According to the corporate law magazine InsideCounsel, Google has increased its Gmail security standards in order to ease customer concern and provide a more secure email platform to companies that require it.
To do so, Google announced that it will take two precautions to secure private and commercial emails:
- HTTPS secure connections. Most Gmail accounts already used secure HTTPS connections (it was the default setting), but now Google will only use HTTPS connections. Users no longer have an option to choose less secure settings.
- Constant encryption. Emails will be encrypted both when a user sends them to Google's server and when Google routes the data among its own servers.
Using this news as a framework, let's look at some of the security and liability issues you can have with email and other basic IT solutions that are hosted by third parties.
Google as a Third-Party Vendor: The Risk of Outsourcing
Almost every business outsources some of its IT infrastructure. Whether you use Gmail, Google Docs, Dropbox, Salesforce, or another third-party service, you and your clients are exposed to some IT risk.
Take, for instance, Google's decision to encrypt all email data. Many IT consultants assume that data is secure once it’s sent to a secure third party or hosted on a cloud. In reality, third-party vendors often don't encrypt data when it is passed among their servers. In fact, Wired reported that Microsoft doesn’t encrypt its server-to-server communications. This oversight was how the NSA was able to hack into Microsoft, Yahoo, and Google.
It's dangerous and inaccurate to assume your data is safe when it is in the hands of a third party – even if it's a big name like Microsoft or Google.
But Wait – There's More Third-Party Risk
Most small IT businesses have to work with third-party tech vendors. You'll use their services to manage client sales data, financial transactions, and a host of other responsibilities that are too expensive and time-consuming for you to do yourself.
In other words, third parties are an unavoidable risk. This is especially troubling because Trustwave reports that 63 percent of data breaches were caused by third-party contractors.
What makes using third-party vendors and contractors so dangerous? As an IT consultant, you know two things about data security:
- Any time data changes hands there's risk involved.
- When someone else stores your data, you can't control its security.
Third-party vendors expose you to both risks. They require you to transfer data from your servers to theirs, where you will no longer have any oversight. For more on third-party risk, see our article "Help Your Clients Understand the Risk from Third-Party Contractors."
Insurance for IT Consultants: Covering Vendor Liability
The reality of the situation is simple: you have to employ third parties and vendor services for your clients because it's the only cost-effective option. That means you'll have to find a way to cover this risk.
Many client contracts require you to have Professional Liability Insurance (also called Errors and Omissions Insurance) in order to cover data breaches and other work liabilities. You might be wondering if this insurance also covers a lawsuit when a vendor mishandles your clients’ data. Don't worry: it does.
IT consultants and tech professionals can be sued when a vendor service they recommend for a client makes a mistake or exposes the client's data to a breach. When that happens and a client sues you, E&O Insurance covers your legal expenses.
In the unpredictable and insecure world of IT vendors, E&O Insurance can make your work a lot less stressful. Even when you're unable to watch over data that's hosted on someone else's servers, you're still protected from the cost of a lawsuit. For more information, check out our other E&O blog posts.