Andy Green of Varonis argues that to better protect their intellectual property and sensitive data, companies need to take more proactive measures – closely auditing and monitoring access to confidential documents.
Is your company doing enough?
Dropbox and other file-sync companies offer incredibly convenient services to share content in the virtual world of the web.
However, it’s important to keep in mind that long-established laws don’t stop at the entrance to their giant data centers.
Intellectual property law covering corporate trade secrets, copyrights, and patents also applies to anything uploaded to the cloud. Recently, light has been shed on Dropbox’s practice of honoring Digital Millennium Copyright Act (DMCA) requests from Hollywood to remove copyrighted material.
In a real sense, there’s nothing new here. Dropbox has to play by the same rules as everyone else – YouTube, Vimeo, et al.
And if they don’t, well, just look at what happened to a Mr. Kim Dotcom and his file-locker service, Megaupload, when he ignored US copyright rules. (Hint: the US government is now in control of his US-based server farm.)
What is new is that Dropbox has made it far easier for the general public to violate general Intellectual Property (IP) laws with content other than movies and videos. Confidential corporate information, which can include sensitive legal documents, sales projection slides, customer spreadsheets, and proprietary software, all fall under various state and federal IP protections.
So if an employee uploads software for a project he’s working on – say for the purpose of being able to review it offsite – and that employee moves to a new company with a similar product, there is potential for a lawsuit.
Various safe harbor rules would likely protect the file-locker service in this scenario, but the employee and the competitor would fall squarely in the law’s crosshairs.
IP leakage of content is a serious problem.
There’s been one prominent case in the US involving software leakage by a software engineer from an investment bank, which was prosecuted by the US Department of Justice under the Economic Espionage Act.
Though there were problems in the trial — the charges were eventually dismissed but not before the defendant spent time in prison — this is one example among many of how far companies will go to protect their IP.
What can companies do to lessen the risk of IP theft?
Employee education about their IP obligations is a good place to start. Companies typically ask employees to sign confidentiality or non-disclosure agreements, which require them to return all sensitive documents when leaving the company.
However, in Varonis’s own survey of 120 companies, it learned that only about one-third of employees remembered to delete the content they had uploaded from their workplace to the cloud.
Varonis concluded that many employees have simply forgotten that they signed these agreements (who remembers all those documents during onboarding?) and that organizations were not providing continual feedback – emails, training sessions – on what those agreements meant.
And, by the way, to prove that theft of trade secrets has taken place, US courts require plaintiffs to show that they have an employee IP education program in place, as a way of demonstrating that they value their sensitive information.
Companies should also take more proactive measures by closely auditing and monitoring file access activity on their confidential documents using specialized software. The key point is to look for unusual access patterns that indicate documents are being reviewed in non-standard ways: entire folders being copied, or access at unusual times.
Additionally, software is now available that lets companies provide cloud-style file sharing to their employees on their own infrastructure, removing the temptation to use unsanctioned cloud services at work.
There’s another benefit from putting in place file auditing software.
Close monitoring of file activity is not only a good way to spot IP transfers by employees but also to catch hackers who have entered your system and are looking for easily monetizable content—credit card numbers, etc. – as well as corporate IP.
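The two access patterns called out above (a whole folder being read in bulk, and access at unusual times) are simple enough to check mechanically, and the same check serves both the insider case and the intruder case. The following is an added illustration, not Varonis's software or any code from the original post: it assumes a hypothetical plain-text audit log of the form `timestamp user action path`, uses a constructed sample, and the thresholds (five distinct files from one folder within ten minutes; a working day of 08:00 to 18:00 on weekdays) are assumptions a real deployment would tune.

```python
"""Flag bulk folder reads and off-hours access in a file-access audit log.

Added example, not code from the article. The log format, thresholds and
sample data are all assumptions/constructed for illustration.
"""

import os
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

Event = namedtuple("Event", "ts user action path")

# Constructed sample audit log (hypothetical format: timestamp, user, action, path).
# 2014-03-20 is a Thursday; 2014-03-22 is a Saturday, which exercises the weekend rule.
SAMPLE_LOG = """\
2014-03-20 10:02:11 alice READ /projects/alpha/design.docx
2014-03-20 10:05:47 alice READ /sales/q2_forecast.xlsx
2014-03-20 14:30:00 carol READ /src/widget/main.c
2014-03-20 14:30:01 carol READ /src/widget/parser.c
2014-03-20 14:30:02 carol READ /src/widget/lexer.c
2014-03-20 14:30:03 carol READ /src/widget/codegen.c
2014-03-20 14:30:04 carol READ /src/widget/Makefile
2014-03-20 16:10:00 carol WRITE /src/widget/main.c
2014-03-20 22:14:02 bob READ /legal/contracts/acme_msa.pdf
2014-03-22 09:45:30 alice READ /sales/customers.xlsx
"""


def parse_log(text):
    """Parse 'YYYY-MM-DD HH:MM:SS user ACTION /path' lines into Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, time, user, action, path = line.split(maxsplit=4)
        ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append(Event(ts, user, action, path))
    return events


def find_bulk_folder_reads(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, folder, distinct_files) for every user who read at least
    `threshold` distinct files from one folder inside a `window`-long span.
    This is the 'entire folder is being copied' pattern."""
    by_user_folder = defaultdict(list)
    for ev in events:
        if ev.action == "READ":
            by_user_folder[(ev.user, os.path.dirname(ev.path))].append(ev)

    alerts = []
    for (user, folder), evs in by_user_folder.items():
        evs.sort(key=lambda e: e.ts)
        for start in evs:
            # Distinct files read in the window that opens at this event.
            distinct = {e.path for e in evs
                        if timedelta(0) <= e.ts - start.ts <= window}
            if len(distinct) >= threshold:
                alerts.append((user, folder, len(distinct)))
                break  # one alert per (user, folder) is enough
    return alerts


def find_off_hours_access(events, start_hour=8, end_hour=18):
    """Return events that fall on a weekend or outside [start_hour, end_hour).
    This is the 'access at unusual times' pattern."""
    return [e for e in events
            if e.ts.weekday() >= 5 or not (start_hour <= e.ts.hour < end_hour)]


def analyze(text):
    """Run both checks over a log and return the findings as plain tuples."""
    events = parse_log(text)
    return {
        "bulk_folder_reads": find_bulk_folder_reads(events),
        "off_hours_access": [(e.ts.isoformat(sep=" "), e.user, e.path)
                             for e in find_off_hours_access(events)],
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind)
        for hit in hits:
            print("   ", hit)
```

On the sample, carol's five reads from `/src/widget` within a few seconds trigger the bulk rule, while bob's 22:14 read and alice's Saturday read trigger the off-hours rule; alice's two weekday reads from different folders trigger nothing. Both rules are deliberately coarse: in practice the window, threshold and working hours should be set per group from the baseline the audit software has already collected, so that a build server reading a source tree does not drown out a person doing the same thing at midnight.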
Graham,
Interesting take on the security aspect of file sharing. This part doesn't get nearly as much coverage in the news as the flashier hacks and data breaches, but it could be equally if not more important in terms of data security.
What we're finding out now is that the cloud is truly a double-edged sword. Convenient? Heck, yeah. Dangerous? Heck, yeah.
It'll be interesting to see how the cloud companies deal with government monitoring and intrusion. That's something that technology may not be well suited to find a solution for.
On the tech side of things, in addition to your great suggestions on auditing and monitoring, companies with sensitive data that absolutely cannot be lost need to look seriously at more secure solutions. CertainSafe uses data centers that are fully PCI DSS Level 1 certified and takes an even more granular approach to security. It breaks data down to the byte level, tokenizes it, then scatters those tokens across multiple servers. This makes data breaches almost mathematically impossible. They also just won PC Mag's Editors' Choice Award: http://www.pcmag.com/article2/0,2817,2455731,00.asp
They also include audit trail history for all files, military grade shredding and secure messaging.