Reprinted with permission from FindLaw.com

Companies naturally want to protect their internal, sensitive company information. Indeed, intellectual property and trade secrets often constitute the crown jewels of a given operation. Companies also have practical and legal obligations to protect confidential information of their customers. Accordingly, prudent companies develop policies that are designed to ensure the security of such highly valuable, proprietary and sensitive data. But does that mean that company employees necessarily follow those policies? Au contraire!

Indeed, according to a recent study in Europe by Ipswitch, a file transfer security vendor, 69% of IT managers transmit highly confidential data, such as payroll, financial and customer information, over the Internet using unsecured emails.

And practically half of surveyed employees readily concede that at least once a week they send confidential or regulated content, the type of which could potentially require data breach notifications under governing laws if the content is stolen or lost.

On top of this, 69% of those surveyed said that they send highly confidential information at least once per month simply using regular, unencrypted emails and attachments. Moreover, 34% report that they do so daily!

In addition, 70% of respondents answered that they house company information on their PDAs, USB drives, and elsewhere through remote connections.

While 62% of companies surveyed have security policies in place that detail how sensitive information must be secured for transmission, 72% admit that they do not have enough transparency to ascertain how data is transferred internally and externally.

So, when it comes to protection of sensitive information maintained by companies, perhaps the biggest fear is not external hackers. Instead, companies may need to look in the mirror and follow through on true data security.

Companies must have the technical ability to track how and under what circumstances their data is transmitted. They also need to motivate their personnel to actually follow their data security policies.

Perhaps in this regard a carrot and stick approach could work; namely, providing positive incentives for compliance and penalties for non-compliance. And companies should consider working actively with skilled data security support vendors and knowledgeable legal counsel in this area.

Eric J. Sinrod is a partner in the San Francisco office of Duane Morris. His focus includes information technology and intellectual-property disputes. This column is prepared and published for informational purposes only, and it should not be construed as legal advice. The views expressed in this column are those of the author and do not necessarily reflect the views of the author's law firm or its individual partners.
