39

For a number of reasons, including remote accessibility, my company would like to move all of our accounting records, account applications, and marketing materials to Google’s Apps for Work Drive. At first glance, this sounds like a pretty bad idea, but I don't have the firsthand knowledge or reasons to argue a case against it.

The information stored includes banking information, names, and addresses; as well as SSNs, mostly in the form of PDF documents.

Can we legally host our files with Google Drive, who would be responsible for the costs associated with a breach in access, and is the amount of risk worth the increased accessibility?

Documents provided by Google support:

Jens Erat
epool
    Probably not desirable to make it so breaking into a single google account grants access to all that information, just as an initial thought. – James T Oct 12 '15 at 14:27
  • 34
    here, in Switzerland, it would be illegal to do so due to data protection law and the fact that Dropbox uses US-based data centers. – Stephane Oct 12 '15 at 14:33
  • 11
    every PC/Laptop/Smartphone that has access to this Google Drive is a liability. – JOW Oct 12 '15 at 14:33
  • 1
    Thank you, these were also my thoughts as well. I also read on an EDU site there was an issue because we cannot guarantee only US employees will have access to the documents. I don't have any hard facts though – epool Oct 12 '15 at 14:36
  • 4
    I'm presuming you're in the US due to the use of SSNs. I am betting (though not a lawyer) that there are restrictions on export of data in the US (Certainly is here in the UK). You would have to be able to guarantee the data staying in the US (possibly in the same state, I don't know). In short, you'd need a lawyer to ensure this is compliant. – Chris Murray Oct 12 '15 at 15:53
  • [Related question](http://security.stackexchange.com/questions/62599/what-are-some-considerations-before-moving-personal-data-to-google-drive) – Mark Oct 12 '15 at 21:02
  • 1
    Please edit the question to add more context. As our [help] says, "What background should I give in my question? Security is a very contextual topic: threats that are deemed important in your environment may be inconsequential in somebody else's, and vice versa. [...] To get the most helpful answers you should tell us: [..]" Also, please clarify what exactly your question is. Can you? Of course you can. Should you? I don't know; that sounds subjective -- what are the criteria? Is it safe? Nothing is safe. Is it safe enough? You'll need to tell us what you consider "safe enough". – D.W. Oct 12 '15 at 21:48
  • 1
    IANAL, but I would read the [Terms of Service](http://www.google.com/policies/terms/) very carefully. In particular: "When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content." That may not fly with PII. – tpg2114 Oct 12 '15 at 23:02
  • 1
    This depends on the legislation that applies, but usually at least you would need a proper contract with google and not just the "click here to create a free account" thing. In this contract, they have to guarantee that they are compliant to all requirements you have (like mentioned, where the data is stored but maybe also who can access it) – Josef Oct 13 '15 at 07:14
  • 1
    You shouldn't even be looking at the consumer-targetted systems. Cloud systems "...for business", which are likely to be paid services, are more likely to be compliant and secure. I'd only run half a mile from them if it was my decision. – Chris H Oct 13 '15 at 09:07
  • Probably you can, but if you may (legally) is another question. Whether you should: probably not. – simon Oct 13 '15 at 10:11
  • "I'm making the assumption they would be responsible for physical breaches". What makes you think that? And what kind of "responsibility" do you expect - what do you expect Google to do after they were breached? – oliver Oct 13 '15 at 12:30
  • 1
    How would you honestly evaluate the information security skill of Google as compared to the skill of your company? Here are 2 key test questions to ask your CISO: 1. How many days do you take to detect an intrusion, a leak? 2. How many days do you spent to fix these? Compare with what would an independant IS expert answer for Google Apps for Work. This is worth to hire an independant IS expert to get a correct weighting of advantages versus inconveniences, risks, impacts, costs. – dan Oct 14 '15 at 06:21
  • The Grant Tornton audit sentence (in Audit & Certification Summary ) "Logical security controls provide reasonable assurance that logical access to production systems is restricted to authorized individuals." is using too weak a buzzword "**reasonable assurance**" which my brain can't compute in probability value: NaN! – dan Oct 14 '15 at 06:31

8 Answers

48

Google Drive is no more or less safe than any other web-based service with a single logon. Your company must decide for itself whether it is willing to put the data online (albeit behind Google's authentication).

At the very least, I'd recommend that

  1. 2-factor authentication is used
  2. Any data travelling outside the organisation is encrypted.

Google Drive is presumably fairly secure, but as we saw with iCloud, people can (and do) sometimes get access to systems they shouldn't be able to access.

One piece of advice a tutor at university gave me was:

Treat anything that isn't behind your firewall as though it was on a USB pen you'd just left on a train

Meaning: assume that it may fall into the wrong hands, and ensure that you've taken sufficient precautions to make it useless to them.

(In fact, I'm a fan of treating things that are behind my firewall the same...)

Edit

To add to the "liability" question:

This is mostly a matter of what is stated in the contracts, agreements (EULA or ToS etc) etc between you and Google, and potentially you and any third parties who the data belongs to. Note that this doesn't just include clients/customers, it also includes your staff, if you are storing their personally identifiable information in the cloud - so this could not only cause financial issues, but also destroy employee trust if there is a breach! Your bank may also refuse to reimburse any money lost if bank details are stored in the cloud, as this could be considered negligence.

In general, though: unless specifically stated, at least some liability will always remain with you. Some liability may or may not fall upon Google for data breaches etc, but this will depend on the agreement. You will still be liable for any third party data, however, in as much as you have chosen to entrust it to a third party.

If there was a data breach, it would then become a (likely very long and drawn out!) legal question, and would revolve around whether either Google or yourself were negligent, the nature of your agreement, and whether you both took any and all reasonable steps to protect that data.

I think the crux of your question is "Will Google take responsibility for the security of data on Google Drive" to which the answer is "No, probably not". But I am not a lawyer, nor do I play one on TV.

Jon Story
  • Thank you, very good advice. We have just enabled the 2-step authentication because, funnily enough, one of our users' passwords was just compromised. They still want to move forward because Google has assured them that with the 2-step process we are safe. – epool Oct 12 '15 at 14:44
  • 2-factor authentication is useful for preventing people guessing your password. Although this helps significantly with the main weakness of online services, it does nothing if someone malicious gains access to the storage behind Google Drive (i.e. they break into Google's system directly). If you have sensitive data, you should still encrypt it. – Jon Story Oct 12 '15 at 14:46
  • It's also worth noting it doesn't protect someone from a compromised device after it's been authenticated, e.g. someone who has synced our documents on a computer that later becomes infected or compromised. – epool Oct 12 '15 at 15:04
  • Given current security practices, I'd say that you should treat ANYTHING as about as secure as on a flash drive that you lost on a train. Firewalls don't just magically save you. Look no further than Sony, the NSA, the US Military, Ashley Madison and countless other major data spills for evidence of that. – Steve Sether Oct 12 '15 at 20:44
  • The same will happen to Google, since they don't live in the magic world where probability equal to 0 exists, do they. – dan Oct 13 '15 at 22:30
  • Data stored on Google Drive is, in fact, "data traveling outside the organization." – Craig Tullis Oct 14 '15 at 06:19
  • @SteveSether - that was really the point of my "In fact, I'm a fan of treating things that are behind my firewall the same..." statement: assume someone will try to gain access and do as much as you can to make it not worth their time. – Jon Story Oct 14 '15 at 09:06
  • @craig - that was somewhat the point of my answer? That anything placed on Google Drive should be encrypted. – Jon Story Oct 14 '15 at 10:56
  • @JonStory The problem with these attacks, and with encrypting the files using any system which provides the user with transparent access to the files on their own computer, is that any malware which gets onto their computer also gets transparent access to the files. In other words, encrypting the files is nice, but almost pointless in light of the actual nature of attacks like DropSmack and these token manipulation attacks. – Craig Tullis Oct 15 '15 at 14:18
  • True, but the question here is 'should we put our data on Google Drive', not 'should we access Google Drive from home' - I know that's pedantic to an extent, but in the interest of keeping this focused, I've opted to only answer the direct question. Certainly there are additional concerns if the GDrive is then synced down to other external machines, although that's no different to any other method of taking the files to a home machine. – Jon Story Oct 15 '15 at 14:20
23

This answer may not directly relate to your question of who is held liable for data leakage.

I would not store any unencrypted, sensitive data on google drive, even if they just use your data to operate, promote and improve their Services. From Google's Terms of Service:

When you upload, submit, store, send or receive content to or through our Services, you give Google (and those we work with) a worldwide licence to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes that we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights that you grant in this licence are for the limited purpose of operating, promoting and improving our Services, and to develop new ones.

mucaho
  • Great find! This is a good argument in itself. Specifically this part brings a large amount of concern: > publicly display and distribute such content – epool Oct 12 '15 at 19:11
  • @edward.pool There are other cloud storage providers that claim to encrypt your data on your PC before they upload it to their cloud, e.g. [MEGA](https://mega.nz/#info). – mucaho Oct 12 '15 at 19:20
  • Thank you, this is very useful. I was also reading about other solutions to encrypt the files before storing them and then to view them later, like [boxcryptor](https://www.boxcryptor.com/en/google-drive). – epool Oct 12 '15 at 19:23
  • Would the ToS be met if Google decrypted (i.e. 'translated/adapted/changed/created a derivative work') your data, so long as they did it for their 'limited' purposes? "Oh, we gave your decrypted data to X so they wouldn't limit our access to Y. We really need access to the Y market." Might be an expensive lesson/lawsuit to find out. – JS. Oct 12 '15 at 23:52
  • @JS. like you said, it depends on how you interpret the scope of their _limited_ purpose. However, you would probably want to encrypt your data securely, making it nearly impossible for them to decrypt it using their available resources. – mucaho Oct 13 '15 at 00:17
  • @mucaho but with MEGA I'd be worried about the authorities taking them down and your data with it. – Chris H Oct 13 '15 at 09:05
  • @ChrisH Would you elaborate why they could be taken down? – mucaho Oct 13 '15 at 11:08
  • MEGA is the successor to Megaupload, which was taken down by the authorities for hosting copyright infringement. Its founder is still a target for law enforcement from that case. I suggest that despite their use of encryption, they are more vulnerable than the likes of Google and Microsoft to having the whole site taken down at short notice. After all, users leaking encryption keys could easily demonstrate what's being hosted. – Chris H Oct 13 '15 at 11:24
  • Be aware that even Dotcom says not to trust Mega any more. http://www.wired.co.uk/news/archive/2015-07/31/kim-dotcom-mega-3 – kirb Oct 13 '15 at 22:42
  • @edward.pool: the clause about publishing refers to a feature in Google Docs and Sheets where users can choose to publish a document for public viewing. It doesn't allow Google to publish documents without your express permission. – Lie Ryan Oct 15 '15 at 00:36
12

Storing sensitive data outside of a private network is always a risk.

It's much easier for malicious users to get access to the data. Using phishing techniques, or if you log on to your account on an infected computer, or even worse if your own computer gets infected, a malicious user could get access to your credentials and use them to access the data. Since Google's servers are available on the web, it wouldn't be hard to connect and do some damage.

On the other hand, if you keep the sensitive data in a private network it's always harder to access the data even if the malicious users have the credentials, because they would have to enter your network first.

To help avoid situations like that, two-factor authentication is always recommended. Unless the malicious user has access to your physical device, two-factor authentication would make it harder to access the data even with the credentials.

Another important aspect is the way you store the information. I'd recommend storing the information encrypted (you can try TrueCrypt), because that way even if somebody could get physical access to the device, or for some reason could log in and see the data, it would be unreadable.
And Google's policies for uploaded data allow them to use the data for multiple purposes (like advertising, translations, etc.), so you never know.

pedromendessk
8

I'm making the assumption they would be responsible for physical breaches ...

I doubt that they will be responsible for this in the way you expect. Especially, I doubt that they would cover all costs caused by the loss or leak of these data. Unless they explicitly cover those costs, it is primarily your problem because you've uploaded the data there.

You might check with your cyber-insurance provider whether they would cover those costs (I hope that you have such insurance if you deal with such sensitive personal data).

Steffen Ullrich
4

Encrypt the data no matter what! Sensitive data should not even be sitting within your own network without being encrypted and without access control in place. If it's encrypted in the first place, you at least have a lot less to worry about in any circumstance. Don't trust someone else to do the job you should have done in the first place; it's more about protecting yourself. Depending on the data you transmit, it could be illegal to transmit and store it unencrypted. And it should never be outside of the company unencrypted. If you must do something like transport it on a laptop or flash drive, those devices need to be encrypted. If you lose the data through improper practices, it's your fault.

David-
0

Why not set up your own server in your company? My father in-law worked in an accounting firm and set up their own servers for their data.

Robert
-2

It was revealed at this year's DefCon that there's a new kind of attack vector being used called MITC, or Man-In-The-Cloud, that has already compromised several G-Drive and DropBox accounts. I would STRONGLY advise against this.

-2

In addition to the above comments, I'd add a small tidbit. The vast majority of the cloud storage providers do not encrypt the data "at rest" on their servers for their "standard" consumer offer. There is a HUGE notable exception to this and this is "Box" (not Dropbox, just "Box"; they are at box.com). They are not as cheap as Google Drive, but there is some value in the fact that the data is in fact encrypted at rest. This could alleviate some of the challenges with encrypting it yourself before you store it in the cloud.

Additionally, their service does have a HIPAA-compliant variant that should more than satisfy concerns about data protection.

See more here: Box Security and Privacy (click the Encryption tab at the top for more specifics)

Greg
  • [citation needed] for "vast majority of the cloud storage providers do not encrypt the data "at rest"" – schroeder Oct 14 '15 at 19:17
  • Can you describe how "encryption at rest" in a cloud environment helps in the problem described in the Question? – schroeder Oct 14 '15 at 19:19
  • Dropbox appears to employ "encryption at rest": https://www.dropbox.com/business/trust/security/architecture – schroeder Oct 14 '15 at 19:23
  • iCloud and Google Drive also encrypt at rest (AES 128). OneDrive encrypts at rest but only for business customers. – schroeder Oct 14 '15 at 19:26
  • The question of liability is a complex legal issue that is heavily dependent on jurisdiction and state law. From a HIPAA point of view (and I recognize the OP is not necessarily an obligated agency), there is specific language related to "business associates" which a cloud provider could potentially be considered. From HHS: [link](http://www.hhs.gov/ocr/privacy/hipaa/understanding/summary/index.html). See the section on Business Associate in the above link. – Greg Oct 14 '15 at 19:28
  • So if the OP encrypts the data before storage, does encryption at rest matter on the service provider end? – schroeder Oct 14 '15 at 19:29
  • @schroeder of course not. The larger issue is managing that encryption prior to storing it on an enterprise scale. Box has accounted for all of that complexity by layering on all of the access controls including 2-factor auth and more. – Greg Oct 14 '15 at 19:32
  • @schroeder I cannot provide citations for all of the cloud providers who do not encrypt at rest, partially because very few of them actually call it out. Those that DO encrypt at rest make a big deal of it. The following do NOT encrypt at rest in their ordinary consumer service: Google Drive, MS OneDrive, iCloud Drive. – Greg Oct 14 '15 at 19:34
  • As to the OP's original question, there is nothing inherently illegal with storing those documents in the cloud. Liability is determined in part by "due diligence." By choosing a cloud provider that offers encryption in transit and at rest, data center physical controls, HIPAA compliance statements, etc., IMHO the OP could withstand a due-diligence test. State law + case law for the OP's state would provide the best guidance on exactly how much risk is being taken. Storing that data internally unencrypted and/or without sufficient access control would likely fail due-diligence tests. – Greg Oct 14 '15 at 19:39
  • @schroeder please provide citations backing up the statement that iCloud and Google Drive encrypt at rest. Both companies have replied to my emails on that very topic with the opposite statement - that data is not encrypted at rest. – Greg Oct 14 '15 at 19:41
  • Did you email the business side? Many of those services have a HIPAA-compliant offering that is not obvious. I'm not going to cite all my sources (it is easily searchable) but for iCloud: https://support.apple.com/en-ca/HT202303 – schroeder Oct 14 '15 at 19:52
  • No, my comment *SPECIFICALLY* identified the consumer side. – Greg Oct 14 '15 at 19:57
  • You have a couple of problems with your answer: 1) you make a broad statement about cloud providers that appears to be untrue, 2) you also made a comment that your statement in your answer only applied to "ordinary consumer service", a qualification that you did not make in your answer, but your link to Box was for the business-grade service. – schroeder Oct 14 '15 at 20:06
  • Box doesn't have a consumer service... Or perhaps it's better stated that they don't differentiate like the others do. It's a single service. You don't "choose" whether or not to get encryption at rest like you can with some of the others. And I apologize - I apparently thought I cited the "consumer" services in my answer but in looking back, I didn't. I think I chopped it by accident in editing for length. – Greg Oct 14 '15 at 20:53
  • @schroeder I just edited my original answer related to the consumer side. – Greg Oct 14 '15 at 20:56