Technology Team Newsletter: Protecting Your Employee and Proprietary Information in the Age of Cloud Computing
November 17, 2010
On November 10, 2010, the Epstein Becker Green Technology Team hosted a roundtable discussion on the topic "Future of Cloud Computing: Assessing the Utility and Risk" at our New York office. One of the issues addressed at the roundtable was how a company can maintain the security of personnel and other private information regarding employees and its proprietary information if the company utilizes the "cloud" for data processing and storage rather than its own servers.
The consensus of the group — which included guest speakers Allen Ureta, Director of Technodyne LLC's GRC Practice; Michael Wood, Director of Product Management, netForensics, Inc.; and Bill Leroy, Information Security Management and Compliance Evangelist, netForensics, Inc. — was that all companies (large and small) considering the migration of physical data centers to an environment of cloud computing must identify the risks associated with cloud computing, develop proper policies for governance of the system, and implement training programs and controls to protect the integrity of their data. In today's competitive environment, companies go to great lengths to safeguard employee data and business information stored in their in-house computer systems.
The need for system and data security is even greater when companies choose to move data processing and storage into the virtual world of the cloud, where cyber-thieves are constantly looking for ways to sell or use proprietary company information and personal employee data for their own nefarious activities. In addition, companies that are subject to the Sarbanes-Oxley Act ("SOX") and HITECH/HIPAA, as well as companies that are government contractors (particularly to the U.S. Department of Defense), have a greater need to ensure that their data cannot be breached because the penalties for noncompliance are substantial and significant. In addition, numerous states have adopted data-breach laws requiring companies with data systems that are compromised to provide written notice to all individuals whose personal data has been lost, stolen, or disclosed.
Our speakers stated that, before choosing a cloud computing provider, a company must carefully scrutinize the service provider agreement to ensure that the provider can meet the company's specific security needs. The company should not assume that the provider's "form agreement" will suffice. To protect itself, the company should negotiate its own representations and warranties with the provider, paying particular attention to indemnity, "hold harmless," and termination provisions.
In addition, the service provider agreement should address a continuity plan so that a company can retrieve or move its data in the case of a natural or man-made disaster or if the provider goes out of business. Our speakers stressed that many of the cloud providers are located "off shore" — in countries that are not subject to U.S. jurisdiction and regulation. As such, including specific provisions for data retention and access is especially critical in view of both the requirements of the "e-discovery" rules that apply to civil litigation in the United States and the ever-increasing number of state and federal document retention regulations.
The speakers agreed that many data breaches are caused by human error (i.e., employee mistakes) or human malfeasance (i.e., departing employees who take proprietary information), and that such breaches can be minimized or avoided by compliance training and system monitoring. In this regard, companies must draft and implement written personnel and IT policies that are clear and easily understandable. In addition, companies should conduct regular training with their employees on company policies and protocols for data storage, use, and dissemination.
These company policies and training efforts must be coupled with rigorous enforcement. Therefore, companies must develop and implement policies and protocols for monitoring employee use of the electronic data systems (i.e., word processing, e-mail, and Internet use). In most states, establishing these policies and protocols is fairly straightforward, since employees of private employers do not have a right to privacy in the workplace. However, some states, such as California, provide individual privacy rights to employees that may hamstring an employer's ability to monitor employee use of electronic media. It is recommended that employers consult with their employment counsel before implementing a monitoring policy.
In addition to establishing a system for monitoring employee use of the data systems, companies must actually conduct routine and random monitoring to ensure employee compliance with the data storage, use, and dissemination policy and take disciplinary action against employees who violate the policy. Companies that pay lip service to their own policies and protocols, and turn a blind eye to data leaks and employee negligence or malfeasance, run the risk of litigation, government audits, and damage to their business and reputation.
In sum, any company that has considered, or is considering, migrating its data processing and storage to the cloud must do the following:
Carefully assess its unique business needs
Thoroughly vet service providers
Negotiate a service provider agreement that adequately protects the company's interests
Weigh the risks of data breaches and loss versus the cost savings of being in the cloud
Develop written HR and IT policies and protocols for data storage, use, and dissemination
Implement a proactive monitoring policy
Adequately train employees and IT personnel on the policies and protocols
Rigorously enforce the policies and protocols
Develop a plan for handling security breaches if they occur
Additionally, the company should consult with legal counsel to determine what laws and regulations may impact the decision to move to cloud computing and to ensure that its policies and protocols for data storage, use, and dissemination comply with the applicable laws and regulations.
The Technology Team
As previously noted, on November 10, 2010, the Technology Team hosted a thought-provoking roundtable discussion entitled "The Future of Cloud Computing: Assessing Utility and Risk." The Technology Team wishes to thank Allen Ureta, Michael Wood, and Bill Leroy for serving as presenters.
Testimonials from the roundtable:
"I think we are all unconsciously incompetent before we receive new information that brings clarity. The information I received today, although imparted effortlessly and with great clarity from the presenters, was valuable and greatly appreciated. If you, too, are looking for cutting-edge information to broaden your understanding of current issues, I highly recommend attending the next event." — Arthur Esposito, Another 9.
"The luncheon's open discussion was very informative and insightful." — Anton Hios, Collaborative Benchmarking Group, LLC.
On December 3, 2010, Michelle Capezza will speak to professionals enrolled in Pace University's Human Resource Management course (offered in cooperation with the Society of Human Resources Management ("SHRM")) on the topic of health care reform legislation and its impact on employer health plans.
to you and yours from the Technology Team!
What is the Technology Team?
The Technology Team is a multidisciplinary team of lawyers at Epstein, Becker & Green, P.C., who have dedicated themselves to serving the needs of technology companies—public and private, large and small. The Technology Team's members all have extensive experience representing technology companies—such as software companies, electronic device manufacturers, medical device producers, and wireless telecommunications companies—and bring their diverse skills and collective understanding of the needs of technology companies to the task of helping these clients solve a variety of matters and problems.
Working in a coordinated manner, the Technology Team is able to efficiently provide comprehensive legal services, across a broad spectrum of matters, including entity formation, securities, debt financing, acquisitions/divestitures, regulatory issues, employee benefits and executive compensation, labor and employment law, intellectual property, and commercial litigation. And because the members work as a team, they can tailor the type and level of legal services to the particular needs of the client in a cost-efficient manner.
Located in various offices across the Firm, the Technology Team's members can address their clients' needs across the country, whether the matter involves litigation or simply the need to understand how businesses operate in different locations. Team members routinely collaborate with each other and with other attorneys inside and outside the Firm, when necessary, in order to provide clients with effective and efficient legal services.