Traditionally, privacy and cybersecurity efforts have focused on how companies can protect their IT assets from intrusion. Literally billions of dollars have been invested in developing security measures that limit and control access to servers, workstations, laptops and mobile devices. But in today’s cloud-computing environment, these extensive (and expensive) efforts may not be sufficient. The true objective is not to protect the IT assets, but the data that they store. And with increasing frequency, employees are storing sensitive, proprietary data on assets that their companies do not control. Thus, to capture and address this extra-company activity, a comprehensive approach to data privacy and cybersecurity needs to be data-centric rather than asset-centric.
Let’s just state this as a fact: If you have employees with laptop computers, some proportion of them is storing company data on assets your company does not control. Yes, this certainly includes those pesky flash drives that are prone to being left behind at airport security. But the greater concern is posed by the free file-hosting services that proliferate the Internet, such as OneDrive, Dropbox, Filedrive, Google Drive, MediaFire and others. Despite companies’ best efforts to provide employees with remote VPN access to data that is safely stored on company servers, many employees don’t use it — at least exclusively. Instead, employees are drawn to file-hosting services because they want to be able to easily access their files from anywhere, and are resistant to the limitations imposed by VPN keys and the requirement that a device be loaded with VPN software.
The increasing use of third-party file-hosting services raises at least three questions worth considering in crafting a privacy and cybersecurity policy that both confronts this reality and protects valuable corporate information.
First, will the confidentiality of the data stored with the file-hosting service be preserved? For example, Google’s terms of service allow Google to “use, host, store, reproduce, modify, create derivative works . . . communicate, publish, publicly perform, publicly display and distribute” content that users “upload, submit, store send or receive” through Google’s services. The terms also allow Google to analyze content that is sent, received, or stored, to provide “personally relevant product features.” Depending on the nature of the data stored, such third-party access may be problematic. Recall that in order to qualify as a trade secret, the proponent of the trade secret must have taken reasonable measures to protect the confidentiality of the misappropriated information. Thus, third-party access to proprietary data — even for a limited purpose — may carry significant consequences.
Second, will the data be secure? Many file-hosting services simply require users to create a User ID and a password. The parameters required for password creation will vary from site to site, meaning some sites may have more robust password protection measures than others. And, as we recently learned, even a stringent set of password requirements may still leave room for infiltration, with lurking bugs like Heartbleed allowing others to capture passwords as they are transmitted over the Internet. In addition, some sites, such as Dropbox, allow users to grant others access to data stored on the service — a feature that has the potential to increase the likelihood of unauthorized access. Finally, while many file-hosting services offer assurances of security, many are also unlikely to disclose the full range of measures taken to protect against data breaches and cyber-attacks, making a full assessment of the security risks impossible. Consequently, some data may simply be too sensitive to ever store on a third-party file-hosting service.
To be clear, nothing in this article should be taken to suggest that file-hosting services are insecure or do an inadequate job protecting user data. Instead, the increasing use of these services simply means that companies developing privacy and cyber security policies would be wise to consider the extent to which their employees utilize such services, and the implications that may flow from such use. Whether that assessment leads to the limitation or curtailment of third-party file-hosting services, the identification of a third-party file-hosting service of choice, or something else entirely, depends on the company and its objectives.