Pardon the rhyme, but what should employers be doing to address use of Web 2.0 in the workplace? There are essentially two types of risks presented by Web 2.0. The first relates to the far broader range of content available to employees in using Web 2.0. The second arises out of the headlong rush of many businesses into “cloud computing.” Let’s take these one at a time.
Web 2.0 is based on the nearly universal availability of high speed Internet connections. Those connections make it possible to download or access high quality video, music, pictures, and other content. While these same types of content were available on the “old” Internet, the new risk is the ease with which this content can now be obtained. Some specific risks:
Liability for Copyright Infringement. The temptation for employees to download pictures, music, videos, and other content from the Internet is now stronger than ever. The overwhelming majority of instances in which this type of content is downloaded to company systems is for non-work related purposes. Each time an employee puts this content on the company computers the business is put at risk for potential claims of copyright infringement and, as discussed below, may be exposed to viruses and other harmful code. Copyright infringement is essentially a “strict liability” offense. If the infringing content is on the company’s computer systems, it can be held liable – even if it did not authorize the downloads and even if it had no knowledge the content was present.
Harassment; Illegal Content. Depending on the content of the materials downloaded the business may be exposed to harassment claims if inappropriate pictures or jokes are circulated to other employees or to potential prosecution if the content includes child pornography, hate speech, or other illegal material. In the latter case, the content, itself, constitutes a crime and may subject the employer not only to potential prosecution, but also seizure of the computer systems on which the content was stored.
Propagation of Harmful and Destructive Code. Downloading a broader variety of content from the Internet heightens the potential for harmful code and viruses to be transmitted onto an employer’s systems. In addition to deleting files and otherwise disrupting operation of the employer’s systems, sophisticated viruses now target personally identifiable information and other valuable data and surreptitiously transmit out of the company. Viruses can also turn corporate computers into “slaves” or “zombies,” permitting them to be used without the company’s knowledge to cause harm to other businesses. As an example, corporate computers have been used to store massive amounts of illegal music or to launch denial of service attacks against other businesses (e.g., using one company’s computer systems to disrupt operation of another company’s Web site) – all without the company’s knowledge.
Peer-to-Peer File Sharing. File sharing software such as BearShare, Limeware, and others enables users to exchange music, video, and other files directly over a peer-to-peer network without the need for an intermediate hub server. That is, users can directly access files stored on another user’s hard drive. While this may be a fine method of exchanging personal multimedia files in the privacy of one’s own home, the security implications are clear when employees install this software on work computers or home computers on which they engage in work-related activities.
Most businesses that handle sensitive information have already implemented strong policies prohibiting employees from using this type of file sharing software at work. The problem, of course, is the uncontrolled environment on the home computers of all their employees. Those home computers are seldom for the exclusive use of the employee. Instead, other members of the household and friends may all have access to the computer and the ability to install software on it. Anyone of them could knowingly (or unknowingly) install some form of peer-to-peer file sharing software. Then, when the employee uses the home computer for work-related activities, any business files stored on the computer may be accessible for copying by anyone on the peer-to-peer network and quickly disseminated across the globe. Once the files are loaded onto the computer of another member of the peer-to-peer network, they will be made available to others through their computer as well. The threat to corporate information is substantial and can only be controlled by enacting strict policies against storing business data on non-work provided computers (e.g., an employee can only access and store company data on a company provided laptop).
The potential risks of employee installation and use of peer-to-peer file sharing software is not merely theoretical. Earlier this year, there was a data breach of more than 5,000 customers of a mortgage company. Preliminary investigation of the breach has identified a business computer on which the BearShare peer-to-peer software was installed. This software is the suspected source of the compromise.
One of the most significant technological advances associated with the Web 2.0 is “cloud computing,” meaning the transfer of local computing and file storage to online services. Almost every kind of application from word-processing, to spreadsheets, to e-mail, to customer relationship management software, to security services, to file storage are now made available through Web 2.0-based services. Users require only an Internet-enabled computer, with no locally installed software, other than a browser, to access and use these applications. This means all information and data are stored on the third party service provider’s servers.
The driving forces behind the popularity of these hosted application services include the following: low cost of entry (i.e., the business does not have to license the software, but only pay a subscription fee to access the applications), generally faster deployment, ease of application updates, low maintenance, decreased investment in local hardware, and, at least perceived, increases in security and reliability.
The risk of using these services can be controlled when a company makes a reasoned decision to use them. That is not the case when an employee chooses to use these types of services without their employer’s knowledge. In those cases, employees are storing company information on computer systems that are maintained by third parties with whom the company has not contractual relationship or other protections to ensure that data is protected. In many cases, these third party service providers are small, start-up companies that frequently go out of business in the blink of an eye, potentially selling off the equipment on which their former customer’s data was stored at auction.
Steps to reduce the foregoing risks include better employee training, development of specific Internet/technology use policies, and the use of software and other technology to limit the ability of employees to download unauthorized, non-business-related content, to transfer sensitive information outside the company, and to monitor and protect systems from viruses and other harmful code.
About the Author:
Michael R. Overly is a partner in Foley & Lardner LLP's Information Technology & Outsourcing Practice. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information Systems Security Professional (CISSP) and Information Systems Security Management Professional (ISSMP) certifications. Mr. Overly's numerous articles and books have been published in the United States, Europe, Korea, and Japan. For more information, please visit www.foley.com, email: firstname.lastname@example.org, or call (213) 972-4533.