These days people get bombarded with adverts via the TV, email etc. to ‘protect’ their PC’s, more specifically the data on it, by using an Online Backup system such as Carbonite. So what happens if you have a company provided PC? What’s to stop you signing up for such a service on the basis that you’re ‘”just protecting the PC” and “it’ll help the company if they have to recover/re-build my PC”.
Well in some corporate environments they stop users from installing un-approved software but in a lot of companies laptop users get have local admin access and hence can install software themselves. In an environment where users have the privileges to install software what might some of the repercussions be, to a company who’s employees make use of such a service?
Well two potential issues immediately spring to mind;
- Electronically Stored Information (ESI)
- Visibility to Legal action
Now the would seem to be the same and they are somewhat related but for the purposes of this blog entry I’m treating them as different.
In the case of ESI if your company has to go to Federal court these days they may need to provide information to the court as to where the company stores information along with some indication of how long it will take to retrieve information pertinent to the case and in what formats. So what’s going to happen if an employee has been backing up their PC using an online service, is the company likely to know about it? If they don’t is there an obligation on the employee to tell them if they’re part of a case? What happens if the company is keeping the case close held and the employee/s aren’t informed that they’re part of some sort of litigation? What’s the court going to say if (when) they find out?.
In the second case, visibility to legal action, I’ll alluding to whether or not the company/employee in question might be kept in the dark if they’re being investigated. If law enforcement knows, or suspects, that employees and or the company stores information using an online backup service how protected is that information from them? Would it be possible for law enforcement to get a ‘search warrant’, or whatever the appropriate legal device is, that would allow them to go to the service provider and demand the information without either law enforcement, or the service provider, telling the employee/company that they are doing so?
Before you think I might be going off the rails here, law enforcement agency’s already have a mechanism to request and implement wire tapping, without the targets being informed. Online storage of information is a new and untested waters when it comes to who can access your information. Something else to think about, if you store information in the ‘cloud’, essentially at a third party, have you given up any rights to privacy? Do you know where that data is stored? Is it in the same State, even the same Country (probably but ..). What laws might be broken by transmitting data that’s evidence in a case over State lines.
Lots of questions about using using these online backup systems and so far I don’t believe there’s much in the way of legal precedent. Of course any lawyer reading this and who knows better is free to correct me, as is any of the online backup/cloud providers.
Steven JW Kennedy 