It happens all too often: employees unknowingly put their company at risk of a security breach by putting confidential information where it doesn’t belong.
The Open Security Foundation estimated that in 2015 there were 1,472 incidents involving the theft or exposure of personal, confidential or proprietary data in the United States alone. Many of these incidents involved the leak of personally identifiable information, including names, birth dates, email addresses, social security numbers, bank account information, home addresses, employment records and even income data. Millions of customers, patients and employees have been affected by these leaks.
Despite IT’s diligence in protecting data, employees are often the ones putting it at risk. According to a study released by the Identity Theft Resource Center, approximately 15 percent of data breaches in 2015 were caused by employee error or negligence.
When Employees Turn to the Cloud
We recently heard a story that illustrates this data:
The IT director of a company in the health care sector noticed a large number of requests to Google Translate leaving his company’s network. When he looked into it, he discovered that employees were using Google Translate to translate confidential patient data. He estimates that over time employees used Google hundreds of thousands of times to translate data, and, worst of all, he has no way of knowing what or whose data was sent: because the connection to Google is encrypted, his proxy logs show only the destination, not the text that was submitted.
We heard a similar story from the CTO of a Fortune 100 insurance corporation. He found that his employees were also running customer data through Google Translate to help with their work.
Here is the problem with scenarios such as this: when an employee pastes text into Google Translate or another free online translation tool, that text is sent to the provider’s servers, where it may be stored and processed outside the company’s control. Encryption in transit protects the text from eavesdroppers on the way, but the provider itself receives it in the clear. Google’s terms at the time also stated that Google “may need to use a third-party vendor to help provide some aspect of [Google’s] services, such as storage or transmission of data.” This means that there is no way of knowing or controlling where your information may go or where it may be stored.
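The IT director above found the problem by looking at outbound requests. The following script, an added example that is not part of the original article, shows how that check can be done over web-proxy logs: it parses Squid-style access log lines, picks out connections to public translation services, and summarizes them per user. The log lines are constructed for this example, and the hostname list is an assumption to be extended for your own environment. Note that because these connections are HTTPS tunnels (CONNECT), the proxy sees only the destination host and byte counts, never the text that was submitted, which is exactly the blind spot the IT director describes.

```python
"""Detect use of public translation services in web-proxy logs.

Added example, not code from the original article. The sample log lines
below are constructed to imitate a Squid native access log with a
username field; real formats vary. TRANSLATION_HOSTS is an assumed list.
"""
import re
from collections import Counter
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Hostnames of public translation services to flag (assumed list; extend as needed).
TRANSLATION_HOSTS = {
    "translate.google.com",
    "translate.googleapis.com",
}

# Squid native log fields: timestamp elapsed client status/code bytes method url user ...
LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<status>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<user>\S+)"
)

# Constructed sample log (hypothetical users, hosts and addresses).
SAMPLE_LOG = """\
1456099200.123    312 10.0.5.21 TCP_TUNNEL/200 18432 CONNECT translate.google.com:443 jdoe HIER_DIRECT/172.217.3.110 -
1456099201.456     88 10.0.5.21 TCP_TUNNEL/200 20111 CONNECT translate.google.com:443 jdoe HIER_DIRECT/172.217.3.110 -
1456099202.789    120 10.0.5.22 TCP_MISS/200 5120 GET http://intranet.example.local/records/1234 asmith HIER_DIRECT/10.0.1.5 text/html
1456099203.001    210 10.0.5.21 TCP_TUNNEL/200 17012 CONNECT translate.googleapis.com:443 jdoe HIER_DIRECT/172.217.3.142 -
1456099204.222     95 10.0.5.23 TCP_TUNNEL/200 9031 CONNECT mail.example.com:443 bchen HIER_DIRECT/203.0.113.8 -
1456099205.333    150 10.0.5.24 TCP_TUNNEL/200 16888 CONNECT translate.google.com:443 asmith HIER_DIRECT/172.217.3.110 -
"""


def host_of(url: str) -> str:
    """Return the hostname from a proxy URL field.

    CONNECT requests are logged as "host:port"; other methods log a full URL.
    """
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()


def parse_log(log_text: str):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["host"] = host_of(rec["url"])
        rec["bytes"] = int(rec["bytes"])
        rec["time"] = datetime.fromtimestamp(float(rec["ts"]), tz=timezone.utc)
        yield rec


def translation_requests(log_text: str):
    """Return the records whose destination is a known translation service."""
    return [r for r in parse_log(log_text) if r["host"] in TRANSLATION_HOSTS]


def per_user_summary(log_text: str):
    """Map user -> (request count, total logged bytes) for translation traffic.

    For a CONNECT tunnel the byte count is the size of the tunneled
    session, not the size of the text pasted in; it is only a rough
    indicator of volume.
    """
    counts, total_bytes = Counter(), Counter()
    for r in translation_requests(log_text):
        counts[r["user"]] += 1
        total_bytes[r["user"]] += r["bytes"]
    return {u: (counts[u], total_bytes[u]) for u in counts}


def flag_users(log_text: str, min_requests: int = 2):
    """Users with at least min_requests hits on translation services, sorted."""
    summary = per_user_summary(log_text)
    return sorted(u for u, (n, _) in summary.items() if n >= min_requests)


if __name__ == "__main__":
    for user, (n, b) in per_user_summary(SAMPLE_LOG).items():
        print(f"{user}: {n} requests, {b} bytes to translation services")
    print("flagged:", flag_users(SAMPLE_LOG))
```

Run against a real proxy export, the same summary tells you who is using the services and how often, which is the first question an investigation or an acceptable-use follow-up needs answered. It cannot tell you what was translated; that is precisely why the page argues for keeping the translation step inside the network.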
Violating HIPAA, NDAs and Privacy Laws
The danger of putting data into the cloud, however, is not only that it might be stolen. The more immediate threat is unintentionally violating contracts and industry regulations that govern the handling of personal or confidential data. These are just a few of the regulations and laws governing personal data usage and storage in the United States:
- HIPAA: The HIPAA Omnibus rule took effect in 2013. Among its changes was a clarification that a service provider that stores or transmits protected health information on a covered entity’s behalf is a business associate, and business associates must themselves comply with HIPAA:
"... document storage companies maintaining protected health information on behalf of covered entities are considered business associates, regardless of whether they actually view the information they hold."
This means that health care companies must use a HIPAA-compliant cloud service for storing patient data. Consumer cloud services and online translation tools such as Google Translate typically do not meet HIPAA requirements and will not sign a business associate agreement. Using these services with confidential patient data could put the company at risk of a HIPAA violation.
If a HIPAA-covered entity is found to violate these rules, the U.S. Department of Health and Human Services may impose civil monetary penalties of up to $1.5 million per year for each category of violation, so total penalties across several provisions can be much higher.
Anthem Inc.’s 2015 data breach exposed the personal information of roughly 80 million people. The incident is expected to cost over $100 million and could reach as high as $8 billion because of an ongoing class action lawsuit.
- Non-disclosure agreements: The typical non-disclosure agreement (NDA) obligates the recipient to keep the information it receives confidential and not to disclose it to third parties. Submitting confidential or proprietary information to a public online service is a disclosure to a third party that is not bound by the agreement, and that is what using a free translation tool amounts to; whether the connection is encrypted makes no difference, because the provider still receives the text. If your company handles client information under an NDA, running it through such a tool could be treated as a breach of contract and lead to legal action, including a lawsuit for damages.
Additionally, the loss of intellectual property or trade secrets due to a data breach can also result in shareholder suits or SEC investigations, depending on the situation.
- Privacy Act of 1974: The Privacy Act of 1974 was created in response to concerns about how computerized databases might affect an individual’s privacy rights. One of its central provisions restricts how a federal agency may disclose an individual’s records to other people and agencies without that individual’s consent.
Because of this provision, federal agencies that store personal data with a cloud service they do not control may be in violation of the Privacy Act. Some records-management experts have argued that this provision, together with federal records management laws, may limit how agencies can store records in the cloud. The same reasoning applies to cloud-based translation tools.
The American Federation of Government Employees, the federal government’s largest labor union, filed a class action lawsuit against the U.S. Office of Personnel Management (OPM) after the massive cyber attack on OPM’s systems disclosed in June 2015. Initial estimates put the breach at approximately 18 million federal employees’ personnel and security files; OPM later raised its estimate to 21.5 million. The Privacy Act provides criminal penalties of up to $5,000 for willful unauthorized disclosure by an agency employee. This lawsuit is also ongoing.
Finding Safe Alternatives to Prevent Violations
To prevent violations that occur simply because employees turn to public cloud services for translation, the solution is to change employee behavior and to communicate the consequences of not doing so.
First, give employees a safe tool to use. Many translation software solutions are cloud-based, which means the text leaves your network and your control. Instead, use an in-house translation solution that can be installed on your company’s servers behind the firewall, such as SYSTRAN, so the text never leaves the network.
Ensure employees actually use the tool by incorporating it into your information governance policies and then communicating its benefits to employees. Beyond the obvious prevention of a compliance violation or data breach, translation software also translates data faster and boosts productivity. It is also important that employees understand the consequences of not using such software, so that they stop turning to online tools. A policy is far easier to enforce when outbound requests to public translation services are monitored or blocked at the web proxy, as the IT director above was able to do once he knew to look.
While it may seem unlikely that your team would violate data laws, studies show it can and does happen. Safeguard your company against compliance violations by giving employees an in-house tool rather than relying on a service in the cloud. Something as simple as translating records with secure language software instead of a free online translation service could save your company millions of dollars in future penalties.