What’s different about cloud computing?
Cloud systems are often different from the traditional IT infrastructure set up by a company itself because they are normally provided by a third party supplier, and so businesses do not have as much control over the cloud system as they would over their own IT infrastructure.
For these reasons, cloud computing raises new risks for company information security. For example, it can be difficult to trace the web browsing history of an employee who views the internet inside the cloud (as they may be accessing web-based email to move documents outside the cloud), and it is often possible with cloud environments for documents to be copied within the cloud and then pasted outside it onto a personal desktop.
Why does this affect HR?
For companies considering moving onto a cloud-based system (or for those who have recently done so), it is vital for their HR teams to ensure staff IT policies adequately cover the company in the cloud-era against the risks of employees removing company information for illegitimate purposes.
As a first step, HR should sit down with the IT team to ensure that they understand the technology and what is involved with the particular cloud system which the company uses or may use. If those explanations unveil potential information-security risks (such as those listed above), this may influence the company’s choice of cloud-service provider or its choice of additional services (such as an email archive).
Ideally, businesses should start by implementing technology-based restrictions on what staff can do. For example, it is one thing to tell staff that they cannot send work emails to their private email accounts without permission, however it is much easier to prevent such email traffic in the first place using technology.
Turning to the staff handbook, HR should also check whether the following questions are covered adequately in any IT policy:
- Does the IT policy make clear that emails and internet and general IT activity at work can be monitored?
- When will the company use the cloud – for all IT infrastructure or only select applications?
- Does the company allow employees to access personal webmail at work? Is access allowed inside or outside the cloud?
- Are staff allowed to email themselves to their private accounts, for example to facilitate work outside the office?
- Does the company allow employees to access cloud storage systems, such as Dropbox, at work? Does the company allow employees to put company information into such systems?
- Can employees use personal devices for work purposes – for example, laptops or tablet computers, to log-in remotely?
It is also essential that the IT policy is clear about what is and isn’t company information and company property, and that this explicitly covers soft copy documents.
To the extent that the company is prepared to allow employees to use personal webmail and personal cloud storage systems at work, in order to minimise the risks of illegitimate use of company information, the policy should make clear that neither should be used for work-related purposes without prior permission, nor should they be used to send or store company information outside of the company’s systems.
Finally, the IT policy should also be supported by up-to-date confidentiality and company property clauses in the company’s employment contracts.
With the new possibilities that cloud computing raises for companies, it is crucial that businesses update their IT policies and employment contracts to help protect themselves from employee theft. With updated policies in place, these should form the basic building blocks to trace employee theft if it strikes.
Sophie Vanhegan is a senior associate at GQ Employment Law LLP