Jeremy D. Wunsch, John L. Nicholson and Jeffrey A. Carr

Right now, employees and contractors are accessing and disseminating confidential corporate information in ways that may be harmful to their employers. Some employees are acting intentionally or even maliciously; others are compromising proprietary and confidential information inadvertently and ignorantly. In either case, the consequences to employers can be catastrophic.

Everyone has heard about companies getting burned from leaks of sensitive data. Wal-Mart, TJX and the U.S. Department of Veterans Affairs are just a few of the recently publicized victims of information security breaches that are costing billions of dollars in legal and recovery fees. While many cases involve deliberate acts of theft by insiders, there are plenty of examples where insiders unknowingly expose confidential data that malicious third parties then exploit. Some of the most insidious sources of inadvertent data loss are peer-to-peer (P2P) file-sharing programs, which are rising to the top of the threat list for network security professionals.

In the past, file-sharing risks were primarily assessed in the context of copyright infringement, illicit (or unacceptable) content, or even bandwidth escalation. Until recently, there has been a general complacency within the enterprise about P2P risks to information security. The competitive and financial costs related to information loss simply weren't considered in the context of P2P, and security resources were allocated toward other, more obvious vulnerabilities. The fact is that P2P protocols are becoming more prevalent, sophisticated and intricate than email or HTTP, resulting in greater risks for business. Even lawmakers in Washington are looking at this more closely after a July hearing indicated that the threat of P2P is greater than originally thought, according to court documents. The hearing was prompted by a report from the Patent and Trademark Office that said "several distributors of popular P2P networks have 'repeatedly deployed features' that trick users into sharing some of their files."

According to Insight Research's study, "Peer to Peer & File-Sharing Services Market 2007-2011," P2P networks and file-sharing services could generate up to $28 billion in revenue for carriers and ISPs over the next five years, and it is estimated that more than 50 percent of all current Internet traffic is P2P traffic. From a security perspective, many P2P protocols are being modified to specifically evade existing security tools such as Web filters, IDS/IPS and firewall rules. While some of these design choices are made based on good intentions, such as enabling communications in countries that limit freedom of speech or access to information, the reality is that these well-intentioned changes are helping users with more nefarious purposes in mind.

Recent Incidents Highlight Urgency in Addressing the P2P Threat

Incidents at companies like Pfizer and ABN Amro are expanding how we perceive P2P risks, especially as they pertain to data loss. Recently, a Pfizer employee who installed an unauthorized P2P program on a company laptop exposed Social Security numbers and personal data belonging to an estimated 17,000 current and former Pfizer employees. Additionally, ABN Amro recently learned that data for 5,000 of its customers was found on the BearShare P2P network and the original files containing this sensitive information were traced to the home computer of an ABN Amro employee.

According to a Dartmouth study released earlier this year, an estimated 10 million users share music, videos, software and photos over P2P networks, up from 4 million in 2003. The study noted that efforts to limit P2P use only have prompted program developers to create decentralized, encrypted, anonymous networks that can easily poke through both corporate and residential firewalls. Some of this development is done with good intentions, but these changes can lead to problems for those who have a legitimate need to limit the access of P2P systems to corporate networks.

The good news is that business owners can significantly decrease the potential for corporate data loss from P2P networks via proactive prevention and protection with what is often referred to as "internal threat management." Effective internal threat management procedures not only help prevent these information leaks from happening, they also protect confidential and valuable information from exposure to unauthorized parties. By taking just a few simple steps, organizations can decrease risks and potentially save untold costs in time, resources, money and reputation.

The Keys to Effective Internal Threat Management

First and foremost, identify the information of greatest concern and where that sensitive data resides on the network. This analysis should include Social Security numbers, credit card numbers, driver's license numbers, trade secrets, merger/acquisition information, customer information, financial information and the like. This is not just a job for the IT department - other company stakeholders, like the human resources, legal and finance departments, should be included in the discussion of what information is valuable, and all departments should be involved in identifying where it is stored.
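The inventory step above is easier to carry out when it is partly automated. The following is an added example, not code from the article or from any of the authors' companies: a small Python scanner that looks through a set of constructed sample files (the file paths and contents are made up for this illustration) for two of the data classes named above, Social Security numbers and payment card numbers. It reduces false positives by checking SSN structure rules and the Luhn checksum on card candidates, and it masks every hit so the inventory report does not itself become a copy of the sensitive data.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample "files" (path -> content). All values are made up.
SAMPLE_FILES: Dict[str, str] = {
    "hr/benefits_export.csv": "name,ssn\nJane Doe,123-45-6789\nJohn Roe,000-12-3456\n",
    "finance/refunds.txt": (
        "Refund to card 4111 1111 1111 1111 approved\n"
        "Ref 1234567812345678 declined\n"
    ),
    "eng/notes.md": "Build 2023-11-05 took 3.4 min; ticket 12345\n",
}

# Area-group-serial form; structural validity is checked separately.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
# 13 to 19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_ssns(text: str) -> List[str]:
    """Return SSN-shaped strings that also satisfy SSA structure rules."""
    hits = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Area 000, 666 and 900-999 are never issued; group 00 and serial 0000 are invalid.
        if area in ("000", "666") or area >= "900" or group == "00" or serial == "0000":
            continue
        hits.append(m.group(0))
    return hits


def find_cards(text: str) -> List[str]:
    """Return digit strings of card length that pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def mask(value: str) -> str:
    """Keep only the last four digits so the report itself is not sensitive."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each file path to a list of (data_class, masked_value) findings."""
    report: Dict[str, List[Tuple[str, str]]] = {}
    for path, content in files.items():
        findings = [("ssn", mask(s)) for s in find_ssns(content)]
        findings += [("card", mask(c)) for c in find_cards(content)]
        if findings:
            report[path] = findings
    return report


if __name__ == "__main__":
    for path, findings in scan_files(SAMPLE_FILES).items():
        for kind, masked in findings:
            print(f"{path}: {kind} {masked}")
```

In a real inventory the `SAMPLE_FILES` dictionary would be replaced by a walk over file shares and endpoints, and the regular expressions extended to the other classes the text lists (driver's license formats, account numbers, deal code names). The structural and checksum filters matter: without them, build timestamps and ticket numbers like those in the `eng/notes.md` sample would show up as hits and bury the real findings.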

Many companies believe the most reliable methods for protection against internal threats are firewalls and anti-virus software. However, given the constant evolution of the P2P threat, such technical precautions can only do so much in the absence of appropriate policies and procedures. Consider Gartner Group's projection that "through 2010 we expect 80-90 percent of sensitive information leaks to be unintentional, accidental, or the result of poor business processes." This statistic is supported by the Pfizer and ABN Amro examples, where both individuals responsible for spilling the data were unaware of the leaks.

Companies should consider hiring an outside firm to conduct an internal threat assessment of the network and associated policies to identify vulnerabilities and establish benchmarks for compliance. It is essential to educate employees about company policies, including the reasons why such policies are in place, and consistently enforce them (that includes executives and IT). People are more likely to comply with policies when they understand the purpose behind them and perceive their enforcement as fair and even-handed.

Compliance with policies, and their enforcement, also matter when a company ends up in court following a data breach. If a company can show that it had reasonable policies and procedures that were consistently monitored and enforced, that could go a long way toward reducing any fines or penalties imposed on the company.

Acknowledging the risk for data leaks from P2P file-sharing is an important step in protecting the enterprise. With escalating incidents, companies would be wise to immediately undertake a strategy to protect against this well-established threat.  

Jeremy D. Wunsch is the Founder, CEO and director of data forensics for LuciData Inc. With more than a decade of internal threat management and e-discovery experience, he is a leading authority in the development of internal threat management and data forensic solutions for companies and their legal counsel. He can be reached at +612.604.0848 or at

John L. Nicholson is a Senior Associate in Pillsbury Winthrop Shaw Pittman LLP's Global Sourcing Group. A frequent speaker on privacy, security and outsourcing, his practice includes structuring and negotiating complex IT and business process outsourcing agreements. He can be reached at +202.663.8269 or at

Jeffrey A. Carr is the Chief Operations Officer for Red Lambda, a technology leader in distributed network security. He has more than 20 years of successful experience in technology sales, business development and start-up executive management within the security marketplace. He can be reached at +303.717.2091 or at
