Types of Data Disclosure
Information disclosure can happen in an instant, be it the moment an employee posts an online message to their Facebook account, or walks from a car to the company building holding confidential data in plain view. The costs associated with such a disclosure are high and include financial loss as well as the loss of a company's credibility.
All organizations, regardless of size, should be mindful of the need to protect their competitive advantage by avoiding inadvertent disclosure of intellectual property. Data can be disclosed through both online and offline activity. This document discusses recent examples of inadvertent (and intentional) disclosures and provides guidance on how to protect data in a range of environments.
The United Kingdom's senior anti-terror policeman recently resigned after being photographed outdoors with a confidential document exposed. Digital photographic technology made it possible to enlarge and read the sensitive document, leading to the compromise of an ongoing investigation. Employees should be mindful that company intellectual property or customer data carried in plain view can be read or photographed. A cover sheet, binder, or other container should be used to protect such information from inadvertent disclosure.
Social Networking Websites
As social networking becomes ubiquitous, the divide between home and office is blurring. One need only read the plethora of postings on social networking sites to understand the extent to which employer data is shared. Organizations should be aware that social networking discussions are actively harvested from the public domain by competitive intelligence professionals. Social networking sites are under no contractual obligation to protect the information of companies whose employees use such sites for substantive discussions. Thus, company information may be placed at risk by its placement in an environment outside the company’s control. Steps should be taken to ensure that sensitive corporate data is not placed on any third-party infrastructure unless explicit permission has been granted. In addition, companies should create official policies on the use of social networking sites that employees can reference at will.
The FBI recently arrested a former employee of an unidentified firm in New Jersey and accused him of trade secret theft. The individual, Zhu Yan, was discovered by his employer to be sending program source code and promotional materials to his personal e-mail account and sharing this information in unauthorized meetings with competitors. When confronted by his employer, Zhu stated that he needed the documents to work from home. The company terminated his employment and contacted law enforcement. The fact that the company was able to demonstrate that it had taken appropriate steps to protect its trade secrets made its complaint viable. Basic document classification standards are the foundation of the intellectual property protection process. Organizations are advised to ensure that data custodians are familiar with the enterprise's information security classification process.
Organizations are advised to educate employees about how best to secure company e-mail. Employees should avoid the temptation to forward proprietary company information to personal e-mail accounts with the intent, for example, of printing it or working at home. As with social networking sites, e-mail providers are under no obligation to protect confidential information to the level that a corporation would, nor are the service provider's employees the company's employees. Inadvertent disclosure of sensitive information—even information that is not obviously confidential, but which may reveal company plans and intentions—erodes competitive advantage and puts intellectual property and trade secrets at risk.
References
Chinese man in US accused of trade secret theft, Business Week, April 10, 2009
Bob Quick resigns over terror blunder, Telegraph (UK), April 9, 2009
Does Social Networking Require User Policy Changes?, CSO Online, April 13, 2009
This document is part of Cisco Security Research & Operations.
This document is provided on an "as is" basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information on the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document at any time.