Data Security Law: Managing The Legal Risks Of Cloud And Collaboration Tools

by Ellis & Winters LLP

As anyone with a Dropbox or Google Drive account knows, consumer-grade cloud storage and collaboration services are a convenient way to store and share personal photos, music, video and documents. Employees who use these cloud services outside the workplace naturally want their convenience and ease of use inside the workplace. So they often turn to familiar consumer-grade offerings. In a recent study by cybersecurity company Stroz Friedberg, more than half of information workers surveyed uploaded corporate documents and data to their personal cloud storage accounts.

This phenomenon is frequently referred to as BYOC — Bring Your Own Cloud. As with the more familiar Bring Your Own Device — BYOD — phenomenon, employee adoption of BYOC can offer certain benefits to a company, including greater productivity and increased employee satisfaction. It also spares the company the cost of purchasing or supporting equivalent corporate solutions.

But those benefits can come with serious drawbacks. This article will discuss the dangers presented by BYOC and suggest steps that companies can take to manage and mitigate their exposure.

BYOC: Risk in the forecast

Theft or loss of intellectual property

One of the most common — and dangerous — risks of a laissez-faire approach to BYOC is theft of trade secrets and other proprietary data. It often arises when employees leave and use corporate documents they’ve stored in BYOC accounts for the benefit of a new employer.

Indeed, numerous recent trade secret theft cases indicate that BYOC accounts are becoming the preferred means for departing employees to steal sensitive corporate documents. These cases typically involve sensitive materials such as customer lists, pricing and financial data, and proprietary technical specifications. In some, the employee’s resort to BYOC was unknown and unauthorized. But in others, the company condoned the use of BYOC accounts without considering the consequences when the employee departed.

Data breach and regulatory violations

Another significant BYOC risk is the violation of federal, state or international privacy and data security laws. These laws vary significantly in their scope and requirements, but all obligate companies to take certain steps to protect personal information from unauthorized use or disclosure.

Many require that companies take steps to ensure that third parties who receive this information are bound to protect it. Almost all impose some duty to notify individuals or regulators in the event the information is lost in a security breach or sent to parties who are not authorized to receive it.

Employees who transmit corporate data to personal cloud accounts can unwittingly violate these laws. And they may expose the data to security breaches that can result in substantial response costs, monetary fines and reputational damage for the company.

Litigation risk and electronic discovery exposure

Unsupervised use of BYOC accounts also can create substantial risks if the company becomes involved in litigation. One risk is failing to preserve and collect discoverable evidence. Electronic discovery can be challenging and expensive even when the evidence resides wholly within a corporate information-technology environment. When that evidence migrates to employee-controlled BYOC accounts, the cost and degree of difficulty can increase substantially.

Even so, courts may still hold companies responsible if relevant data in an employee’s BYOC account isn’t properly preserved and collected. In one recent case, a Florida court faulted a company for its employee’s destruction of files stored in his personal Box.com account when the company had reason to know about those files but didn’t instruct him to preserve or produce them.

The storage and sharing of sensitive information in BYOC accounts also can compromise a company’s ability to assert the attorney-client privilege. A Virginia court recently found that an employee’s use of an unsecured Box.com link to share a file with the company’s outside attorney waived any claim of attorney-client privilege to that file. The court reasoned that the employee’s actions were the cyber equivalent of leaving the file “on a bench in the public square and telling its counsel where they could find it.”

Weathering the BYOC storm

Companies have several options to reduce these risks. Used alone or in combination, they can help a company take back control of its information.

Prohibit

One option is to require employees to use only company-managed equipment and systems to store and share corporate documents and data, thus prohibiting BYOC entirely.

Companies can adopt and implement policies that clearly prohibit the transmission or storage of company data using personal cloud services. Such policies also should be supported by technical controls designed to prevent the transmission of corporate data to BYOC accounts. These can include blocking employee access to known file sharing or collaboration sites and implementing “data loss prevention” tools that track or block uploads from corporate computer systems to non-approved sites.

The main problem with this approach is that it can alienate employees and cause them to look for ways to subvert the prohibition. And in a world of rapid technological change, it’s likely they’ll find one. In one recent case, a company blocked access to well-known cloud storage services such as Dropbox. The company later discovered that a departed employee had used a new and relatively unknown cloud service — Jottacloud — that her employer had not blocked. She used it as a workaround to steal sensitive data for her new employer.

Companies that use this approach must therefore devote enough resources to keep those policies and technical controls current, and to monitor and enforce employee compliance.
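The weakness described above, a block list of known services that a new and unlisted service slips past, is easiest to see against a default-deny rule. The script below is an added illustration, not code from the article or from Ellis & Winters; it runs two egress policies over constructed web-proxy log lines (the key=value format, the hosts under .example, the user names and the 1 MiB threshold are all assumptions chosen for the example). The block-list policy stops the known services named in the text but never sees the upload to the unfamiliar host; the allow-list policy flags any upload-shaped request whose destination is not an approved corporate service, which is the shape a DLP or egress control needs to take to survive the "new and relatively unknown cloud service" problem.

```python
"""Egress-control check: block list of known consumer clouds versus an allow list
of approved upload destinations, run over constructed web-proxy log lines.

Added illustration, not part of the article; the log format, host names and
thresholds are assumptions chosen for the example.
"""
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines. Domains under .example are placeholders;
# "newcloud.example" stands in for any service the block list has not caught up with.
SAMPLE_LOG = """\
2017-09-01T09:12:03Z user=alice method=GET url=https://intranet.corp.example/docs bytes_out=412 status=200
2017-09-01T09:15:44Z user=bob method=POST url=https://www.dropbox.com/upload bytes_out=5242880 status=403
2017-09-01T09:20:10Z user=carol method=PUT url=https://api.newcloud.example/files/q3-pricing.xlsx bytes_out=3145728 status=200
2017-09-01T09:22:51Z user=dave method=POST url=https://files.corp.example/api/v1/upload bytes_out=8388608 status=200
2017-09-01T09:30:00Z user=erin method=GET url=https://www.dropbox.com/home bytes_out=210 status=403
"""

# Policy 1 (the approach in the text): block a list of known consumer services.
KNOWN_CONSUMER_CLOUDS = {"dropbox.com", "drive.google.com", "box.com"}

# Policy 2 (default deny): only these hosts may receive uploads from corporate systems.
APPROVED_UPLOAD_HOSTS = {"intranet.corp.example", "files.corp.example"}

UPLOAD_METHODS = {"POST", "PUT"}
UPLOAD_BYTES_THRESHOLD = 1024 * 1024  # assumed: treat request bodies of 1 MiB or more as uploads

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) method=(?P<method>\S+) "
    r"url=(?P<url>\S+) bytes_out=(?P<bytes_out>\d+) status=(?P<status>\d+)$"
)


def parse_log(text):
    """Parse key=value proxy lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["bytes_out"] = int(ev["bytes_out"])
        ev["host"] = (urlsplit(ev["url"]).hostname or "").lower()
        events.append(ev)
    return events


def host_in(host, domains):
    """True if host equals a listed domain or is a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


def blocklist_hits(events):
    """Requests to known consumer clouds, whatever the method or size."""
    return [ev for ev in events if host_in(ev["host"], KNOWN_CONSUMER_CLOUDS)]


def unapproved_uploads(events):
    """Upload-shaped requests whose destination is not an approved corporate host."""
    return [
        ev for ev in events
        if ev["method"] in UPLOAD_METHODS
        and ev["bytes_out"] >= UPLOAD_BYTES_THRESHOLD
        and not host_in(ev["host"], APPROVED_UPLOAD_HOSTS)
    ]


def compare_policies(text):
    """Return which users each policy flags, and which uploads the block list misses."""
    events = parse_log(text)
    blocked = {ev["user"] for ev in blocklist_hits(events)}
    unapproved = unapproved_uploads(events)
    missed = {ev["user"] for ev in unapproved
              if not host_in(ev["host"], KNOWN_CONSUMER_CLOUDS)}
    return {
        "blocklist_flags": blocked,
        "allowlist_flags": {ev["user"] for ev in unapproved},
        "missed_by_blocklist": missed,
    }


if __name__ == "__main__":
    for name, users in compare_policies(SAMPLE_LOG).items():
        print(f"{name}: {sorted(users)}")
```

On the sample, the block list flags bob and erin (both Dropbox requests, including a harmless page view) but lets carol's 3 MiB upload to the unlisted host through; the allow-list rule flags bob and carol and ignores dave, whose upload goes to an approved corporate host. A real deployment would put the allow list behind TLS inspection or a CASB so the host and body size are actually visible, and would still need the policy and review steps the article describes, since a rule that only counts bytes says nothing about what those bytes contain.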

Permit and regulate

A second approach is for the organization to accept BYOC as a fact of life and implement a program to manage the risks without sacrificing all the benefits. Companies inclined to take this approach should consider the following steps, at a minimum:

• Create a list of approved consumer cloud offerings that are acceptable for business use based on a review of the providers’ terms of use, privacy policies and security practices.

• Restrict the use of BYOC accounts to non-sensitive or less-sensitive documents while still prohibiting their use to store and transmit sensitive data whose compromise would pose a risk to the company.

• Require registration and approval for use of a BYOC account, based on the conditions that the employee acknowledges the company’s IT security and data protection policies and agrees to allow the company to access the account upon request.

• Update the company’s termination procedures to incorporate a review of employees’ BYOC accounts and the removal of corporate data from those accounts before their departure.

The downside of this approach is that it requires significant IT and compliance resources but still leaves the company vulnerable to the risks presented by employees’ failure — innocent or otherwise — to comply with the program.

Provide a corporate-managed alternative

The safest option for dealing with BYOC is to provide employees with an alternative enterprise-grade cloud storage and collaboration solution, thereby avoiding the need to resort to BYOC in the first place. Key benefits of enterprise-grade solutions typically include:

• The opportunity to ensure the offering meets the organization’s information security and privacy standards.

• Centralized management of account creation and deactivation to ensure that only authorized individuals can access corporate data.

• Data governance and auditing capabilities that allow the organization to understand and manage the locations in which its data is stored.

• Streamlined electronic discovery capabilities to facilitate legal holds and the collection of relevant data in the event of litigation.

This option provides employees the flexibility and ease of use they expect without a corresponding loss of control over corporate data. But it does have drawbacks. One is the significant cost associated with procuring a corporate solution and managing it. There also is the risk that the solution a company selects today will not be the one preferred by employees — or the company — in the future.

For companies that operate in regulated industries or that handle especially sensitive data, this may be the only realistic option.

Conclusion

Whatever BYOC direction a company decides, it’s critical to document the choice in a well-drafted policy that clearly communicates the company’s expectations. The company should then train employees on that policy and remind them regularly of the risks of unapproved personal cloud use.

But simply telling employees what not to do isn’t enough. To be successful, any BYOC strategy must present workable alternatives that employees actually can use to get their jobs done. Otherwise, personal clouds will continue to darken the prospects for securing corporate data.

This article was originally published in the Business North Carolina, 2017 Law Journal, September 2017.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ellis & Winters LLP | Attorney Advertising
