Why? If not, you might see your former job posted on Monster.com while searching for a new job. The reason? This article by Tim Wilson describing an FTC settlement against ValueClick that might mean your company is liable for the inadvertent release of data.

“In a nutshell, the decision means that enterprises could be found negligent for promising to protect user data but subsequently failing to implement the security precautions required to meet those promises. If you promise good security and then fail to provide it, it could weigh against you in court, the decision says” (Wilson, ¶ 4).

And trust me, if you are responsible for ensuring the security of the data, or the computers, and the company has to pay out a few hundred thousand or even millions, you will most likely be on Monster.com looking for a job the next day.

The problem? How do we secure those notebooks that travel around? This is a nightmare scenario to anyone in IT.

“It all started when the spouse of a Pfizer employee used file-sharing software on a company laptop, presumably to swap music or other content with other P2P users. Unknowingly, the laptop user also exposed 2,300 work files, including those containing sensitive Pfizer employee data–names, Social Security numbers, addresses, and bonus information resident on the laptop” (Foley, ¶ 2).

One way or another, you have to find a way to secure your data. A data dissemination policy is a good start. Work with senior managers and define a set of data that will not be available outside the application where that data is used. For instance, in the case of employees, why do you need social security numbers in a spreadsheet? Wouldn’t just an employee number be sufficient? No name, no address, no phone number, just employee ID and the relevant data.
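The data dissemination idea above, as an added example that is not from the original post: a small Python check that strips an HR export down to employee ID plus the one field the spreadsheet needs, and a checker that flags exports still carrying forbidden columns or SSN-shaped values. The forbidden-field list and the sample records are constructed for this example.

```python
import csv
import io
import re

# Fields the (assumed) data dissemination policy keeps inside the HR application.
FORBIDDEN_FIELDS = {"name", "ssn", "address", "phone"}

# US SSN shape (###-##-####); catches sensitive values even when the column
# header does not advertise them.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample export with fictitious values.
SAMPLE_EXPORT = """employee_id,name,ssn,address,bonus
1001,Pat Example,123-45-6789,1 Main St,5000
1002,Sam Sample,987-65-4321,2 Oak Ave,7500
"""


def minimize_export(csv_text, allowed_fields):
    """Return a CSV with only the allowed columns (employee ID plus the
    data the spreadsheet actually needs); every other column is dropped."""
    reader = csv.DictReader(io.StringIO(csv_text))
    keep = [f for f in reader.fieldnames if f in allowed_fields]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=keep, extrasaction="ignore")
    writer.writeheader()
    for row in reader:
        writer.writerow(row)
    return out.getvalue()


def check_export(csv_text):
    """Flag policy violations: forbidden columns by header name, plus any
    line containing an SSN-shaped value. Returns a list of findings."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for field in reader.fieldnames:
        if field.lower() in FORBIDDEN_FIELDS:
            findings.append(f"forbidden column: {field}")
    for lineno, line in enumerate(csv_text.splitlines(), start=1):
        if SSN_RE.search(line):
            findings.append(f"line {lineno}: SSN-like value")
    return findings


if __name__ == "__main__":
    print(check_export(SAMPLE_EXPORT))
    minimized = minimize_export(SAMPLE_EXPORT, {"employee_id", "bonus"})
    print(minimized)
    print(check_export(minimized))  # expected: [] once the export is minimized
```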

An acceptable use policy for computers should already be in place at your company, detailing exactly what applications are allowed to be installed and who is allowed to use the computer. In my opinion, installation of a P2P application like BearShare or LimeWire should be grounds for immediate, and public, dismissal. Nothing brings home the point more than to say, “Pete will no longer be with us because he installed an application from the forbidden list.”

And last, rally the IT troops and come up with an encryption policy regarding data that resides outside the core corporate databases. If you don’t, start polishing up your resume.

— Foley, J. (2008, March 17). Your Data and the P2P Peril. Network Computing. http://www.networkcomputing.com/article/printFullArticle.jhtml?articleID=206904104.

— Wilson, T. (2008, March 17). FTC Deal Suggests Enterprises Could be Liable for Poor Security. Dark Reading. http://www.darkreading.com/document.asp?doc_id=148572.
