Storing data ‘in the cloud’ is not a new concept; it has become a fact of corporate life. We now, however, have a contemporary, terse way of referring to the off-site storage of accessible data via the Internet— essentially, ‘Cloud’ computing. Over time, cloud computing may very well become ubiquitous and unavoidable. But what are the risks associated with cloud computing, and how can you minimize that risk?
Cloud Storage Services (CSS) are a great way to access work-related data both at home and while on the road. CSS also makes it possible to collaborate with co-workers, especially those who work remotely. Cloud Storage Services allow a user to log into an account and upload documents or files. Once uploaded, a user can then access or download documents from any device, anywhere and at any time. Folders can be ‘synched’ across devices, and can also be ‘synched’ or shared with others. Common examples of Cloud Storage Services include Dropbox, Google Drive, SkyDrive and Cubby1.
But while industry experts extol the virtues of Cloud computing, it is not without its serious perils. Servers housing data can be destroyed by power surges, fire, flood, or other crises. Servers could be ‘offline’ or otherwise not accessible for untold reasons. Data can be hacked, or even comprised by a virus.
The use of Cloud Storage is also a great way to make your confidential data Insecure. While these Cloud Storage Services can facilitate efficient productivity, they can also create vulnerabilities, since data now resides ‘in the cloud’ and not on your system.1
Most Cloud providers have adequate security but, of course, no technology is faultless. It may not even be necessary for ‘hackers’ to breach a well-crafted system. A common technique used by ‘hackers’ is to steal usernames and passwords from a less-secure site and use that information to access a more secure site. Seeing that it is common for people to use the same username and passwords to access multiple sites, hackers may find that this technique occasionally works.
The ultimate intent of cloud storage is to have the ability to access data remotely. But keep in mind that your data is only as secure as the network on which you are working at that moment. If you are accessing sensitive data on an unprotected home network or are using a public Wi-Fi connection at a local hotspot, the data is not secure.
Confidentiality and Data Security Concerns
Whether you are storing your own data, or that of your clients, confidentiality and security issues are of foremost concern. There are limitations to shielding the confidentiality of your clients’ data when dealing with third-party vendors, and the risks of unauthorized disclosure of sensitive data by cloud providers can be significant. Major data breaches are continuing to occur at an unparalleled pace, affecting millions of customers. See, e.g., LivingSocial Hack Exposes Data for 50 Million Customers, N.Y. Times, April 26, 2013. Even the courts themselves are not unaffected. See, e.g., Washington State Court Hacked: 160,000 Social Security Number Potentially Accessed, Forbes, May 10, 2013. With a data breach, implications can be disastrous. Costs can rise into the thousands– if not millions — of dollars, along with the intangible loss of reputation and customer/client confidence.2
Given the significance of electronic information, users need to be aware of such potential pitfalls and to proactively implement protective safeguards.
Employee Handbook Policy
One way to protect yourself is to limit your company to the use of one, single cloud provider. It is much easier to maintain security with just one provider rather than letting employees select their own providers. It would also be important that the cloud service have the ability to track and generate reports on employee usage.
Having employees sign a written Cloud Storage Policy (CSP) might be a good idea. Among other things, such a CSP could restrict employees from:
- uploading or sharing cloud data without prior management approval;
- using a cloud service that is not approved by management;
- accessing cloud data without a secure connection,
- downloading data to home devices or
- sharing data with anyone outside the company, or
- sharing their login credentials with anyone (including co-workers).
Another safeguard may be to secure an insurance policy covering cloud storage usage.
Insurance that protects you in case of a cyber attack may seem like something only large corporations would ever need, or could ever afford. Cyber liability insurance can make sense for small companies as well. Cyber liability insurance is still a fairly new concept, with a lot of variation among policies, and room for negotiation, says Ethan Miller, partner at the San Francisco law firm Hogan Lovells. Typically, a general liability policy specifically excludes losses incurred because of the Internet, Miller says. So a good cyber liability policy can pick up where your general policy leaves off. Make sure your cyber policy covers laptops and mobile devices as well, to give yourself coverage in as many situations as you can3. “Work with your broker to integrate cyber liability with your general policy and employment liability policy,” Miller advises. “You want to give yourself the most seamless coverage possible.”3
1You May Need a Policy Covering Employees’ Use of Cloud Storage (2015), The Law Offices of Robert J. Ross, https://robertjross.com/2015/05/12/you-may-need-a-policy-covering-employees-use-of-cloud-storage/.
2Keeping Your Data, Not Your Head, In the Cloud (2013), by Jason M. Rosenthal for American Bar Association, https://apps.americanbar.org/litigation/committees/insurance/articles/112213-data-cloud-discovery.html.
3Five Reasons You Should Have Cyber Liability Insurance (2013), by Minda Zetlin for www.inc.com.