Date: 2017-06-26
We have discussed
before the importance of maintaining internal policies and
procedures to protect the security and integrity of cloud-based
repositories. A recent case in the U.S. District Court for the
District of Maryland illustrates that this continues to be an
important issue—particularly for companies who store their
crown jewels on the cloud.
Smyth Jewelers is a retail jewelry store headquartered in
Maryland. In late 2016, three of Smyth's longstanding employees
resigned from the company and began working for a competing jewelry
retailer. One of those three employees had been responsible
for maintaining Smyth's Dropbox account. According to a
complaint filed by Smyth on May 31, 2017, this Dropbox account
contains a treasure trove of proprietary company documents,
including business plans, vendor information, confidential employee
information, customer lists, purchase histories, and other valuable
customer account metrics.
Smyth alleges that the company's "policy and
practice" was to use a company-provided email to set up and
access Dropbox. It further alleges that the departing employee
"surreptitiously changed the email under which the Dropbox
account was registered from his @smythjewelrs.com account" to
a personal email account. By doing so, the departing employee
allegedly locked Smyth out of its Dropbox account and obtained
control over numerous trade secret and proprietary documents.
Smyth's lawsuit provides a cautionary tale about a
significant pitfall awaiting companies who use cloud storage
without having robust internal procedures in place. By having an
employee use his own individual email address to set up the
company's Dropbox account, Smyth allowed a single person to
have full administrative control over it. This can cause real
problems if the employee's loyalties do not remain with the
company.
There are several steps businesses can take to protect against
the risk of a departing employee maintaining control over or access
to cloud document repositories. First, companies should ensure that
full administrative access to them resides at all times with the
company, rather than an individual employee. For example, the
company should use a company email account that will always remain
accessible to its IT department ("ITadmin@company.com")
to establish administrative login credentials for the company's
cloud accounts. In addition, most cloud services optionally
provide email notifications when significant changes (like password
changes or new user logins) to the account are made. Ensuring
that such notifications are turned on, and that they are sent to
and read by responsible persons within the company, will reduce
risk. Another potential step is to set up multiple tiers of
access privilege within the cloud repository to limit access to
particularly sensitive documents. It is typically possible to
set up folder-level password protections. It is also common
to impose document-level restrictions on the ability to view,
print, download, or edit documents stored on the cloud.
These are just examples of measures companies can take to
protect cloud-based document repositories. Regardless, companies
should analyze the risks and advantages of cloud storage for their
unique business needs and set up a plan that strikes the right
balance of convenience, efficiency, and security.
