Digital innovations in global communication and mass data exchange are changing the way organisations work, and it is important to consider how your business can take advantage of technological developments without opening itself up to leakages or espionage, or giving away commercial advantage. Following interviews with several businesses, in June 2012 DMH Stallard published a report, Secure Your Data – Protect Your Business, highlighting data security best practice. The majority of the businesses we spoke to thought they had appropriate measures in place but, when we probed more deeply, we identified risks that they had not identified or eliminated.
Data and IP on a personal device
Traditionally, an employer supplies its employees with devices for business use. With the recent surge in demand for smartphones and tablet computers, employees are increasingly seeking to use their own devices for business. This “consumerisation” of IT means employees, who have bought a device they actually want to use and are familiar with, wish to use that device at work. In our interviews, businesses indicated that either they are persuaded by the cost savings – that is, the upfront capital cost of purchasing the device – or are keen to encourage employee productivity and satisfaction and are promoting BYOD or “Bring Your Own Device” Plans in the workplace. We also identified that as employees had a personal interest in the device and the data saved on it, they were more aware of and concerned about protecting the device and its data.
BYOD presents problems too. In particular, it raises the issue of ownership of data on a device. An employer will claim to own business-related data on the device, but will likely acknowledge that the employee owns their personal data on the device. As it is a personal device, the employee will likely carry it with them everywhere. If they lose the device, it could fall into the hands of someone who would seek to use the business data to their advantage. Also, IT departments used to supporting Microsoft and BlackBerry can find they are being asked to cater for iOS and Android systems too, but they do not necessarily have the resource to do this. Perhaps they will need to obtain official training or even a licence agreement from the manufacturer. Maybe the solution is to require the employee to obtain support from the place they bought their device. Of course, once again a third party – the party providing the support – will have access to the confidential business data held on the device. Finally, an employee who changes job will take their device with them, and the employee could use that information to a competitor’s advantage, or the new employer could even get access to the information on that device.
An employer could reduce risks like these by ‘partitioning’ the device, that is, by installing software which separates the device for work and personal use. Even if the personal ‘partition’ has no security, the work ‘partition’ can still be secured. Further, the employer could ensure that very little data is stored on the device itself, with data stored centrally on its server. The employee would access virtual data on the work partition when they need it and, when they have finished, the work partition would close and the data would disappear from the device. If the employee loses the device, or it is stolen, or they take it with them at the end of their employment, the employer can disable the work partition and prevent access to the centralised data. Some applications allow remote wiping of business data on the device. This will reduce the risk of files and information about clients or the business being taken away with the device. We found that employers forget or do not take the seemingly obvious step of blocking the access rights of staff as they leave, and do not undertake regular reviews to check this and revoke permissions.
There are other concerns too. For example, ownership of the device itself might be called into question if the employer provides a contribution to the employee when buying the device. Also, if the employee creates intellectual property rights on the device, then having a dual-purpose consumer and business device can complicate the usual question of who owns the rights.
Data and IP in the cloud
Increasingly, businesses are adopting cloud solutions as an affordable, scalable and flexible approach to data storage and processing. A cloud solution can provide a business with instant access to additional data storage without the need for it to incur a large upfront cost. This reduction in capital expenditure, coupled with freeing up precious physical space, gives a business the flexibility to rent services specific to its requirements and allows it to store data centrally for accessing remotely, anywhere at any time. Not every cloud solution is the same. A public cloud solution provided to a global customer base on the basis that it is cheap does not necessarily or automatically offer an enhanced level of resilience or data security. Also, if a cloud provider can keep its costs down by running the solution from the cheapest jurisdiction, then this is likely to mean that the data is transferred outside the protective area of the European Economic Area. That transfer could be to a jurisdiction which is not on the European Commission’s safe list of countries and, unless the transfer is done subject to appropriate contractual safeguards, the business, as ultimate controller and owner of the data, could find itself in breach of EU data protection legislation. Further, it is worth remembering that not all jurisdictions have yet implemented appropriate measures to protect IP, with some businesses concerned about corporate or even state espionage on data held by a cloud provider in their country.
Some businesses interviewed highlighted concerns over US cloud solutions. For example, the US Safe Harbor scheme is a self-certification scheme and a business should check their cloud provider’s credentials and seek evidence of their compliance before the data transfer takes place. Additionally, many businesses are concerned about the USA Patriot Act. This grants the FBI access to data held within the US and beyond. In 2011, Microsoft UK clarified that, as it is a US-headquartered business, it would respond to a request under the Patriot Act. This access by the FBI is not new and is, of course, subject to safeguards such as for the prevention of terrorism, but many data controllers are concerned about this access.
To deal with these types of issues, a business could store its data locally or implement a hybrid cloud solution where it stores all confidential or valuable data onsite and moves less important data and applications into a cloud solution. This segmentation and categorisation of business data according to confidentiality and value could mean a more complex but ultimately more secure cloud solution. We talked to one business that kept its “crown jewels”, as it called them, including credit card, payment and customer data, at an ultra-secure data centre in London and used a public cloud solution for data of low value, using a SaaS (Software as a Service) email solution for staff email. Segregating data can also be useful to limit employee access to certain types of data. Businesses can identify and specify what data the cloud provider must store within the EEA and elicit reassurances from the provider that it will also undertake back-up and support in the EEA. As many cloud solutions are provided by US companies, data is often automatically transferred to these jurisdictions. A business should consider encrypting data held in a cloud solution. Alternatively, it could ‘tokenise’ its data, where it stores the sensitive data onsite but obscures it (by way of a token identifier) when transferring data to the cloud.
There are other risks too. Although a business may have carefully thought out its official cloud strategy, its employees may be circumventing this. A business embracing BYOD should also identify where data on that device will be held. Further, the employer should identify whether its staff are using solutions such as Dropbox or Google Docs to store documents, Evernote to take and share notes on meetings or ideas, and Gmail or Outlook.com for emails. The best approach might be to make employees aware of what is and is not expected of them, by putting clear policies in place and communicating them to the employees. Staff often do not consider the risks to data and IP. One tool that could prove useful is a “survey of truth” to find out how employees actually use and move data. Often, business data and IP policies which are so strict that they make it harder for employees to do their jobs can end up encouraging employees to circumvent those policies. By engaging with staff, it may be possible to implement a strategy that allows for use of cloud solutions while also reducing risks to data and IP by embracing a solution staff are comfortable using.
Data and IP in social media
The use of social media has become a part of everyday life for many and, increasingly, a way of doing business. A business can use sites such as Facebook, LinkedIn and Twitter to build up contacts through social encounters or through networking, and to promote itself and its activities. As with everything, careless use of social media by employees can give rise to risk. For example, an employee using the ‘Check In’ facility on Facebook to tell friends where they are might inadvertently disclose confidential or sensitive information, like an appointment with a client or more specific details about a confidential project a business is undertaking for a client.
Another area of difficulty is who owns social media contacts built up during an individual’s employment. Laura Kuenssberg, a BBC reporter, was well known for her coverage of the 2010 UK general election and built up about 67,000 Twitter followers to @BBCLauraK. On leaving to go to ITV, there was, in her own words, much “frenzied conversation” about whether she could take her followers with her to her new job at ITV. Apparently, an “entirely amicable” agreement was reached, where all her followers of @BBCLauraK were transferred to @ITVLauraK. It is unlikely that every business in that situation would be quite so willing to allow this to happen; a business might instead argue that, because the account uses the business trade mark, the followers belong to the business, not the individual.
Protecting IP and data in technology
Clearly, in the ever-changing business environment, technology offers advantages but a business should ensure these are not to the detriment of its data and IP. To take advantage of the latest technologies without putting data and IP at risk, a business must consider the following:
- Engage with staff to identify what they need to do and identify a means to allow them to do this
- Introduce and enforce policies to protect business data and IP to reduce the likelihood of innocent (or deliberate) damage to data and IP
- Audit your most valuable data and IP and identify how (and where) best to store it
- If data and IP are to be transferred outside the EEA, adopt measures to reduce the risks
This article was first published in the November edition of Intellectual Property Magazine.