Many employees use consumer grade, unmanaged cloud services such as Dropbox and Google Drive as part of their work. This is sometimes called BYOC for Bring Your Own Cloud. It is convenient, but is it a good idea for the business?
Loss/theft of intellectual property –
One of the obvious risks of BYOC is the loss of control (AKA theft) of corporate intellectual property. These personal cloud services make it quick and easy to steal hundreds to thousands of confidential files by merely dragging and dropping. AND, since the account does not belong to the company, the only way the company can force an employee to let them into their account is via a court order – an expensive and dicey proposition. By the time that order is granted and appeals are exhausted, any evidence is likely gone.
Data breach and regulatory violations
Just because your company chooses to allow (or not stop) employees from using BYOC does not mean that company does not have liability if the data on the employee’s personal cloud, that the company does not control, is breached. In fact, likely, the company is fully liable even though they have no authority over that data. Violation of regulations such as HIPAA also fall on the company.
Litigation risk and electronic discovery exposure
If a company allows users to use BYOC and is involved in litigation, it is very difficult to preserve evidence that could exist on employee’s personal clouds. If it is discovered that evidence has been destroyed or compromised, the judge could hold the company in contempt or even instruct the jury that they should assume the worst – that whatever was destroyed would have helped the plaintiffs and hurt the company. A Florida court recently faulted a company for allowing an employee to destroy files in a personal Box account. Also, depending on what an employee does with the files on the BYOC account, the company may lose the ability to assert attorney-client privilege.
So what is a company to do?
There are only a couple of options –
Allow BYOC and deal with the risk. This doesn’t seem like a great solution, but it is what many companies are doing today – understanding that they are going to lose corporate intellectual property in the best of circumstances.
Outlawing BYOC. Done right, this can work. After all, the employee just wants to get his or her job done, but done wrong, it can really annoy the employee.
Allow but regulate. This is likely more complicated. The company has to decide what BYOC services are OK, create rules for using them and then enforce these rules, but it is possible for this option to work.
For most companies, providing a corporate owned solution that works at least as easily as the employee owned consumer grade solution is probably the best solution, but every company will need to decide for itself.
Information for this post came from JDSupra.