Could an enterprise be legally liable for the presence of P2P file swapping clients on its network?
Yes. The entertainment industry is on the warpath against illegal file trading. Most notably, the Recording Industry Association of America (RIAA) is taking aggressive legal action against anyone directly or indirectly participating in unauthorized swapping of music. While the RIAA has grabbed headlines by subpoenaing hundreds of colleges and ISPs, and suing hundreds of students and other individuals, it is also targeting private enterprises whose employees engage in illicit downloading.
On enterprise networks, software clients that facilitate file-trading through networks such as KaZaA are vermin that should not be tolerated. These are executable programs that will not be stopped by antivirus products or firewalls. Their presence on corporate or school IT resources exposes the organization to liability. Prudent managers will proactively monitor for these applications and eradicate them.
A legitimate enterprise doesn't intend to promote illegal file trading. But P2P networks for bootleg tunes, movies, software and the like are popular among employees, students and visitors. These users will install client programs that link with P2P networks, such as KaZaA Media Desktop (KMD), on enterprise resources.
Songs, motion pictures, music videos and software are protected under copyright laws, which normally forbid the exchange of unauthorized copies. The laws have teeth, as they are enforced with substantial monetary penalties. An enterprise cannot avoid liability by just ignoring what its IT users do in their spare time. The laws punish organizations that indirectly participate in copyright infringement, under theories such as contributory infringement and vicarious liability.
Contributory infringement occurs when someone knowingly contributes to someone else's infringement. Vicarious liability applies where an enterprise has the right and ability to control the activities of a direct infringer and also receives a financial benefit from the infringing activities. Under these two concepts, the owner of a flea market was held vicariously liable for the sale, by individual vendors in the market, of counterfeit copies of music CDs. [Fonovisa Inc. v. Cherry Auction, Inc., 76 F.3d 259 (9th Cir. 1996)].
Applying the weight of this precedent, the RIAA forced a publicly traded company in Arizona, Integrated Information Systems, Inc. (IIS), to pay $1 million to settle claims that it tolerated employee sharing of MP3 music files over its corporate server. [Lisa Bowman, "Labels settle at-work song-share dispute," CNET News.com, April 9, 2002.]
Then in February 2003, pointing to IIS' punishment as an example of things to come, RIAA and the Motion Picture Association of America rattled sabers at corporate America. They dispatched letters to chief executives across the country warning that P2P file swapping could lead to legal action and the payment of stiff monetary damages.
None of Mr. Wright's statements on SearchSecurity.com are legal advice for any particular situation. If you need legal advice, you should consult a lawyer.