ScienceDaily reports that a new study from Johns Hopkins University should have IT professionals worried about cloud security. Researchers found that the methods common cloud storage providers use could let employees at the cloud company (and presumably anyone else with inside access) view supposedly encrypted documents when people – like your clients – use the "share" feature.
Here's how the vulnerability works. Company X stores a private document on its cloud storage site. It needs to share this document with a hired vendor. It sends a supposedly secure link to the vendor.
It's this "sharing" process that actually exposes the company's data. Even though data is encrypted, employees at the cloud storage company could theoretically view the document when it is shared.
You might be wondering if the theoretical possibility of, say, a Dropbox employee hacking into your clients' files is really such a big deal. But these potential security flaws are, in fact, a big weakness for certain industries – medical and legal, for example – that rely on confidentiality. Flaws such as this show there's still uncertainty in cloud security.
Protecting Your Client's Confidentiality: More Liabilities for IT Professionals
Medical data security laws (like HIPAA and HITECH) forbid businesses to store data on non-secure sites (which might include cloud storage). Businesses can be fined if data is potentially exposed. This is precisely what Johns Hopkins researchers found. Secure, encrypted data could theoretically be accessed when transferred via standard cloud services.
(For more on HIPAA liability, see "$1.2 Million HITECH Fine Highlights Risks for IT Contractors Working with Healthcare Clients.")
Many of the same liabilities can affect law firms and other companies with lots of proprietary data. Though they don't have regulations like the medical industry, law firms are responsible for protecting client data. Similarly, big companies and the vendors who contract with them could potentially lose valuable IP through these security flaws.
Security leaks don't have to lead to identity theft. Some leaks (like those with medical data) carry other risks – such as the loss of confidentiality – that can lead to lawsuits.
In fact, a judge recently ruled that merely losing a customer's private data could be cause for a lawsuit – even if the customer was not affected by identity theft. We discussed this new liability in our recent article "$3 Million Settlement Paves the Way for Non-Identity-Theft Data Breach Awards."
IT Contractor Liability: Are You Responsible for Knowing about Potential Threats?
As an IT professional, you're responsible for staying informed on current cloud security risks. Now that this study has been published, you're liable for understanding the new risks the Johns Hopkins team uncovered.
Let's say a client's data is hacked using this inside exploit. When you're sued, the client's lawyers could point to this Johns Hopkins research and explain to the judge that you, as an IT professional, were professionally negligent and failed to stay apprised of current research. Had you read more about cloud liabilities, you would have known that this was a potential risk.
For this reason, Errors and Omissions Insurance is a vital part of any IT insurance package. E&O coverage pays for lawsuits over professional negligence, client data breaches, and other errors you could make. No IT professional can stay informed about every potential data threat. Fortunately, E&O Insurance can cover lawsuits over threats you know about – and those you don't.
As businesses still have questions about how secure their data is in the cloud (and as cloud providers work out some of these kinks), E&O Insurance can protect IT contractors from the unknowns of working in a nascent industry.