February 22, 2012
Forbes
Authored by Robert F. McCauley III and Ming-Tao Yang
A CIO's nightmare may be realized if several seemingly-plausible assumptions regarding "cloud" computing and storage turn out to be untrue. These may include the assumption 1) that it is safe to put "everything" my company has in the cloud; 2) that my company's trade secrets will remain protectable "secrets" in the cloud, even after an accidental leak or an intentional hack is stopped; and 3) in the event of leaks or hacks, the cloud service providers are liable for our losses under our cloud-service agreements. Unfortunately, these assumptions may not be correct.
Companies and their staff may choose to store all kinds of information in the cloud:
The trouble is, there are things the CIO has no control over when the company's information is in the cloud. For example, such information can be stored essentially anywhere in the world, including locations outside the direct reach of U.S. law. Moreover, the company's data can now be accessed remotely, sometimes by unauthorized subscribers. Finally, back-up, extra, or unsecured copies can exist even after the files are removed, modified or encrypted later. Each of these factors may impact the trade secret status of the information.
A trade secret is any information (e.g., a formula, pattern, compilation, program, device, method, technique or process) that:
One of the key issues courts focus on in assessing entitlement to trade secret protection is whether the measures the company implemented to protect its information are reasonable under the circumstances.
Cloud providers tout having resources and abilities to secure highly-confidential or sensitive data. But no data stored online is perfectly secure, and intentional hacking and unintentional security breaches have become all too common. Two headlines from the last two years are good reminders:
Given such security vulnerabilities, might a court find that, by placing highly-sensitive and valuable information in the cloud, a company did not take "reasonable" efforts to maintain the secrecy of its information? While the courts have yet to grapple with this question, it deserves careful consideration.
Traditionally, courts have recognized common efforts, such as signing non-disclosure agreements, limiting employee access to a "need to know" basis, and controlling access to facilities, as examples of reasonable efforts. But in view of security risks, it is possible that a court might find that a company that placed its "crown jewels" in the cloud failed to take reasonable efforts to protect its data.
Moreover, the fact that cloud providers may contractually limit their liability to far less than the likely value of such "crown jewels" could further undermine a company's efforts to show that it took reasonable precautions to protect its data. For instance, cloud provider Salesforce.com has limited its liability for a data breach to the lesser of $500,000 or the amount paid by the subscriber in the twelve months preceding the breach. Given the potentially vast differential between the value of trade secrets and limitations on a provider's liability, a court might find that it is simply unreasonable for a subscriber to have placed such valuable information in the cloud.
Accordingly, by placing valuable information in the cloud, a company might risk losing its trade secrets in the event of a security breach. This is especially concerning, because the courts recognize that a trade secret, once lost, is lost forever.
The widespread use and "public" nature of social networks has also impacted what courts deem to be protectable trade secrets. For example, employees' information-exchanging communities on LinkedIn, Facebook or Twitter are outside of their employers' reach, making private information public by sharing it with connections and friends. Once posted, this information is hardly "protected" information.
For instance, in the case of Sasqua Group, Inc. v. Courtney, the plaintiff, a financial advisor business, brought a claim against a former employee for misappropriating its customer information. But the former employee suggested that virtually all personnel in the capital markets industry have contact information on social networks, making the customer information readily accessible. Finding that the information was not protectable, the court observed that "the exponential proliferation of information made available through full-blown use of the Internet and the powerful tools it provides to access such information in 2010 is a very different story."
A company should take extra care to protect its trade secrets. Accordingly, we suggest at least the following:
In so doing, your company may be able to avoid potential pitfalls in protecting its confidential and sensitive information in this age of proliferating technology and the cloud.
©Forbes. Reprinted by permission. This article is for informational purposes, is not intended to constitute legal advice, and may be considered advertising under applicable state laws. This article is only the opinion of the authors and is not attributable to Finnegan, Henderson, Farabow, Garrett & Dunner, LLP, or the firm's clients.
Conference
Best Practices in Intellectual Property– A Decade of Dedication to IP Excellence
April 8-9, 2024
Tel Aviv
Articles
Cracking the Code: How Do Courts Decide Where Internationally Stored Source Code Should Be Reviewed?
February 20, 2024
Due to international data regulations, we’ve updated our privacy policy. Click here to read our privacy policy in full.
We use cookies on this website to provide you with the best user experience. By accepting cookies, you agree to our use of cookies. Please note that if you opt not to accept or if you disable cookies, the “Your Finnegan” feature on this website will be disabled as well. For more information on how we use cookies, please see our Privacy Policy.
Finnegan is thrilled to announce the launch of our new blog, Ad Law Buzz, devoted solely to breaking news, developments, trends, and analysis in advertising law.