As businesses increasingly store and access confidential information in the cloud, questions arise as to how to safeguard a company’s private data once it becomes part of an external computing network. Standards for adequately protecting intellectual property are still evolving as cloud computing continues to gain popularity. At the same time, changes in patent law have made trade secrets a more attractive strategy for preserving proprietary information and competitive advantage. Inevitably, tensions will arise between the use of cloud computing and efforts to protect corporate innovation through trade secret law. Insights into best practices for both can help alleviate those tensions, allowing companies to take advantage of cloud technologies while maintaining the value of trade secret assets.
Turning to Trade Secrets
Traditionally, companies chose patent law as the way to protect proprietary innovation. In the past, patent rights seemed broad, and large patent infringement verdicts, along with strong patent sales, resulted in significant patent valuations.
Recently, however, this trend has shifted. Newly created mechanisms allowing challenges to patents and recent decisions related to patent damages and patentability raise serious questions about the reliability of patent protection—especially for software-based innovations. Looming potential patent reform legislation adds to the uncertainty about patentability for software in the future, making patent protection an unreliable choice for companies looking to preserve intellectual property that is managed in the cloud.
These changes have made trade secret protection more attractive, particularly for software. While trade secret law varies from state to state, trade secret law generally protects 1) information; that 2) is valuable because it is unknown to others and; 3) that the owner has attempted to keep secret.1 When these elements are met, companies can recover significant damages for the misappropriation of trade secret-protected information—as recent jury verdicts for trade secret claims demonstrate.2
A Legal Framework for Protecting Secrets in the Cloud
Despite their growing popularity, trade secrets present a problem to those who utilize third-party cloud computing services: To remain eligible for trade secret protection, companies must be vigilant about maintaining secrecy so as not to compromise the confidential nature of their trade secrets. Does use of a third party provider to manage and store a company’s sensitive information compromise that secrecy?
To answer that question, in-house counsel needs to scrutinize the boundaries of placing sensitive corporate data within the cloud. The key question is whether the use of cloud services can be reconciled with the organization needing to take reasonable efforts to keep the materials secret.3
While the law on trade secret protection of data stored in the cloud is anything but developed, the reality is that the use of cloud services is becoming commonplace for enterprises. Courts may, therefore, be reluctant to find that cloud storage is a per se unreasonable way to store trade secrets even when an outside vendor obtains custody of that data. In-house counsel, however, should be mindful when negotiating agreements with providers about the various disparities in contractual terms since these disparities may become important when determining the reasonableness of the handling of the data.
A. Terms of Service
The contours of the relationship between cloud providers and service users most frequently get defined in the Terms of Service—and those terms may vary significantly between providers. Whether an organization is using off-the-shelf services from large providers or custom offerings from smaller providers, it is essential to scrutinize the applicable terms for a particular provider before allowing confidential organizational data to be stored on these services.
Pay particular attention to five areas that are critical in any trade secret dispute.
1. Ownership of Data
Who owns the data once the provider becomes involved? Contracts specifically address ownership, so the inclusion of language that protects data ownership after it is transferred to the cloud is essential. Some providers use language disclaiming ownership. Others specify contingencies to ownership. Verify that the use of services will not create any unwanted licenses or shared ownership rights in the provider that may weaken trade secret protection. Given that numerous large providers expressly disclaim any ownership to their customers’ data, insisting on similar terms should not create any difficulties—and should raise red flags if it does.
2. Access of Data
Limiting access to confidential materials becomes an important consideration when determining whether an organization took reasonable steps to protect the secrecy of information.4 Allowing a third party access to otherwise secret information may not destroy trade secret status for the material. For example, an organization does not necessarily forfeit trade secret protection by disclosing secret information to "a limited number of outsiders for a particular purpose."5 Absolute secrecy is not a requirement of trade secret protection, as disclosures are often necessary to ensure the “efficient exploitation of a trade secret.”6 Be especially careful as to how reasonable the disclosures may be under the circumstances.
Cloud terms of services vary significantly in how the provider may access and use stored data. Staying aware of these differences may be critical to ensuring that stored data remains a secret. For example:
- Some terms of service agreements do not allow the provider to access the customer’s data.
- Some cloud providers allow limited access for the purpose of responding to legal inquires and to maintain cloud provider services.
- Some limit use to management of services, but extend the right of access to third parties.
- Some permit more expansive disclosure or use of customer data, allowing third parties to process and manipulate user data for a variety of purposes, including addressing technical issues and assessing contract compliance.
Which disclosure provisions a court would find to be an unreasonable protection of secrets remains unclear. Given the significant disparities among the various offerings—and the fact that other providers’ agreements may contain an even more dramatic disparity—make careful decisions about these terms during negotiation with potential providers.
3. Assurances of Confidentiality
Consider assurances of confidentiality as they relate to determining the reasonableness of disclosure to a third party. An express agreement to maintain confidentiality may be a strong sign that your company took reasonable steps to maintain confidentiality as “the presence or absence of confidentiality agreements or other means to convey confidentiality ... has a significant and predictable bearing on the outcome of the case.7
Bear in mind that an express agreement may not be necessary. Disclosure—particularly when there are assurances to keep information confidential—may create a duty of non-disclosure for a vendor notwithstanding the existence of an express agreement.8 Some cloud providers provide assurances about keeping information “confidential.”
Although assurances of confidentiality do not end the inquiry, some courts have held that a reasonable “understanding” of confidentiality may be sufficient to protect a trade secret.9
4. Movement of Data
Consider also the extent to which a cloud provider intends to move your customer data around the globe. Moving and replicating data worldwide can ensure redundancy and speed of access, a benefit to using cloud technology. Yet different geographical regions may provide significantly different regulatory and legal protections for data. Cloud service agreements vary considerably in how they limit the provider from moving data from different regions. Some cloud providers expressly agree to store data in designated geographic regions, while others expressly allow movement of data to different regions. Be deliberate about how and where your information will be used and transferred.
5. Security Obligations
Can your company reasonably rely upon a cloud provider to keep your secrets secure? The security of cloud services continues to be a legitimate concern.10 Yet most of the high-profile data breaches have involved internal systems, not the major cloud providers. Again, the terms of service for these providers may provide support for the reasonability of storing data in the cloud. Many providers grant assurance that they will implement security measures that are at least as sophisticated as the ones they rely upon themselves. For example, Google agrees to secure data at a level consistent with security of its own data. Whether or not it may be reasonable to rely upon such assurances depends upon the circumstances. Indeed, a key reason for using cloud services is so that organizations can outsource the highly technical data security function to perceived industry experts.
B. Additional Considerations
Although the use of cloud computing may not be in itself an unreasonable means to protect the secrecy of confidential information, it remains an intensely factual inquiry. The how, why, and where of cloud storage may therefore evolve into the focus of inquiry for trade secret protection. For this reason, taking a number of steps, some of which listed below, may be beneficial for an organization seeking to preserve its trade secrets.
1. Negotiating Terms of Service
As cloud services become further commoditized, vendors may be reluctant to negotiate custom terms of service. However, for larger enterprise clients there may be opportunities to negotiate select terms to help better ensure the security and secrecy of an organization’s data. Some suggestions for potential negotiation include:
- Seeking additional confidentiality terms: Cloud providers may be willing to agree to non-disclosure and confidentiality clauses as either side agreements or as part of a custom master services agreement. These terms may prove highly impactful when determining whether an organization took reasonable steps to protect the secrecy of its data.
- Ensuring data ownership: Ensuring data ownership may be essential to preventing data from being lost or disclosed, particularly in circumstances where a provider becomes a victim of acquisition or bankruptcy. Having clear terms outlining what happens to data in such circumstances—and, more importantly, making it clear who owns the data—may help ensure the data is not released or transferred to parties that will not protect confidentiality.
- Negotiating geographical limitations on data transfer: Many providers allow customers to elect geographical zones where data will reside, providing a customer greater assurance that data will not be subject to less stringent regulatory environments, or that personal information will not be transferred across borders contrary to local laws.
- Ensuring notice when confidential information may have been stolen or inadvertently released: An inadvertent or wrongful release of a trade secret should not in itself destroy trade secret protection. In those circumstances, however, it becomes imperative that an organization rapidly respond to the disclosure and seek to minimize dissemination. Receiving prompt notification of a breach or release of information may mean the difference between a company being able to effectively stop dissemination of the secret, or the leak becoming too expansive to preserve protection.
2. Limit Use of Public Cloud Services When Storing Confidential Information
Should your company decide to store trade secret information in the cloud, strongly consider doing so only within a private cloud environment. Storing secret corporate data on a public cloud service significantly increases the risk of accidental or malicious disclosure.
The most important strategy your company can implement to ensure that its information does not end up on less secure, shared public cloud services may be to provide access to private cloud services to your employees. Using a cloud option may actually be more beneficial than having no corporate cloud option at all. Failing to provide a cloud option may result in employees seeking out similar services on their own. Given the convenience of these services, employees may use their own cloud accounts to move data from one computer to another, or to transfer large files among other employees or outside entities, creating significant risk of inadvertent disclosure.
3. Inventory and Mark Trade Secrets
Identifying information as confidential can be key to what is considered a reasonable approach to protecting the secrecy of materials.11 Detail what constitutes a business’s secret competitive advantage, as well as any design or other internal documents that may embody secret information. Unambiguously mark these materials before transferring them to the vendor for cloud storage, or at least segment them into “confidential” folders.
Clearly segmenting and identifying confidential materials stored on the cloud helps avoid inadvertent disclosure of the materials and makes clear to users of the information that your company considers these materials confidential. It may also be necessary to trigger confidentiality provisions in cloud service agreements.12
4. Address Internal Policies
Review internal policies related to confidential information in order to ensure that those materials remain secret. Policies to review—and modify as necessary—include determining how and when a company requires non-disclosure agreements, ensuring employees have signed confidentiality agreements, developing rules for use of public or non-sanctioned off-site storage for materials, and defining how your company treats its confidential material. At a minimum, update these policies to disclose that storage and applications are now moving offsite.
5. Conduct Internal Training
Employees must be familiar with their company’s policies in order to follow them. Conduct regular training sessions designed to inform employees about trade secret policies in order to protect the secrecy of corporate data.
6. Encrypt Data
Whenever third parties handle highly sensitive data the risk of unauthorized access, by either outside parties or by the cloud provider itself, can never be completely eliminated. Encrypting data before storing it in a cloud service provides an additional layer of protection. Although the cloud provider may need to access the data for maintenance of the services, the provider would be unable to view the content of the data if encrypted, and a breach of those services would not expose the confidential information.
7. Silo Data
Along with encrypting data, also silo data whenever possible. Break up data, making it difficult to locate or access it in a single place or by a single person. Limiting access to information remains an important consideration when assessing the reasonableness of a company’s conduct.13 Doing so can limit the damage of an accidental or intentional disclosure of confidential information.
8. Establish a Response Team
When a disclosure does occur, take prompt action to limit the exposure.14 Establishing a rapid response team prior to such a disclosure may be instrumental in not only demonstrating the reasonable steps taken by a business to ensure the secrecy of data, but also in minimizing the impact when such a disclosure does occur.
As technology and business continues to evolve, so, too, will guidelines regarding trade secret protection. Continue to ask: is your organization taking reasonable steps to maintain its secrets? Implementing common sense approaches to data protection and staying true to industry trends will likely provide significant protection for secrets, even as industry continues to push those secrets into the cloud.
The articles on our Website include some of the publications and papers authored by our attorneys, both before and after they joined our firm. The content of these articles should not be taken as legal advice.