It is safe to assume that the an employee listening to the latest Britney Spears album on his or her computer is not the top concern of most corporations when assessing the various financial and legal risks their day-to-day operations. However, given the substantial money damages that accompany copyright infringement and the increasing likelihood that the music and entertainment industries will soon focus their enforcement actions on corporations, online file sharing in the workplace should be a key concern for every company.
Two kinds of liability
Let's assume an employer provides employees with high-speed Internet access for business purposes. Let's also assume the employer is aware that some employees use the internet to access to file-share copyrighted materials. In this case, the employer may be liable for contributory copyright infringement if it knows, or has reason to know, about the copyright infringement and induces, causes, or materially contributes to the violation. The employer may also be subject to vicarious liability if it is aware of, but ignores, its employees’ illegal activities.
For more on contributory and vicarious copyright infringement, click here.
Anticipated actions against corporate users
As mentioned in the introduction above, the absence of enforcement actions against corporations is expected to change. Corporations will likely be copyright holders’ next prime targets for several reasons:
|•||Remedy is available. P2P service providers are unlikely to be held liable and actions against individual P2P users are met with heightened scrutiny.|
|•||Corporate users are easier to identify than individual users. . It is far easier to trace the origins of a corporate P2P user than a home P2P user. Individuals accessing P2P services from home generally connect to the Internet through broadband or dial-up internet service provider, such as telephone and cable companies and AOL and MSN. These ISPs randomly assign each user an Internet Protocol ("IP") address to access the Internet. Generally, a user’s IP address changes each time he accesses the Internet. Thus, in order to match an IP address to an individual user, the copyright owner must subpoena records from an ISP. Many large corporate users, however, have large pools of IP addresses permanently reserved for their use. Therefore, once an IP address is associated with online file sharing, it can be easily traced directly back to a large corporation thus eliminating the need to file a subpoena to reveal the identity of an individual user. Since employers can be held liable as contributory or vicarious infringers for the acts of their employees while using the company's computer networks, as long as the prohibited use can be traced back to the corporation in question, the copyright holder's search can end there.|
|•||Deep pockets. The resources of most individuals to contest such lawsuits are not as significant as those of large corporations. Thus, suing corporations may prove to be more effective than suing individual users. Many individuals, while receiving lawsuits alleging liability for hundreds of millions of dollars in statutory damages, have settled such cases for a few thousand dollars. However, if the copyright holders’ priorities shift from making examples of randomly selected individuals to collecting larger sums of money from infringers, it is likely they will refocus their enforcement actions against deep-pocketed corporations.|
What are the risks for my business?
In addition to possible legal liability, P2P programs present the following risks to your corporation’s data security, computer resources, and network availability:
|•||Confidential information might be compromised. Some P2P programs will share everything on your computer with anyone by default. Employees have accidentally exposed patent applications, medical information, financial data, and other personal and corporate information.|
|•||Viruses, Worms and Trojans are being distributed. The RIAA has even proposed placing these types of malicious software (i.e., malware) on P2P networks to discourage their use.|
|•||Many P2P programs contain spyware. Spyware is software that covertly gathers user information through the user's Internet connection without his or her knowledge, usually for advertising purposes. Once installed, the spyware monitors user activity on the Internet and transmits that information to someone else. Spyware can also gather information about e-mail addresses and even passwords and credit card numbers and diminish the user’s computer’s memory and system resources.|
|•||Malware and spyware can spread. Since the computers running the P2P programs are usually connected to a network, they can be used to spread malware and spyware|
|•||Diminished network capacity. Much of the P2P activity is automatic, and its use is unmonitored. Computers running this software will be busy exchanging files whenever the machine is turned on.|
|•||Exposure to criminal liability. Various types of illegal files can be downloaded and re-shared over these P2P networks by mistake. This includes child pornography, which will bring the owner of the computer and network under severe criminal penalties.|
How can I protect my business?
In order to avoid exposure to liability for copyright infringement and other risks associated with P2P software, companies that permit Internet access in the workplace should take firm measures to stop illegal file sharing. Corporations have adopted the following are best practices to deter illegal file sharing on corporate networks and protect the company from liability:
|•||Assign responsibility for legal compliance with regards to copyrights to a senior officer and senior IT department member. Inform employees that they will be held personally responsible for any damages as a result of copyright infringement.|
|•||Create a regular audit program which specifies tasks, frequency, responsibilities and reporting.|
|•||Adopt and enforce a file sharing policy which prohibits the downloading of any software or entertainment materials from the Internet for storage or use on company equipment, unless specifically authorized by senior management. Take disciplinary action against any employee that violates the company's policies regarding copyrighted materials.|
|•||Restrict Internet access to web sites that provide P2P services and require specific manager approval where absolutely necessary for a legitimate and documented business purpose.|
|•||Block P2P software Internet access. This may mean: (a) Disable NAT - Network Address Translation; (b) Block access to/from the common P2P ports; (c) Use a packet-reassembly firewall that can examine streams of data in-context for possible P2P mis-use.|
|•||Legitimate music sources. Businesses that need access to music for business reasons may also consider buying songs online through a legitimate digital music store, listening to authorized samples (usually 10-20 second clips) that are available on many online book and music stores, buying the CD, or licensing the music.|