SkyDrive – LegalTXTS – A Luminate Law Blog

Cloudy With A Chance of Disaster: Avoiding the Security Risks of BYOC (Bring Your Own Cloud)

November 18, 2013 by Elijah Yip·0 Comments

Photo by Ian Lamont (CC BY 2.0) courtesy of Flickr

Photo by Ian Lamont (CC BY 2.0) via Flickr

You’ve probably heard of BYOD (Bring Your Own Device). But do you know about BYOC? It stands for Bring Your Own Cloud, and it’s more prevalent than you might think.

Cloud storage services like DropBox, Google Drive, and SkyDrive sport features that are attractive to an increasingly mobile workforce. They provide gigabytes of storage for free. Files in the cloud are accessible anywhere with an internet connection. Changes to a file in a cloud account are synced across all devices with access to the account. It’s not difficult to see why cloud services are gaining popularity among individuals and companies alike.

Therein lies the problem. Because personal cloud accounts are so handy and easy to set up, an employee can create a security risk for a company in a matter of minutes. An employee can essentially connect the organization to the cloud without the company’s knowledge via a private cloud account. This enables the transfer of confidential company data to a location outside the company’s reach.

ComRent International, LLC v. Palatini, 2013 WL 5761319 (E.D. Pa. Oct. 24, 2013), involved such a scenario. ComRent hired Clayton Taylor to serve as a vice president of product development. Taylor primarily worked on matters related to Experium, a company that he co-founded and of which he was a minority owner. Taylor set up a Google Drive account to store, access, and edit all of Experium’s intellectual property and confidential commercial information. Only Taylor knew the username and password necessary for the account. When ComRent hired an engineering firm to consult on options for the future of Experium, Taylor refused to grant the firm access to any of Experium’s intellectual property, believing that ComRent might appropriate the intellectual property for itself. As a result, ComRent terminated Taylor and filed a lawsuit seeking access to the Google Drive account containing Experium’s corporate files.

Here are some tips for avoiding problems with unauthorized use of personal cloud storage accounts by employees.

Set a Policy: Remaining silent—and therefore ambiguous—about the organization’s stance on cloud storage can lead employees to believe they may use personal cloud accounts for work purposes without letting management know. To eliminate such misconceptions, set a policy on whether or not the organization will use cloud storage. If the decision is yes, then adopt measures to ensure responsible use of cloud storage. If the decision is no, then clearly communicate to employees that storing work data in a personal cloud account is against company policy.

Maintain Control: If an organization decides to use cloud storage, it should retain control over the information necessary to access the cloud storage account (e.g., login credentials). It is advisable to create an account under the organization’s name for official work purposes instead of allowing employees to use their personal accounts.

Restrict Unauthorized Cloud Services: Consider restricting access to private cloud storage sites from any device that can also access company data, including mobile devices, through the use of blacklists, proxies, and other network security measures. This will prevent the transfer of work files to a private cloud account. Organizations with BYOD programs might find it challenging to eliminate all access to private cloud services, but it is worthwhile consulting with the IT department about the feasibility of implementing such restrictions.

Retain Ownership: Make it clear that company information remains property of the company regardless of where it is stored. It’s also a good idea to have employees sign written non-disclosure agreements.

Stay safe in the cloud!

Estate Planning in Cyberspace: Making Sure Data Doesn’t Byte the Dust

June 18, 2013 by Elijah Yip·0 Comments

Ownership of contents of online email account gets called into question after account owner dies — Ajemian v. Yahoo!, Inc., 987 N.E.2d 604 (Mass. Ct. App. May 7, 2013)

Who owns the data in an online account after the account owner dies? It’s a question that’s growing in importance as online email accounts become commonplace and cloud storage services like DropBox and Google Drive gain users. A Massachusetts court faced that question in Ajemian v. Yahoo!, Inc., but left it unresolved.

In Ajemian, an individual (Robert) opened a Yahoo! email account for the primary use of his brother, John. Robert shared the account as a co-user. Several years after Robert opened the account, John died. Robert and his sister Marianne were appointed co-administrators of John’s estate. At the time of John’s death, Robert had not accessed the Yahoo! account for several years and had forgotten the password.

Robert and Marianne tried to get access to the contacts in Yahoo! account to retrieve email addresses of John’s friends and notify them of John’s death and memorial service. Robert and Marianne also wanted access to the emails in the account to help identify and locate John’s assets and administer his estate.

After negotiations, Yahoo! agreed to turn over the subscriber information for John’s account to Robert and Marianne if they obtained a valid court order, which they did. Yahoo! believed that the Stored Communications Act prohibited it from disclosing the contents of the emails in the account, however. This prompted Robert and Marianne to sue Yahoo! in the Massachusetts probate court. Robert and Marianne argued that the emails were the property of John’s estate and, therefore, as administrators of the estate, they were entitled to access to the emails. Robert also argued that as co-owner of the account, he was entitled to its contents.

The probate court dismissed the lawsuit on various grounds, including that the Terms of Service (TOS) governing the Yahoo! account required the lawsuit to be filed in California. On appeal, the Appeals Court of Massachusetts decided that the TOS was unenforceable because Yahoo! failed to prove that it reasonably communicated the TOS to Robert and that he indicated his acceptance of the TOS, such by clicking on a box that says “I Agree” (i.e., a “clickwrap” agreement). Even if Robert had accepted the TOS, the court would not enforce the forum selection clause contained in the TOS because it was unreasonable and overbroad. The Appeals Court sent the case back to the probate court for a ruling on the issue of access to the contents of the Yahoo! account.

LegalTXTS Lesson: Because the contents of online accounts can be quite valuable, they should be treated as an asset in an estate planning program. Much hassle and confusion can be avoided by making pre-death decisions about how one’s online information should be handled upon one’s death, such as entitlement of access to the accounts and ownership of their contents. To plan effectively, one might need to take into account the terms and service corresponding to online services. In Ajemian, for example, the terms and conditions for the Yahoo! account purportedly limited the transferability of the account and terminated the rights to the Yahoo! ID and the account’s contents when the account owner died. If an online service has similar terms, a workaround might be needed to preserve the rights of the account owner’s estate to data stored by the service.

Haven’t visited Yahoo in a while? You may lose your user name

The Electronic Wake Employees Leave Behind

May 21, 2013 by Elijah Yip·1 Comment

Employer sues ex-employee for not updating his LinkedIn profile — Jefferson Audio Visual Systems, Inc. v. Light, 2013 WL 1947625 (W.D. Ky. May 9, 2013).

What would you do if your ex-employee told everybody he still works for you? One company’s response was to sue. In the first case of its kind, the company decided to sue its former employee for fraud for not updating his LinkedIn profile.

Jefferson Audio Visual Systems, Inc. (JAVS) fired its sales director, Gunnar Light, after he mishandled a potentially lucrative deal and made defamatory statements about JAVS to a prospective customer. Shortly afterwards, JAVS filed a lawsuit against Light alleging various claims, including fraud. JAVS argued that Light was fraudulent in failing to update his LinkedIn profile to reflect that he was no longer a JAVS employee. A Kentucky federal court dismissed the fraud claim because JAVS failed to show that it was defrauded by Light’s LinkedIn profile. At most, JAVS alleged that the profile tricked others. Under Kentucky law, a party claiming fraud must itself have relied on the fraudulent statements.

LegalTXTS Lesson: JAVS’ actions against its ex-employee might have been rather extreme, but the case is a reminder that ex-employees can leave behind an electronic wake that is damaging. Because computer technology is an integral part of work life, management needs to be intentional in disengaging ex-employees from the electronic systems and online persona of the organization. Each organization must determine for itself what measures for dealing with such post-termination issues are feasible, effective, and consistent with its objectives, but here are some suggestions:

1. Promptly update the organization’s website, social media profiles, and any other official online presence to reflect that the former employee no longer works for the organization.

2. Specify who owns Internet accounts handled by the ex-employee for the organization’s benefit and the information stored in the accounts. This includes social media accounts and cloud storage accounts (e.g., DropBox, Google Drive, SkyDrive) to the extent they contain proprietary data. As part of this measure, be sure to obtain the information needed to access the accounts, including any updates to login credentials.

3. Restrict the amount of access to which former employees, as well as current employees whose departure is imminent, have to workstations, databases, and networks of the organization. Limiting access helps to prevent theft of trade secrets and proprietary information. Many CFAA lawsuits have been spawned by a failure to take this precaution.

4. Check if the employee left behind anything that would enable him or her to gain unauthorized access to company systems, like malware, viruses, or “back doors.”

5. Enable systems that allow of erasure of the organization’s data from electronic devices used by the ex-employee to remotely access the work network, such as smartphones, laptops, and tablet computers.

6. Establish guidelines on employee use of the company’s intellectual property on personal internet profiles (e.g., Facebook, Twitter, LinkedIn), including trademarks and trade names.

Cybersecurity, Privacy & Internet Law

Tag: SkyDrive

Tag: SkyDrive

Related articles

Related articles