The landscape of data storage and maintenance is shifting. Despite significant company investments in secure, onsite data storage systems, today’s data storage environment can create challenges for many of these extensive (and expensive) efforts. Employees are increasingly storing sensitive, proprietary data on assets that their companies do not control and cannot protect on mobile devices like phones, tablets and computer flash drives.  

And then there’s the proliferation of free file-hosting services—such as OneDrive, Dropbox, Filedrive, Google Drive, MediaFire, and others —that present a far greater concern.  While a lost or stolen flash drive will ordinarily be a one-off event, the breach of a file-hosting service may go undetected by the user, resulting in serial breaches as the user updates stored content or adds new content.

To craft a data privacy and cybersecurity policy that confronts the increasing use of third-party file-hosting services and protects valuable corporate information, companies should consider three basic questions.

1. Will the file-hosting service preserve the confidentiality of the data being stored and ensure that access is limited to the user only? 

This issue is a critical term to share with employees. For example, Google does not provide this level of access confidentiality.  Google’s  terms of service allow Google to “use, host, store, reproduce, modify, create derivative works . . . communicate, publish, publicly perform, publicly display and distribute” content that users “upload, submit, store send or receive” through Google’s services.  See www.google.com/policies/terms (last modified April 14, 2014).  According to the terms of service, Google can also analyze content that is sent, received, or stored, to provide “personally relevant product features.”  This sort of third-party access to user data may be problematic, depending on the nature of the data stored.  For example, some information cannot qualify as a trade secret if the proponent of the trade secret has not taken reasonable measures to protect the confidentiality of the allegedly misappropriated information.  Third-party access to proprietary data—even for a limited purpose—may carry significant consequences.

2. Will the file-hosting service keep the data secure?

This question has several subparts, the first dealing with how access is granted. These include:

• What level of password protection exists?

Unsurprisingly, most file-hosting services grant access through the creation of must create a User ID and a password.  But file-hosting services will inevitably implement varying parameters for password creation.  Thus, some sites may have more robust password protection measures than others.  Furthermore, there may still be room for infiltration in spite of stringent password requirements, with lurking bugs like Heartbleed allowing others to capture passwords as they are transmitted over the Internet.   

• Who is granted access to stored content?

For example, some sites, such as Dropbox, allow users to grant others access to data stored on the service.  This feature, while undoubtedly very useful when sharing files with co-workers or other collaborators, also has the potential to increase the likelihood of unauthorized access.  Instead of obtaining access by stealing the primary user’s ID and password, an unauthorized user could also obtain access by hacking into an invited user’s e-mail or stealing an invited user’s ID and password.   

• How does the file-hosting service protects the data that it stores?

Many file-hosting services offer assurances of security, but many are also unlikely to disclose the full range of measures taken to protect against data breaches and cyber-attacks.  In the absence of this information, a full assessment of the security risks is impossible. As a result, some data may simply be too sensitive to ever store on a third-party file-hosting service. 

3. What are the terms of use? 

A file-hosting service’s terms of use have the potential to cause problems down the road if, for example, they grant the service rights to access and use the stored data, relieve the service of any obligation to restore data that is corrupted, lost or otherwise destroyed, or relieve the service of any liability for security breaches that result in the theft of stored data.  Thus, before signing off on the use of any third-party file-hosting service, companies should assess what provisions the terms of use contain, and how those provisions might impact the data a file-hosting service stores.

Conclusion

In raising these questions, we are not suggesting that third-party file-hosting services are insecure, or inadequately protect user data.  We raise these questions because companies developing privacy and cyber security policies would benefit from taking a holistic view of how their employees use company data and where they store it.  That entails considering the extent to which their employees utilize third-party file-hosting services, and the implications that may flow from such use.  That assessment may lead to the limitation or curtailment of third-party file-hosting services, the identification of a third-party file-hosting service of choice, or something else entirely.  It depends on what the company’s objectives are in developing a privacy and cybersecurity policy, and how it answers the questions presented in this article.