to do. Using USB thumb drives - “flash” memory devices so small they can fit on key chains - and a plethora of other tiny memory storage devices, people can store large amounts of data into smaller and smaller spaces. They are dwarfing the floppy disks of days past with their capacity for data while simultaneously shrinking in physical space. Anyone can carry around their photo albums, vinyl collections, and memoirs-in-progress in their pockets. They also make convenient, covert capsules for the digital equivalent of mountains of confidential intellectual property.

What’s more, so-called smart devices are upping the ante on thumb drives. Phones and PDAs are becoming mini-computers as they amalgamate more and more functions into their tiny chassis. In fact, thumb drives, with their relatively puny capacity, are dwarfed by smart devices that may hold as much as 60 GB of data.

Other tech advances, mainly in data recovery, have made digital theft hard to track down. For example: A disgruntled employee could transfer sensitive information to his or her iPod, delete it off the iPod, and show his or her boss the iPod’s “clean” hard drive, just to reassure the boss of his or her trustworthiness. The deleted data’s gone, right? Wrong. With disk utility software, this angry employee could recover the supposedly deleted files and walk off with sensitive company information.

“For a long time you’ve always had instances of employees gone bad,” says Daniel Solove, author of The Digital Person (New York University Press, 2004) and associate professor of law at George Washington University. “What’s new is that we’re seeing a rise in identity theft, a rise in demand for the data, a rise in the incentives to misuse the data, and a rise in the amount of data being collected. At the same time [we're still seeing] the pitiful level of security that existed before this information was hoarded by these companies.”

The current interest in data theft is something like the corporate fraud scandals of a couple of years ago: People always stole company secrets, but all it takes is a few headline-grabbing incidents to make it a full-blown problem. In the case of data theft, we have California to thank; a state law there requires companies to alert consumers when their data is compromised. More states and the federal government are considering following California’s lead, but until they do, companies are reluctant to take the threat seriously. In the words of Solove: “If it’s not going to cost you much if you have the data leak, why should you go spend hundreds of thousands of dollars on security?” Yet the costs of not tightening security are now rising.

Unlike other forms of white-collar crime, data theft is most often perpetrated by those employees lowest on the food chain. Although a departing IP chief may be tempted to smuggle out a patent application, temps or entry-level staffers have the least to lose and little attachment to the companies that employ them. The access these often transient employees are sometimes given to corporate networks makes them about as airtight as a colander.

So what can be done to plug these holes? Short of “going Amish,” in the words of Marcus Sachs of Menlo Park, California-based think tank SRI International, there’s no 100 percent bulletproof solution. But having strong policies and corporate awareness in place, he says, can “knock a good dent” into the chances of a company being a victim of data theft. Company lawyers also should examine who has access to what and limit network privileges accordingly. The aim of any program, realistically speaking, is to deter casual theft. Corporations with the resources also might consider looking into software being developed that allows administrators to monitor the digital activities and network downloads of employees. And finally, the more intrepid, if not paranoid, companies should consider a no-thumb-drive policy and forbid employees from hooking up their mp3 players to company computers.

But in coming up with these policies, companies also need to weigh their costs, because they could affect productivity, not to mention take their toll on morale. Disabling USB ports could affect which printers or which mouse a company can use. And biometric passwords or encryption will only keep employees without a need of access away from sensitive data. So companies need to assess how valuable the intellectual property and databases they maintain are and how vulnerable they could be. (Naturally, a company with billions of dollars invested in R&D might need to think more about data leaks than, say, a small retail chain.)

But no matter what in-house lawyers and IT professionals choose to do, in the words of Purdue University computer technology professor Marcus Rogers, “If people really want to do something bad, they’re going to find a way.” With devices and tactics like these out there, companies will have to weigh how intrusive they want their IT and human security to be. Charles DeLeon, general counsel with Chantilly, Virginia-based government technology firm GTSI Corp., says that even though businesses and government agencies should adopt more stringent measures against data theft, in offices, like his own, where employees are very “tech savvy,” they may encounter some resistance. But, he says, “from a legal perspective, no cost is too great.” So while there is no fail-safe way to tackle data theft, given the time and effort, companies can at least deter the more casual thief.

Copyright © 2021 ALM Media Properties, LLC. All Rights Reserved.