June 26, 2019

Data: It Is Lurking Everywhere, Especially in the Shadows

For years, companies have been struggling to understand the multitude of locations where their data resides. From traditional employment files with embedded Social Security numbers, to new-age hiring software with videos of job applicants, and enterprise software used to facilitate employee communications, controlling employee, customer, and corporate data is, to say the least, a logistical challenge. One of the newest entries into the mix is the increased use of ShadowIT and cloud-based storage systems.

ShadowIT involves workers’ use of unsanctioned products and applications to perform the work of the business enterprise. In other words, ShadowIT occurs when employees use their personal emails and applications, such as a cloud-based storage system, instead of company-approved solutions. According to a recent survey, about one-third of IT use is considered ShadowIT. Whether responding to a subpoena in a wage and hour dispute, attempting to safeguard previous corporate secrets, or analyzing the extent of a data breach, a company’s failure to understand the scope and location of ShadowIT data could be problematic. Companies should have policies in place regarding employees’ (and other workers’) use of unapproved applications, but there should also be an understanding that a policy is not a panacea.  

For data storage, recent studies show that most organizations are using over 1,000 cloud-based services. Indeed, one such study found that an average organization had 1,154 cloud services in use. This large number demonstrates that companies must manage the sheer volume of data in the cloud or potentially be exposed to liability.

Companies must also think about physical storage when a laptop or a phone is stolen and suddenly control over data on that item is lost. One leaked file in California, for example, could require a company to send out a data breach notification to millions of customers in California (an issue magnified under varying state laws as well in the current landscape). No overall system is perfect for this task, and the idea that company data can be completely controlled may be an illusory one, but there are important issues for companies to consider and sensible steps that they should take to safeguard data, including the following:

  • Survey ShadowIT Usage. Companies should consider conducting anonymous data audit surveys of employees to find out what other applications or products employees are using to perform their jobs. The company can then review its IT department to determine if it lacks the functionality for a certain program or if the problem of unsanctioned product use is simply a result of a lack of employee education as to the sanctioned products available to employees.

  • Manage ShadowIT Usage. Employees using ShadowIT or unsanctioned products create control risks for companies, and employers may consider disciplining employees for not following corporate policies on approved applications. On the other hand, having draconian disciplinary measures in an effort to maintain control over data will not necessarily stop ShadowIT use but may force it deeper undercover. Discipline could also have an adverse impact on employee engagement and retention.

  • Consider “Amnesty.” Companies should consider whether it makes sense to implement a time-limited policy, whereby employees can bring their unapproved software or application to the IT department to see if the program can be moved onto an approved list from the corporation, without the threat of discipline or sanction.

  • Review Vendor Contracts. Companies should review their contracts with vendors for approved cloud-based products and software. This may include auditing other cloud-based companies where data is stored to ensure that the company is adhering to best practices of network security. The contracts should contain data breach notification clauses, as well as indemnification agreements, when possible.

  • Train Workforce. Frequently, employees are the “weak link” in data control efforts, as they are often the cause of a data breach into a company’s secure network. Training employees about how to spot scam phishing emails and protect intellectual property can go a long way toward mitigating that risk.

Technology is constantly evolving such that there will always be a new product or service that could potentially be a benefit to employee productivity. A ShadowIT survey, while helpful, is only a look back in time. Companies need a way to address ShadowIT use as it evolves going forward. A company prohibition on ShadowIT without some method for employees to submit new products for consideration without fear of reprisal keeps the company in the dark about its data. Companies must also be mindful of the other cloud-based providers’ security protocols and the likelihood that a third party could accidentally let sensitive data out into the public domain.

©2019 Epstein Becker & Green, P.C. All rights reserved.

About this Author

Adam S. Forman, Epstein Becker Green, Workforce Management Lawyer, Chicago, Detroit, Social Media Issues Attorney
Member

ADAM S. FORMAN is a Member of the Firm in the Employment, Labor, and Workforce Management practice, based in Chicago and Detroit (Metro). As noted in the 2015 edition of Chambers USA, Mr. Forman “is a renowned expert in social media issues relating to the workplace” and also “focuses on litigation, training and preventive advice on the employment side.” A frequent writer and national lecturer on issues related to technology in the workplace, such as social media, Internet, and privacy issues facing employers, Mr. Forman is often interviewed by...

312-499-1468
Matthew Savage Aibel, Epstein Becker Green, Trade Secrets Attorney, Breach of Non-Compete Agreements Lawyer
Associate

MATTHEW SAVAGE AIBEL is an Associate in the Litigation and Employment, Labor & Workforce Management practices, in the New York office of Epstein Becker Green.

Mr. Aibel:

  • Assists in the representation of clients in complex commercial litigation, business disputes, and breach-of-contract matters

  • Provides assistance with litigation matters involving the breach of non-competition and non-solicitation agreements, the misappropriation of trade secrets, and unfair competition

  • Assists in the representation of employers in federal and state court and in mediation and arbitration proceedings on labor and employment matters involving discrimination, harassment, retaliation, whistleblowing, and wage and hour disputes

  • Aids health care companies in litigation arising under ERISA and other related disputes

  • Advises employers about issues and policies related to social media and the online conduct of employees

Prior to joining Epstein Becker Green, Mr. Aibel served as a Legal Intern at the largest labor union representing officers of the New York City Police Department. In this role, he helped with state and federal litigation, collective bargaining issues, employee handbooks, and city administrative board hearings.

212-351-4814