Minimizing the risk of employee data breach and privacy mischief in the cloud

Employees can get into quite a bit of mischief when they have access to the company’s data — especially disgruntled employees, as we saw in yesterday’s blog post, “Computer Fraud and Abuse Act – great tool for taming an employee that’s gone off the deep end!” The mischief they can get into increases exponentially with the ease and convenience of the cloud, which also makes discovering it much harder.

It is important that companies maintain control over this potential problem. In addition to the traditional competitive reasons that we are all familiar with, when an employee compromises the private data of others that the company maintains, it triggers all of the privacy and data breach concerns that we now hear so much about all over the news.

This is serious and can be devastating to a company. What is worse, as an attorney focused on helping companies address these kinds of concerns, I can tell you one thing for sure: if you do not know it’s happening, you cannot do a thing about it!

Consider, for example, the subject of yesterday’s blog, the case Wells Fargo Bank, NA v. Clark. In that case the employee had to resort to more traditional means of obtaining the data: he stored it on his company laptop, which he then refused to return for over a month. When he did return it, the laptop was virtually destroyed, though with skilled computer forensics they were able to retrieve enough of the data to reveal what he had been doing. But,

What if they had not regained possession of the laptop?

What if they had not been able to obtain from that laptop the data showing that he had posted its confidential information on the internet?

That is exactly the point of an insightful blog on Securosis (@securosis) written by Rich Mogull that is entitled Detecting and Preventing Data Migrations to the Cloud. Rich offers a nice explanation of the problem:

One of the most common modern problems facing organizations is managing data migrating to the cloud. The very self-service nature that makes cloud computing so appealing also makes unapproved data transfers and leakage possible. Any employee with a credit card can subscribe to a cloud service and launch instances, deliver or consume applications, and store data on the public Internet. Many organizations report that individuals or business units have moved (often sensitive) data to cloud services without approval from, or even notification to, IT or security.

Fortunately, Rich tells companies how they can help mitigate these risks in two steps:

1. Monitor for large internal data migrations with Database Activity Monitoring (DAM) and File Activity Monitoring (FAM).

2. Monitor for data moving to the cloud with URL filters and Data Loss Prevention.

He then goes on to explain exactly what each of the above means and how companies can do it. I encourage you to read the full blog post.
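As an added illustration of the second step (this is example code written for this post, not Rich’s or Securosis’ own tooling), the script below reads constructed web-proxy log lines, totals the bytes each user has uploaded to a hypothetical list of unsanctioned cloud-storage domains, and flags anyone who crosses a size threshold. The log format, domain names, user names and threshold are all assumptions for the example.

```python
"""Flag employees moving large volumes of data to cloud services, based on
outbound web-proxy log lines. Constructed sample data; assumed log format:
"timestamp user method url bytes_sent" (one request per line)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample proxy log: two users, one of whom pushes ~1.2 GiB to
# cloud storage in three requests. Domains and users are hypothetical.
SAMPLE_PROXY_LOG = """\
2024-03-01T09:02:11 jdoe POST https://upload.example-drive.com/files 1048576
2024-03-01T09:05:40 jdoe PUT https://bucket.example-storage.net/backup.zip 734003200
2024-03-01T09:07:02 asmith GET https://intranet.corp.example/page 512
2024-03-01T09:08:15 jdoe PUT https://bucket.example-storage.net/backup2.zip 524288000
2024-03-01T10:11:00 asmith POST https://mail.example.com/send 20480
"""

# Assumed watch list: cloud-storage hosts that IT has not sanctioned.
# In practice this would come from the URL filter's category feed.
CLOUD_STORAGE_DOMAINS = {"upload.example-drive.com", "bucket.example-storage.net"}
# Only methods that carry a request body count as uploads.
UPLOAD_METHODS = {"POST", "PUT"}


def parse_line(line):
    """Split one log line into its fields; host is taken from the URL."""
    ts, user, method, url, nbytes = line.split()
    return {"ts": ts, "user": user, "method": method,
            "host": urlsplit(url).hostname, "bytes": int(nbytes)}


def bytes_to_cloud_per_user(log_text):
    """Total bytes each user uploaded to watched cloud-storage hosts."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec["method"] in UPLOAD_METHODS and rec["host"] in CLOUD_STORAGE_DOMAINS:
            totals[rec["user"]] += rec["bytes"]
    return dict(totals)


def flag_large_migrations(log_text, threshold_bytes=100 * 1024 * 1024):
    """Users whose cloud uploads meet the threshold (default 100 MiB, assumed)."""
    totals = bytes_to_cloud_per_user(log_text)
    return sorted(u for u, b in totals.items() if b >= threshold_bytes)


if __name__ == "__main__":
    totals = bytes_to_cloud_per_user(SAMPLE_PROXY_LOG)
    for user in flag_large_migrations(SAMPLE_PROXY_LOG):
        print(f"{user}: {totals[user]} bytes uploaded to cloud storage")
```

The flagged total is the evidence trail the post is after: it names who moved the data, where, and when, which is what a company needs before it can act.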

This is good advice that companies need to implement. Remember, if you don’t know what your employees are doing with your data, or if you don’t know who’s doing it, there isn’t a thing you can do legally to stop it. As Rich observed, this solution isn’t perfect; however, these suggestions are a great way to help protect your data and, should that data be compromised, to be in a position to find out who was responsible.