Strategies for Protecting Trade Secrets in the Cloud
Dana J. Finberg, Corporate Counsel
Not long ago, many companies’ trade secret protection policies consisted of erecting physical barriers preventing unauthorized access to information typically maintained in hard-copy form, and in limiting employee access to the most sensitive information on a “need-to-know” basis. While such measures are still important, in today’s digital world, where an ever-increasing amount of trade secret and commercially sensitive information is maintained in electronic form, these policies are dangerously outdated. Growing reliance on cloud computing—broadly defined as providing services and/or information over a digital network (typically the Internet)—has led to greater opportunities for trade secret theft as more and more businesses store such information in the cloud. Today companies must balance promoting easy and remote access to information, enabling a diverse workforce spread across geographies to innovate and cooperate, with protecting the intellectual property that drives their businesses.
This is no easy task, particularly where companies have increasingly mobile workforces. The idealized notion of a “company man/woman” who stays with one employer for his or her entire career is becoming a thing of the past. One government study found that a person born in the later years of the Baby Boom (between 1957 and 1964) held an average of 11 jobs between the ages of 18 and 42. Anyone following trade secret disputes can see that companies are suing former employees for alleged theft of proprietary data maintained in electronic format with almost alarming frequency.
The primary source for most states’ trade secret laws is the Uniform Trade Secrets Act (UTSA), originally adopted in 1979 and now enacted (with some jurisdictional variations) in 47 states, the District of Columbia and the U.S. Virgin Islands. To qualify for protection as a trade secret under the UTSA, information must meet three requirements:
- It must be secret; i.e., not generally known or readily ascertainable.
- It must derive independent economic value from its secrecy.
- It must be the subject of efforts that are reasonable under the circumstances to maintain its secrecy.
At this point, it is helpful to draw a distinction between internal clouds—networks set up and administered by companies owning trade secret information—and third-party data-hosting services. Many companies have established internal clouds to help pool computing resources and foster higher employee utilization and efficiency. While internal clouds might be advantageous for data protection, because it is easier for companies to track workflow and ensure the implementation of security guidelines, the trade-off relative to economies of scale can be significant. Many smaller companies and start-ups simply lack the financial resources to set up internal clouds with sufficient bandwidth to meet the needs of their employees, and therefore turn to third-party hosts as a matter of necessity.
The UTSA does not require trade secret owners to maintain information in absolute secrecy. However, to avoid running afoul of the “reasonable measures” requirement, when trade secrets are entrusted to third-party data hosts the owner must ensure that either an express or implied duty of confidentiality is created; i.e., the data host must know or have reason to know that it is receiving trade secret information.
Generally, the relationship between data hosting services and their customers is controlled by the Terms of Service (TOS) promulgated by the services. The dilemma for trade secret owners using these services is that many—if not most—of the TOS for third-party data hosts expressly disclaim responsibility for the security and secrecy of information stored in their systems. While larger enterprises representing significant accounts may have sufficient leverage to negotiate terms providing additional safeguards for any information entrusted to the host, the current reality is that smaller companies (and individuals) lack such ability. Absent modifications to the TOS, in most instances the relationship between a trade secret owner and a third-party data host is not one that will create an express or implied duty of confidentiality.
Lacking that, can a trade secret owner allow its trade secrets to be hosted by a third party without risking disclosure of that information? There are competing views on what constitutes a disclosure of information sufficient to deprive it of trade secret status. On the one hand, the “third-party rule” would dictate that any disclosure of trade secret information to a third party not subject to a duty of confidentiality automatically destroys the information’s trade secret status. On the other, Roger Milgrim (one of the leading commentators on trade secret law and the author of the leading treatise on the subject) suggests that no waiver of trade secret protection occurs until there is an actual disclosure and the information becomes “generally known or readily ascertainable.” While no published opinions have addressed whether merely allowing a third-party cloud company to host trade secrets destroys the protected status of the information, prior opinions finding that protection is not automatically lost when information is posted on a website, or is kept in the public files of a court’s Clerk’s Office, provide strong support for Milgrim’s position that no waiver occurs until there is an actual disclosure.
While cautious advice might be to identify trade secrets and never store them in the cloud, in today’s digital workplace such advice may not be commercially feasible. In a study published in February 2013, the Ponemon Institute released the results of a survey of 4,000 people in seven countries about their companies’ data-encryption projects. The study found that more than half of the respondents said that their companies transfer sensitive data to the cloud, and 31 percent said that their companies would likely do so within the next 12-14 months. See Ponemon Institute, 2012 Global Encryption Trends Study [PDF] (February 2013).
As more sensitive information moves to the cloud, the critical issue becomes what security measures will be deemed “reasonable” for protecting the information from disclosure. To determine reasonableness, courts often examine: (1) the nature of the information; and (2) the circumstances under which it will be stored and used. The more sensitive the information at issue, the more sophisticated the data-security measures that may be required to meet the reasonableness standard. While no published opinions explain what will constitute reasonable measures to protect the secrecy of information entrusted to a third-party data host, prior cases involving information maintained in electronic format suggest that the following security measures—individually or used in concert—may be appropriate:
- Hardware security modules to manage data encryption and security keys.
- Electronic tagging of trade secret information, coupled with a data segregation application (such as a firewall), which would prohibit uploading of the most sensitive trade secrets to a cloud server.
- Encryption of data during transfer from the company to the cloud host, and from the host to authorized users.
- Maintaining the data in encrypted form while in the cloud.
- Use of regularly changed secure passwords or sign-ins to limit access to the cloud platform on a need-only basis.
- Electronic monitoring systems to monitor and record access to files stored on the cloud, which provide alerts when files are electronically transmitted via email, uploaded to the cloud or copied on external media (such as thumb drives).
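Several of the measures listed above (tagging trade secret material and segregating it from cloud uploads, encrypting data before it leaves the company and keeping it encrypted at rest, and logging access with alerts on transfers to the cloud or to external media) can be combined into one upload gate. The following is an added example written for this page, not code from the article or from any vendor: the classification labels, the `CloudGate` class, the `seal`/`open_sealed` routines and the sample documents are assumptions. The HMAC-SHA256 counter-mode construction is only a dependency-free stand-in for the AES-GCM a production system would obtain from a vetted library or a hardware security module; the point is the policy flow around it.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Classification labels attached to each document (constructed for this example).
TRADE_SECRET = "trade-secret"
CONFIDENTIAL = "confidential"
PUBLIC = "public"

NONCE_LEN = 16
TAG_LEN = 32


def _subkey(master: bytes, purpose: bytes) -> bytes:
    """Derive separate keystream and MAC keys from one master key (domain separation)."""
    return hmac.new(master, purpose, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream; a stand-in for a real cipher."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Output layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; any alteration is rejected."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to contain nonce and tag")
    enc_key, mac_key = _subkey(master_key, b"enc"), _subkey(master_key, b"mac")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: stored blob was altered")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def is_intact(master_key: bytes, blob: bytes) -> bool:
    """True when the blob still verifies under the key; False if it has been tampered with."""
    try:
        open_sealed(master_key, blob)
        return True
    except ValueError:
        return False


@dataclass
class AuditEvent:
    action: str
    document: str
    decision: str
    alert: bool


@dataclass
class CloudGate:
    """Applies the tag-based segregation policy and records every decision for monitoring."""
    master_key: bytes
    log: list = field(default_factory=list)

    def _record(self, action: str, name: str, decision: str, alert: bool = False) -> str:
        self.log.append(AuditEvent(action, name, decision, alert))
        return decision

    def upload(self, name: str, classification: str, body: bytes):
        """Returns (decision, payload). Trade secrets never leave; confidential data leaves sealed."""
        if classification == TRADE_SECRET:
            return self._record("upload", name, "blocked", alert=True), None
        if classification == CONFIDENTIAL:
            return self._record("upload", name, "uploaded-encrypted"), seal(self.master_key, body)
        return self._record("upload", name, "uploaded"), body

    def copy_to_external_media(self, name: str, classification: str) -> str:
        """Copying tagged material to removable media is blocked and always raises an alert."""
        if classification in (TRADE_SECRET, CONFIDENTIAL):
            return self._record("external-copy", name, "blocked", alert=True)
        return self._record("external-copy", name, "allowed")

    def alerts(self) -> list:
        return [e for e in self.log if e.alert]


if __name__ == "__main__":
    gate = CloudGate(master_key=secrets.token_bytes(32))  # in practice, held in an HSM or KMS
    print(gate.upload("formula.docx", TRADE_SECRET, b"constructed secret recipe"))
    decision, blob = gate.upload("forecast.xlsx", CONFIDENTIAL, b"constructed Q3 numbers")
    print(decision, open_sealed(gate.master_key, blob))
    print(gate.copy_to_external_media("forecast.xlsx", CONFIDENTIAL))
    print(gate.alerts())
```

The audit list is what the monitoring system in the last bullet would consume: every upload and every copy to external media is recorded, and the `alert` flag marks the events that should page someone rather than merely be retained. Because the master key never accompanies the sealed payload, the host holds only ciphertext, which is the "maintained in encrypted form while in the cloud" measure in practice.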
Dana Finberg is a partner in the San Francisco office of Arent Fox, where he is a member of the firm’s Complex Litigation and Intellectual Property practices. He serves as trial counsel in trade secret, patent, trademark, trade dress and copyright litigation throughout the United States.