Data management is a critical concern for all businesses in the technology age. Many companies put significant amounts of data in the hands of third parties, both intentionally and unintentionally (such as through use of apps). Oftentimes, even though a user ordinarily thinks digital data is not tangible, a company who stores user information does not actually know where the servers containing such data are physically located. This is a potential concern in using cloud-based data storage.
A company using a cloud-based system for data storage must take reasonably prudent precautions to ensure its data is not at risk. This includes inquiring into where the third party’s “cloud” servers are physically located. If the third party goes out of business, any agreement between it and the company whose data it has on its servers ends. However, the data still remains on those servers, causing problems for companies trying to remove their data.
Some companies who handle large amounts of sensitive personal information, such as health care providers, have a heightened duty to keep their data secure. Earlier this year, the Federal Trade Commission (FTC) set this standard of care as one of reasonableness. However, Daniel Kaufman, the Bureau of Consumer Protection Deputy Director, in a deposition taken last May, would not definitively answer questions regarding whether specific practices would pass the FTC’s “reasonableness” standard. He instead maintained that what is “reasonable” must be determined on an individual basis, and that the FTC’s various statements on the matter, including its consent orders, adequately create a body of guidance that companies can use to determine whether their practices fit the standard.
Despite not stating what practices would pass the standard, the FTC has given examples of what would not be reasonable under the new standard. These unreasonable factors include the “failure to properly encrypt data,” “failure to train employees in proper data management,” and “failure to securely dispose of data,” amongst others.
Hosted software packages, also called infrastructure as a service (IaaS), is a cloud-based service model that many companies use. Under this method, the company buys a software package from a vendor, who stores the company’s data on its servers and provides maintenance and updates for the software. It provides ease to the company, and makes it such that the company does not have to entirely rely on its IT department. Yet, IaaS contains the same risks inherent under other cloud-based structure.
Proper research can mitigate the inherent risks a company faces using a third party to manage sensitive data. If a company does not want to take the risks described above, then it should instead use software packages that are installed on the company’s individual computers. These differ from hosted software in that data is kept on the company’s servers, rather than those of a third party vendor. Whichever system a business decides to use, the protection of user information should always be a priority.