As you’ve no doubt heard, hackers recently accessed dozens of female celebrities’ personal cloud-based storage accounts, releasing hundreds of nude photographs and videos onto the web. Many of the photographs were taken by cell phones, which automatically backed up the files to popular cloud services, such as iCloud and Dropbox. Some suspect that the hackers then employed targeted attacks in which “brute force” programs were used to randomly guess weak passwords for a given username until it found a match. Once inside the celebrities’ cloud accounts, the hackers could access all manner of personal information. This is how many criminals operate today and all professionals should pay attention.
Cloud-based computing is not limited to personal use, and is quickly becoming ubiquitous in the professional community. This technology offers many benefits to professional firms, such as increasing collaboration, improving work efficiency, and minimizing the need to invest in costly data infrastructure and IT support. While there are clear benefits to be gained by adopting a cloud-based system, the remote storage of data on remote servers also poses many hazards and security concerns. In the private sphere, such data breach could mean the loss of privacy and the disclosure of embarrassing information; however, for professionals, the potential for disclosure of confidential client data raises the stakes even higher.
Unlike a company data center run by an in-house IT department, cloud storage generally involves outsourcing data needs to third-party providers. These providers do not necessarily have the same incentive to protect confidential client information as the firms who contract them. At the same time, storing data remotely opens up the possibility that the third-party provider may have access to confidential information. Furthermore, the consolidation of data from many different businesses and users on a single cloud system invites increased risk of cyber-attack and potential unauthorized access to client files.
Professionals must tread carefully when entrusting data to third parties. For starters, professionals have an ethical duty of confidentiality to their client, and may face disciplinary action for unauthorized disclosure of confidential client information. Similarly, professional privileges, such as the attorney-client privilege, and accountant-client privilege generally require that the communication be maintained confidentially between the professional and her client, and may be called into question by unintended disclosure through a cloud-based provider.
In addition to ethical concerns, unauthorized disclosure of confidential client information could significantly damage a client’s reputation, expose trade secrets to competitors, or invite increased litigation. If the client is damaged by such disclosure, and the professional failed to take adequate steps to mitigate the risk of harm, the client could look to a professional malpractice claim to remedy the harm.
Given that cloud-based computing and storage is likely here to stay, professionals should take steps to ensure that they use these services safely, so as to minimize harm to themselves and to clients. First, firms must conduct due diligence in selecting a cloud service that provides proper security measures to secure client data. Along these lines, firms should also have a clear policy in place about employee’s use of personal cloud storage services on devices that they use for work, and discourage employees from putting unauthorized apps with cloud storage capabilities at work that do not meet company security standards. Firms, should also implement programs to educate employees and customers about cloud storage, security, and privacy. Taking simple steps, such as using random number and letter passwords that can’t be guessed, and updating passwords every several months can go a long way to discouraging unauthorized access and avoiding potential costly data breaches.