Storing digital data in the internet “cloud” rather than on a computer’s hard drive is an increasingly common practice among businesses.
In fact, a recent survey by RightScale found that 95 percent of respondents were using the cloud in some form.
While there’s a certain scalability and flexibility that comes with cloud usage via the internet, small businesses must also take precautions to ensure they’re protecting their trade secrets and other intellectual property that resides in the cloud.
“Anytime you entrust someone else with your company’s most important secrets, you have to be cautious that protections are in place to ensure that your secrets remain a secret,” says Seth Northrop, a partner at Robins Kaplan LLP in Mountain View, California.
Cloud service providers offer different levels of protection, so when firms choose a provider, they should be clear on what privacy protections it offers, he says.
Putting your data in the cloud with a third party doesn’t, in itself, mean you are surrendering your trade secrets, he says. However, the language of controlling agreements — such as the terms of service, the protections the cloud provider offers, and how a company uses that cloud service — are important in determining whether you took reasonable steps to ensure your trade secrets remain secret.
Some industries require specific levels of protection. Know what those are and be sure your provider complies, says William Collins, president of NST Inc., an East Northport provider of cloud and security services.
A client can customize its cloud usage to enhance security protections if warranted within a “private cloud,” Collins says.
Still, for the most part, storing information in the cloud can often be safer for a small company than trying to put it in its own security and privacy infrastructure, says Richard Raysman, co-author of “Computer Law” (Law Journal Press; $625) and a partner at Holland & Knight LLP in Manhattan. “Big cloud providers spend a lot more on security than small companies.”
The real question, he says, is: Who has access to your data that’s in the cloud?
Companies should have written agreements with employees, customers and anyone else with access to their proprietary information, he says. They should acknowledge ownership by the company of the trade secret and define what it covers.
The agreements should also state that employees should only duplicate information as necessary to perform their duties and may not duplicate any of the information if they leave the firm, Raysman says.
If they do leave, they should delete any proprietary information they’ve downloaded to a computer or personal device, he says.
Make sure only certain people have access to confidential information, Collins says. Put policies in place to address not only how employees access the cloud but also what devices they may use to do so.
Spelling out such policies and protocols is important to fill the gap between the systems you have in place and the end users, says Jason Aptekar, CEO of The Mithril Cloud, a Westbury managed-cloud service provider.
“The best system in the world doesn’t mean anything if the people aren’t following the guidelines,” Aptekar says.
People need to know what their responsibilities are, he says.
“It all comes down to an information and data security policy that is then implemented, communicated and that users are trained on and sign off on,” he says.
You can then back that policy up with technological controls to manage how employees access data, he says. “The users are still the weakest link in the chain, and you have to address that.”
Percentage of businesses that said cloud security is a concern, down from 29 percent last year.
Source: RightScale’s 2017 State of the Cloud Survey