Confidentiality in the digital age is certainly an elusive concept. As more organizations turn to social networking sites, cloud computing, and bring your own device (BYOD) policies to facilitate commercial enterprise, they are finding that such innovations could provide unwanted visibility into their business operations. Indeed, technology has seemingly placed confidential corporate information at the fingertips of third parties. This phenomenon, in which some third party could be examining your trade secrets, revenue streams and attorney-client communications, brings to mind an iconic colloquy from the movie Ocean’s Eleven involving Tess (Julia Roberts) and Terry Benedict (Andy Garcia). Tess caustically reminds the guarded casino magnate that: “You of all people should know Terry, in your hotel, there’s always someone watching.”
That someone could always be “watching” proprietary company information was recently alluded to by Chief Judge Alex Kozinski of the Ninth Circuit Court of Appeals. Speaking on the related topic of data privacy at a panel sponsored by The Recorder, Judge Kozinski explained that technological advances that enable third party access to much of the data transmitted through or stored in cyberspace seemingly remove the veneer of confidentiality from that information. Excerpts from Judge Kozinski’s videotaped remarks can be viewed here.
That technological innovations could provide third parties with access to proprietary information is certainly problematic as companies incorporate social networking sites, cloud computing and BYOD into more aspects of their operations. Without appropriate safeguards, the use of such innovations could jeopardize the confidentiality of proprietary company information.
For example, content that corporate employees exchange on social networking sites could be accessed and monitored by site representatives under the governing terms of service. While those terms typically provide privacy settings that would allow corporate employees to limit the extent to which information may be disseminated, they also notify those same users that site representatives may access their communications. Though the justification for such access varies from site to site, the terms generally delineate the lack of confidentiality associated with user communications. This includes ostensibly private communications sent through the direct messaging features available on social networks like LinkedIn, Twitter, MySpace, Facebook and Reddit.
In like manner, providers of cloud computing services often have access and monitoring rights vis-à-vis a company’s cloud hosted data. Memorialized in service level agreements, those rights may allow provider representatives to access, review or even block transmissions of company data to and from the cloud. Provider access may, in turn, destroy the confidentiality required to preserve the character of company trade secrets or maintain the privileged status of communications with counsel.
BYOD also presents a difficult challenge for preserving the confidentiality of company data. This is due to the lack of corporate control that BYOD has introduced into a company’s information ecosystem. Unless appropriate safeguards are deployed, employees may unwittingly disclose proprietary information to third parties by using personal cloud storage providers for storage or transmission of company data. In addition, family, friends or even strangers who have access to the employee device could retrieve such information.
Given the confluence of the above-referenced factors, the question becomes what steps an organization can take to preserve the confidentiality of its information. On the social network front, a company could deploy an on-site social network that would provide a secure environment for its employees to communicate about internal corporate matters. Conceptually similar to private clouds that house data behind the company firewall, an on-site network could be jointly developed with a third party provider to ensure specific levels of confidentiality.
An enterprise that is considering cloud computing for its ESI storage needs should require that a cloud service provider offer measures to preserve the confidentiality of trade secrets and privileged messages. That may include specific confidentiality terms or a separate confidentiality agreement. In addition, the provider should probably have certain encryption functionality to better preserve confidentiality. By so doing, the enterprise can better satisfy itself that it has taken appropriate measures to ensure the confidentiality of its data.
To address the confidentiality problems associated with BYOD, a company should prepare a cogent policy and deploy technologies that facilitate employee compliance. Such a policy would discourage workers from using personal cloud storage providers to facilitate data transfers or for ESI storage. It would also delineate the parameters of access to employee devices by the employee’s family, friends, or others. To make such a policy more effective, employers will need to develop a technological architecture that reasonably supports conformity with the policy.
By developing cogent and reasonable policies, training employees and deploying effective, enabling technologies, organizations can better prevent unauthorized disclosures of confidential information. Only by adopting such professionally recognized best practices can companies hope to shield their proprietary data from the prying eyes of third parties in the digital age.