By Allen Smith
There are few drawbacks to prohibiting employees from using personal cloud accounts to store company-related information, and many dangers to allowing it, according to John Ella and Jillian Flower, attorneys with Jackson Lewis in Minneapolis.
Not everyone agrees, though; some see several downsides to having strict prohibitions, including the possible negative impact on morale.
A company might opt against a blanket ban on using personal cloud accounts for work, and instead ban certain employees from doing so, wrote Matthew Aibel, an attorney with Epstein Becker Green in New York City and Adam Forman, an attorney with Epstein Becker Green in Detroit and Chicago. Employees subject to the ban would typically have access to such sensitive business information that it might be too risky to let them use personal cloud accounts.
Ella and Flower wrote in response to questions from SHRM Online that there are many possible risks when employees use personal cloud accounts for work purposes, including that:
- The employer could lose access to the only copies of company documents for a period of time, or forever.
- The employee could use stored trade secrets or confidential information in competition.
- Personally identifiable information could be hacked, causing a data breach.
- Information could not be disclosed or made available in response to an electronic discovery request in litigation, leading to court sanctions.
The only good argument against having a prohibition on using personal cloud accounts for work would be for the flexibility or convenience of employees, they wrote. “But the company could arrange for a company-owned cloud storage arrangement that would allow remote access,” they added.
Aibel and Forman identified other risks of allowing employees to store company information in personal cloud accounts.
This practice “could potentially create an expectation or company-endorsed policy of working unauthorized overtime hours,” they wrote in an e-mail. “For employees who are nonexempt under the Fair Labor Standards Act, this could result in significant exposure if the overtime is not paid.”
In addition, “Even the most prepared IT department can be foiled in its measures to stop a cyberattack if employees accidently drag malware onto a company network via a cloud,” they noted.
Moreover, “once an employer decides to allow employees to use personal cloud-based systems for work-related documents—or does not prohibit it—it is very difficult to put the genie back in the bottle,” they wrote. “There is no telling what, if anything, has been removed or copied from the cloud-based service while in the employee’s control.”
Downsides of Strict Prohibitions
However, they saw some downsides for companies with strict prohibitions on employees’ use of personal cloud accounts.
“Employers desiring employees to access work files remotely or to work collaboratively on a project with co-workers located in different geographic regions, for example, would have to provide and maintain a secure network and remote access, requiring the expenditure of potentially scarce resources and time,” they wrote. “Allowing certain types of work-related information to be uploaded to a cloud-based account could relieve some of this economic pressure.”
And allowing the use of a personal cloud account for work could be a reasonable accommodation for a person with a disability, they added.
Not least of all, morale could dip if employers prohibit employees from using personal cloud accounts for work. “More and more, today’s workers expect certain workplace flexibility that permits a work/life balance,” they wrote. “Strictly prohibiting an employee’s use of a personal cloud-based account, when competitors allow it, could potentially lead solid prospects and good employees to choose to work elsewhere.”
If an employer lets an employee use a personal cloud account for work, “it might make sense for the employer to retain a copy of what the employee sent or stored,” Aibel and Forman said. This could prove to be a significant step: “One such scenario is where an employer is required to preserve or produce data because of litigation or a client demand. Another example is where the employee is leaving to start his or her own competing company, or where he or she is going to work for a competitor. Having a copy of what was sent or stored to have a version to check against might come in handy, should a future need arise.”
If a cloud-based account is the property of the company, but an employee somehow prevents the employer from accessing that account, such as by changing his or her password, the company may be able to get a court order to access it, noted Jessica Asbridge, an attorney with FordHarrison in Atlanta.
Asking a departing employee to delete files from his or her cloud account in the presence of a company official isn’t likely to eliminate the risks of permitting a personal cloud account to be used for work, Aibel and Forman cautioned. However, they wrote, “It may make sense to have the employee sign and date an acknowledgment confirming that he or she purged all work-related data in his or her personal cloud-based storage account and did not otherwise make or retain any copies.”
Allen Smith, J.D., is the manager of workplace law content for SHRM. Follow him @SHRMlegaleditor.