Shadow IT, or Rogue IT, is the practice of employees reportedly improvising their way to a more productive job, without their company’s knowledge or approval, by importing cloud based tools to allow greater ease of access to company documents, bypassing firewalls, and facilitating collaboration, to enhance company performance. What could possibly be the harm? It just might be a good way to violate the FTC’s Reasonable Precautions cybersecurity standard.
In order to sustain allegations of unfair practices under the FTC Act, which is the power the FTC uses to enforce its Reasonable Precautions cybersecurity standard, the FTC must prove substantial injury. Quoting from the April 7, 2014 decision of the U.S.D.J. Esther Salas in FTC v Wyndham, et al:
See Am. Fin. Servs. Ass’n, 767 F.2d at 972 (“An injury may be sufficiently substantial . . . if it does a small harm to a large number of people, or if it raises a significant risk of concrete harm.”) (internal quotation marks and citations omitted).
Merely allowing sensitive, private information to be leaked on line, evidently can meet the test for substantial injury.
We previously wrote about the FTC’s case against LabMD. Allegedly, a LabMD employee put a music file sharing application on her work computer, and accidentally shared a company file containing medical information for approximately 9,300 people. Once done, it really couldn’t be undone because there was no way to control what any other person did with the file. According to the FTC, it was enough that the information was shared. The FTC’s lawyer, Alain Sheer, according to a May 20, 2014 report in the National Law Journal, argued that the legal standard, i.e., what the FTC has to prove, is not actual harm, but whether there is a likelihood of harm. That might explain why, according to the same article, he said that the FTC did not plan on offering evidence from any victims of actual ID theft.
In both the Wyndham case and the LabMD case, one of the FTC’s main allegations reportedly was that the particular company did not keep adequate firewalls. Those firewalls basically help the company control access to company files. Putting company documents in the cloud, however, puts them off-site, and may in fact bypass those same firewalls. Putting documents in the cloud, without the company’s direct knowledge, however, is what Shadow IT apparently is all about.
Employee improvisation regarding IT innovations is a good thing, according to an article by Christopher Mims in the 6.9.13 Wall Street Journal, and this is what Shadow IT does. He cited people within the IT world who commented on how cloud based applications virtually sell themselves, with employees bypassing IT departments to install, and use, them on their own. When enough people within a company use them, evidently, the company’s IT department finally notices and, only then, vets the application to ensure its appropriate use and safety. He summarized the benefits of Shadow IT this way:
Here is a typical example of how Shadow IT makes people more productive: Many companies still control access to files employees share with each other by keeping the files behind a corporate firewall, or machines IT controls directly. The problems with this approach are myriad: Employees must be connected to their company’s network to access the files; when they work remotely they have to access the files through a “virtual private network,” which can be cumbersome on a PC and almost impossible on a mobile device. Cloud solutions like Box, Dropbox and others allow workers to access files anytime, on any device, and can even allow them to track all the changes others have made to a file. Many cloud applications also allow real-time collaboration. Google Docs lets multiple people write and edit in the same document simultaneously, and Lucidpress lets multiple people lay out and design the same document, each watching the others’ changes unfold even as they make their own.
Compare the benefits of Shadow IT to the FTC’s allegations in the Wyndham case, as summarized in U.S.D.J. Esther Salas’ April 7, 2014 decision:
Likewise, the FTC alleges that Defendants failed to “use readily available security measures to limit access between and among the Wyndham-branded hotels’ property management systems,” such as firewalls. (Id. ¶ 24(a)). And this aligns with the FTC’s allegation that intruders “were able to gain unfettered access to the property management systems servers of a number of hotels” because “Defendants did not appropriately limit access between and among the Wyndham-branded hotels’ property management systems, Hotels and Resorts’ own corporate network, and the Internet–such as through the use of firewalls.” (Id. ¶ 28).
Now, there may not be a direct link between using cloud based systems and file sharing applications. Most cloud based systems have safety features built in, including controlled access. That doesn’t control, however, what people with that access do with the files, even inadvertently. Passwords may not be strong, or even vetted or controlled by the company. The firewall protecting the documents on the company’s internal network, whose purpose it is to prevent unauthorized access to company documents is by definition bypassed. And, perhaps most importantly, the documents are now stored off site. That after all is the definition of a cloud based system: the files are accessed through servers or computers off site, in some remote center run by whichever company provides the service, in whatever country the company decides to put them.
That, if you remember, is what the British National Health Service, or NHS, recently was criticized for. According to a March 3, 2014 story in the Guardian, confidential patient health information, taking up 27 DVD’s, was uploaded to Google’s large array of servers by a management consulting firm. As we previously wrote, the basic idea was to make the information easier to work with and analyze. The problem, reportedly, was that the dissemination of the personal information was harder to control since it was placed on Google servers, and they were outside of Britain.
Shadow IT is just another example of how well-meaning, and maybe even easily overlooked, behavior can have important consequences. It’s difficult to imagine that the FTC would consider it reasonable for your company to allow, or for it not to do what it could to prevent, its clients’ sensitive private information from being uploaded to the cloud, and then shared, without your company having any sort of direct control or way to limit access. No matter what, exactly, the FTC’s Reasonable Precautions cybersecurity standard means, it must mean your company should at least try to control that.
Go raibh maith agat.