The consumerization of mobile devices, coupled with the increased use of third parties for information management, has made a strong data protection strategy more important than ever. These intersecting trends also create questions: With more companies trusting their information to third parties, who really owns the data, and whose ultimate responsibility is it to protect that data?
SearchCompliance.com Editorial Director Scot Petersen recently sat down with Jeffrey Ritter, an attorney and recognized expert on technology law, to discuss how bring-your-own-device (BYOD) programs, cloud use and vendor relationships are influencing data protection strategy.
Scot Petersen: We have a new generation of employees wanting to use their own devices, so companies are grappling with bring-your-own-device strategy. What is your take on employee privacy regarding that?
Jeffrey Ritter: The reality is that the information that crosses those devices -- whether it's an iPad or a cell phone or any other device that is outside of the control of the company's system administrators and is used for business purposes -- [the device] is going to have information that is stored on it that is the company's information. In the legal field we are learning the obvious, which is that a corporation has a duty to preserve and produce electronically stored information regardless of where it is, as long as the information is viewed as being the company's data. So the devices of individual employees that are used to conduct business activity are eligible targets, and the companies have a legal duty to preserve and collect that information.
I think that kind of undercuts the employee privacy defense. If I'm going to have a BYOD policy, the corporation still has a responsibility for its data. If you want to work for me, that means your device may be subject to collection. I really don't think that employees can reasonably expect that if they're using any device as part of their employment relationship -- whether they own it or the company owns it -- that the device is immune from the responsibilities of the company to find, preserve, produce and, essentially, own information.
Scot Petersen: How do companies need to protect themselves legally at, let's say, the contract level with service providers, when it comes to protecting personal data?
Jeffrey Ritter: Step One is to document and understand business rules for the services that you may be outsourcing. Understanding what the rules are as they relate to your information governance, and how those rules will apply when the information is being processed or stored or managed by a third party. It's definitely critical to what then goes into the contract regarding what you are allowed and requiring to be monitored and measured.
When you outsource, the end result is supposed to be more efficiency, increased operational velocity, lower costs. But many companies drastically overlook and underestimate the expense of monitoring the vendors and measuring their performance.
Scot Petersen: Should companies assume that the security and control of the data in a cloud situation is their responsibility or the cloud provider's responsibility? Or is it a shared responsibility somehow to be negotiated?
Jeffrey Ritter: I think it's actually the third -- it is ultimately the corporation's data. It's much like how we employ a babysitter to take care of our children: The fact that I employ the babysitter doesn't mean that I dismiss my responsibility for the children getting in trouble or getting hurt. The same is true in turning over the custody and care of our data to a third party.
One of the really cool things that I've been pleased to see emerge over the last 12 months is a project out of the Cloud Security Alliance called the Star Registry. Star is an initiative to help improve security, trust and assurance in cloud services. What the Star Registry allows a vendor to do is to document its security controls, and then publish it to the registry so that it's visible and transparent, and customers can understand and evaluate the quality of those controls upfront, before a detailed negotiation.
I think that kind of transparency is going to be very important and ultimately become a competitive necessity for any of the vendors. Some of the biggest players out there are now participating in the Star Registry, and I think it's an important indicator of where we're headed. Cloud data security is a shared responsibility, but it's a shared responsibility that is governed, ultimately, by the contract.