Reports of massive data breaches at trusted American retail businesses, banks, credit card companies and even governmental agencies have unfortunately become routine. So much so, in fact, that many of us have become desensitized to the serious personal privacy, identity protection and financial risks involved. That is especially unfortunate, because the costs to individuals, businesses and the government are very real and dramatically increasing.
We are falling prey to exploitation of the same consumer and other electronic technologies upon which we rely for our daily communications, purchases, banking, social networking and information storage. The most nefarious culprits are individual hackers (who may share loose affiliations with one another) and cyber agents in the service of foreign powers. The former seek personal profit at our expense, to embarrass some, to titillate others, to stick a cyber-thumb in the eye of business or the government, or just to show off. The latter are often thieves as well, but their overarching goals are strategic in nature. Foreign cyber agents seek to misappropriate sensitive information, to disrupt our economy, to shake public confidence in our government and systems, and to explore our cyber-vulnerabilities for potential use in the event of future hostilities.
In light of these threats, increased vigilance should be the order of the day – especially wherever significant volumes of personal, business and/or government information tend to intersect electronically. One such area is occupied by well-known consumer cloud-based data storage and file sharing services such as Dropbox, Google Drive, OneDrive, Box, Copy, and Amazon Cloud Drive.
In just the last several days, hackers published username and password information for hundreds of Dropbox accounts and promised to publish hundreds, thousands, or even millions more in exchange for bitcoin “donations.” Representatives of Dropbox insist the username and password data was not stolen from its servers. That, however, only raises the questions of where, when, how, and from whom the data was misappropriated and whether any of the stolen account information is still active and usable. It is in Dropbox’s own interest to warn its users against whatever internet activity puts their personal information at risk.
To its credit, Dropbox offers two-step login authentication as a user option and regularly performs automated and manual security testing for system vulnerabilities. Based on the recent publication of stolen login credentials and the threat of further online “leaks” of account information, Dropbox users would do well to immediately change their passwords, make sure their new passwords are unique to their Dropbox accounts and opt in to two-step login authentication with the service.
At the same time, American businesses and government agencies need to sit up, take note, and carefully consider the adequacy of their policies, procedures and precautions relative to employees’ use of consumer cloud-based storage and file sharing services, especially the “free” ones.
Dropbox is one of many such services that enjoy widespread use among employees at every level (and across industries). The work-life appeal of Dropbox is simple – it affords the ability to store and share electronic files between multiple machines linked to the same account (for example, between one’s office desktop, personal laptop and tablet). Dropbox and several other providers offer free services for user accounts that stay within designated data storage volumes (generally between 2 and 15 GB), which is very attractive to a lot of consumers. The ease of use is undeniable, and the services provided fit nearly perfectly with the electronic storage and file sharing demands of remote workers and far-flung project teams. As the latest data breach demonstrates, however, with those benefits also comes significant risk to employees and their employers.
Employees are storing business information with Dropbox and other third-party cloud-based service providers in personal accounts over which their employers have no control or authority. Employees often do not share their account credentials with their employers – especially if they use those accounts in mixed fashion for storage of business and personal information. Many employers may not even know which of their employees are using such accounts. Wherever reasonably possible, employers should mandate that their employees use only business- or enterprise-level file sharing accounts for business-related data and files, to take advantage of the centralized control, administration and additional security features they provide.
The data security and information governance risks attendant to employees’ use of personal data storage and file sharing accounts for business purposes are substantial. What’s more, in-house and outside counsel for businesses may be unable to effectively identify, much less preserve and marshal, the relevant contents of such accounts in the event the businesses become involved in litigation, are the subject of a government inquiry, or receive third-party discovery requests. This is all to say that businesses need to understand the very real risks involved in allowing their employees to use personal cloud-based data storage and file sharing accounts for business purposes, so they can properly protect themselves and craft effective, enforceable policies and procedures around them.
Gareth Suddes, manager of Montgomery McCracken’s Legal Technology Support and Application Development