We have discussed before the importance of maintaining internal policies and procedures to protect the security and integrity of cloud-based repositories. A recent case in the U.S. District Court for the District of Maryland illustrates that this continues to be an important issue—particularly for companies who store their crown jewels on the cloud.
Smyth Jewelers is a retail jewelry store headquartered in Maryland. In late 2016, three of Smyth’s longstanding employees resigned from the company and began working for a competing jewelry retailer. One of those three employees had been responsible for maintaining Smyth’s Dropbox account. According to a complaint filed by Smyth on May 31, 2017, this Dropbox account contains a treasure trove of proprietary company documents, including business plans, vendor information, confidential employee information, customer lists, purchase histories, and other valuable customer account metrics.
Smyth alleges that the company’s “policy and practice” was to use a company-provided email to set up and access Dropbox. It further alleges that the departing employee “surreptitiously changed the email under which the Dropbox account was registered from his @smythjewelrs.com account” to a personal email account. By doing so, the departing employee allegedly locked Smyth out of its Dropbox account and obtained control over numerous trade secret and proprietary documents.
Smyth’s lawsuit provides a cautionary tale about a significant pitfall awaiting companies that use cloud storage without robust internal procedures in place. By having an employee use his own individual email address (rather than a shared, company-controlled one) to set up the company’s Dropbox account, Smyth allowed a single person to have full administrative control over it. This can cause real problems if the employee’s loyalties do not remain with the company.
There are several steps businesses can take to protect against the risk of a departing employee maintaining control over or access to cloud document repositories. First, companies should ensure that full administrative access to them resides at all times with the company, rather than an individual employee. For example, the company should use a company email account that will always remain accessible to its IT department (“ITadmin@company.com”) to establish administrative login credentials for the company’s cloud accounts. In addition, most cloud services optionally provide email notifications when significant changes (like password changes or new user logins) to the account are made. Ensuring that such notifications are turned on, and that they are sent to and read by responsible persons within the company, will reduce risk. Another potential step is to set up multiple tiers of access privilege within the cloud repository to limit access to particularly sensitive documents. It is typically possible to set up folder-level password protections. It is also common to impose document-level restrictions on the ability to view, print, download, or edit documents stored on the cloud.
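The first two measures above (company-controlled admin credentials and alerting on significant account changes) can be checked mechanically. The following is an added example, not code from the post or from any cloud provider; it assumes a constructed audit-event format with `event`, `account` and `new_email` fields and a company domain of `company.com`, none of which come from the original text.

```python
# Added example: verify that cloud-repository admin logins stay under company
# control, and flag registered-email changes that move an admin account off the
# company domain. The event format and domain below are assumptions.
COMPANY_DOMAIN = "company.com"            # assumed company domain
SHARED_IT_MAILBOXES = {"itadmin"}         # assumed shared IT mailbox local parts


def domain_of(email):
    """Return the lower-cased domain part of an address ('' if malformed)."""
    return email.rsplit("@", 1)[-1].lower() if "@" in email else ""


def is_company_controlled(email):
    """True only if the admin login is a shared IT mailbox on the company domain,
    i.e. not tied to any single employee's personal or individual account."""
    if domain_of(email) != COMPANY_DOMAIN:
        return False
    local_part = email.split("@", 1)[0].lower()
    return local_part in SHARED_IT_MAILBOXES


def flag_admin_email_changes(events, admin_accounts):
    """Return alert strings for registered-email changes on admin accounts whose
    new address is outside the company domain (the scenario in the complaint)."""
    alerts = []
    for ev in events:
        if ev["event"] != "registered_email_changed":
            continue
        if ev["account"] not in admin_accounts:
            continue
        if domain_of(ev["new_email"]) != COMPANY_DOMAIN:
            alerts.append(f"{ev['account']}: registered email moved to "
                          f"{ev['new_email']} (outside {COMPANY_DOMAIN})")
    return alerts


# Constructed sample audit trail (not real provider output).
SAMPLE_EVENTS = [
    {"event": "login", "account": "itadmin@company.com", "new_email": None},
    {"event": "registered_email_changed", "account": "itadmin@company.com",
     "new_email": "someone@personalmail.example"},
    {"event": "registered_email_changed", "account": "jdoe@company.com",
     "new_email": "jdoe2@company.com"},
]

if __name__ == "__main__":
    for alert in flag_admin_email_changes(SAMPLE_EVENTS, {"itadmin@company.com"}):
        print("ALERT:", alert)
```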
These are just examples of measures companies can take to protect cloud-based document repositories. Regardless, companies should analyze the risks and advantages of cloud storage for their unique business needs and set up a plan that strikes the right balance of convenience, efficiency, and security.