MARCH 2005

Employment Law

USB Drives: Opportunities and Risks for Employers

Portable Universal Serial Bus (“USB”) drives, popularly known as flash drives, jump drives, memory keys and key chain drives, are one of the hottest and least expensive technological accessories. Most are tiny and some are designed to look like expensive watches, beautiful pens, elaborate Swiss Army knives, and even high-end beauty products.

Using a flash drive is quite easy - a user simply plugs the device into a USB port on the outside of the computer, and the system automatically recognizes the device as an additional drive. Within seconds, the user can transfer the equivalent of hundreds, even thousands, of floppy disks’ worth of information from the computer onto the flash drive, remove it, and walk away with all of the acquired data. Just as easily, the drive full of information can then be plugged into another computer, and the drive’s contents spilled into the receiving computer’s system.

RISKS TO EMPLOYERS’ SENSITIVE INFORMATION

Because of their growing popularity, portability, and affordability, these devices pose serious threats to the confidential information of companies. This is problematic given the implementation of the Health Insurance Portability and Accountability Act (“HIPAA”), the Gramm-Leach-Bliley Act, and related state and federal legislation that hold companies legally responsible for protecting certain information of their employees and customers stored in databases.

These USB devices are dangerous in many ways. For example, they make it easy for employees, even those with limited computer savvy, to engage in espionage or to leak or otherwise mishandle sensitive corporate information. Not many years ago this practice would have required time, effort, skill, and planning. Now, however, disgruntled employees no longer have to sneak into offices or stay after hours to photocopy thousands of pages of information. With USB drives, file transfers are quick, and the capacity to save massive amounts of data makes stealing information a walk in the park.

Flash drives can also be used to introduce viruses, innocently or willfully, onto a computer network. Employees may bring files to work that have been purposely or unknowingly infected with viruses. This could jeopardize a company’s entire network. In addition, an employee may introduce spyware or other malicious code that will require hours of a company’s IT resources to eliminate.

Even a well-intentioned employee can expose a company to information security disasters. For example, a flash drive can be stolen or easily misplaced considering its small size. In many cases, especially when an employee personally owns a USB drive, the data on the device will not be encrypted or otherwise secured. Therefore, anyone who steals or finds the drive will have access to all of the stored information.

BENEFITS OF PERMITTING EMPLOYEES TO USE PORTABLE STORAGE DEVICES

Although the use of flash drives can be dangerous for corporations, the devices offer some genuine advantages to employers and employees. For example, worker productivity may increase since the devices essentially allow employees to carry a clone of their office computers in their pockets, permitting employees to transport works in progress to their homes, a library, or another convenient alternate worksite. The devices also permit employees to transport and back up files while traveling without carrying a bulky or expensive laptop. Furthermore, employees can carry presentations and other large files to another office or worksite without granting anyone at the new location direct access to their company’s network.

PRACTICAL CONSIDERATIONS AND IDEAS FOR EMPLOYERS

Although both risks and benefits attend employee use of portable storage devices, employers should adopt procedures that comply with applicable state and federal laws and also address their individual information security needs. One procedure would be for companies to completely ban any and all portable storage devices from the workplace. However, because the devices can be useful work tools, a complete ban on the devices may not be practical or necessary. Instead, employers should consider alternative policies and procedures that can balance the benefits of this cutting-edge technology with security measures to protect confidential information:

1. Employers engaged in highly sensitive activities may conclude that the risk of losing information outweighs the benefit of employees having access to the contents of their computers at all times and may choose to completely ban the devices from the workplace. However, employers should be aware that the only way to ensure compliance with this policy is to disable USB ports on all company computer terminals.

2. Instead of banning all portable storage devices from the workplace, employers may consider banning only personally owned devices. To accomplish this, employers may issue company-controlled flash drives that are specially configured to satisfy information security policies.

3. Employers may consider installing third-party software to restrict flash drive use only to authorized employees.

4. Employers that allow employees to use flash drives may choose only to permit devices that incorporate encryption and password protection schemes directly onto the drive.

5. Employers that allow employees to use flash drives may choose only to permit biometric drives that incorporate a fingerprint scanner directly onto the drive and restrict data access to users with registered fingerprints.

CONCLUSION

Companies should weigh the risks and benefits of allowing employees to use portable storage devices. Policies may be implemented that reduce information security problems but that permit the corporation and its workers to reap the benefits of new technology.

Marilyn Sneirson
msneirson@klng.com
973.848.4028

Rosalia Niforatos
rniforatos@klng.com
973.848.4113

If you have questions or would like more information about K&LNG’s Employment Law Practice, please contact one of our lawyers listed below:

Boston
Henry T. Goldman, 617.951.9156, hgoldman@klng.com
Mark D. Pomfret, 617.261.3147, mpomfret@klng.com

Dallas
Jaime Ramón, 214.939.4902, jramon@klng.com

Harrisburg
Carleton O. Strouss, 717.231.4503, cstrouss@klng.com

London
Paul Callegari, +44.20.7360.8194, pcallegari@klng.com

Los Angeles
Thomas H. Petrides, 310.552.5077, tpetrides@klng.com
Paul W. Sweeney, Jr., 310.552.5055, psweeney@klng.com

Miami
April L. Boyer, 305.539.3380, aboyer@klng.com
Carol C. Lumpkin, 305.539.3323, clumpkin@klng.com
Michael C. Marsh, 305.539.3321, mmarsh@klng.com

Newark
Rosemary Alito, 973.848.4022, ralito@klng.com
Vincent N. Avallone, 973.848.4027, vavallone@klng.com
Marilyn Sneirson, 973.848.4028, msneirson@klng.com

New York
Eva Ciko, 212.536.3905, eciko@klng.com

Pittsburgh
Stephen M. Olson, 412.355.6496, solson@klng.com
Michael A. Pavlick, 412.355.6275, mpavlick@klng.com
Hayes C. Stover, 412.355.6476, hstover@klng.com

San Francisco
Jonathan M. Cohen, 415.249.1029, jcohen@klng.com

Washington
Lawrence C. Lanpher, 202.778.9011, llanpher@klng.com

www.klng.com

BOSTON ■ DALLAS ■ HARRISBURG ■ LONDON ■ LOS ANGELES ■ MIAMI ■ NEWARK ■ NEW YORK ■ PITTSBURGH ■ SAN FRANCISCO ■ WASHINGTON

Kirkpatrick & Lockhart Nicholson Graham is a combination of two limited liability partnerships, each named Kirkpatrick & Lockhart Nicholson Graham LLP, one established in Delaware, USA, and one incorporated in England. This publication/newsletter is for informational purposes and does not contain or convey legal advice. The information herein should not be used or relied upon in regard to any particular facts or circumstances without first consulting a lawyer.
© 2005 KIRKPATRICK & LOCKHART NICHOLSON GRAHAM LLP. ALL RIGHTS RESERVED.