Data Breach Liability and Cloud Storage

As more companies store customer or vendor data online with cloud storage providers, the potential for data breach risk is increased exponentially.

As more companies store customer or vendor data online with cloud storage providers, the potential for data breach risk is increased exponentially.

Earlier this year, some doctors at Oregon Health and Science University started using Google Drive to store patient's medical records. By the time the organization officially knew what was happening and stopped it, they had uploaded over 3,000 patient files to Google Drive, which is a violation of the Health Insurance Portability and Accountability Act, which requires doctors to keep patient information private and secure.

Although Google Drive is password protected and has security measures in place, the university did not have a contract agreement with Google to use or store OHSU patient health information. Additionally, under the terms of service for Google Drive, Google had the right to "use data" to promote or improve the service, which is a violation of patient rights under HIPAA.

This is surely not an isolated incident. As cloud storage proliferates, employees at every kind of company will search for ad hoc methods of data storage, and in many situations such as the Oregon Health and Science University discovered, these employees may be unaware of the various privacy and cyber liability risks they face.

In order for companies to avoid liability arising from use of cloud storage services, the first step is a clear and comprehensive internal policy dictating what kind of company or customer information, if any, is able to be stored on a cloud storage service. Educating employees about the types of risk related to storing medical, financial or other private or protected information about customers is critical.

As a matter of law, cloud storage providers must comply with various compliance and security standards, but they ultimately will not know what kind of information a user uploads. As a risk manager, it is your responsibility to proactively establish company policy regarding what kind of customer data is stored, and where, because it is highly likely your employees are already using some cloud services to store work-related documents.