But what happens if the employee, not the employer, started the account? Does the employer still have to preserve information on that account? Most times, the answer is yes. This is an issue of custody and control. Just because the account is personal does not mean that employer can ignore it. In fact, most employees have Dropbox accounts so they can store their employers' information and access it from remote computers, their smartphones and tablets. Because most employers allow this, are on notice of it, benefit from it and can force employees to turn over information stored on these accounts if needed for businesses purposes, most courts will find that an employer has a duty to preserve these cloud accounts. Thus, if there's any doubt, you should make sure that individual employees who store business-related information on their cloud accounts preserve their accounts until it can be determined whether unique and potentially relevant information is stored on the account.
Once discovery starts, parties should be on alert for ways in which Dropbox and other cloud storage devices could impact the discovery process. This may include modifying definitions, document requests and interrogatories in written discovery and adapting questions posed during depositions, particularly during the deposition of an IT custodian or other key witness custodian, to include cloud storage devices.
During the collection phase of the discovery process, custodians should be carefully directed on how relevant data will be collected from Dropbox. When information is collected from Dropbox, it is important to carefully document the chain of custody, just as it is important to do so when collecting data from other electronic sources. As a result, securing the services of a computer forensic team may be the best policy when Dropbox is a significant data source. The computer forensic consultant also could serve as a helpful witness if a party's discovery process is questioned down the road or if specific electronic information becomes a key source of evidence.
Even before the outset of litigation, outside counsel should have an open discussion with their clients about how the client stores electronic data. This conversation should include a discussion about whether the client uses Dropbox or a similar cloud storage system to store electronic data. Awareness up front about how a client's electronic data is secured, regardless of form, can create a more effective and efficient reaction when litigation arises. It is also critical to understand how a client's data is stored, because employers that use cloud-based storage to store all of their own electronic data can face a host of privacy and ethical issues, as well as significant obstacles in the actual collection of data from the cloud.
Dropbox also has started to have an impact on many types of litigation, but is becoming especially prevalent in patent infringement, white-collar and employee trade secret litigation. Flash drives used to be the tool of choice for employees who wanted to abscond with their employer's confidential information and trade secrets. Now, Dropbox and other cloud storage sites are making flash drives obsolete. The last three trade secret cases I had involved the alleged use of Dropbox to steal information. Apparently, I'm not alone.
Last year, a very prominent case in Pennsylvania focused on a lawyer's use of Dropbox. In February 2012, Elliott Greenleaf sued its former partner and the partner's new law firm for violations of the Computer Fraud and Abuse Act, Pennsylvania's Trade Secrets Act, conversion, breach of fiduciary duty, unfair competition, tortious interference and conspiracy. (See No. 2:12-cv-00674 (E.D. Pa.).) Among other allegations, the complaint alleged that the partner downloaded Dropbox onto Elliott Greenleaf's computers and then downloaded more than 78,000 files, including confidential client information, onto the system before he left the firm. The partner allegedly continued to access the files saved to Dropbox once he joined his new firm. Ultimately, a confidential settlement was reached in the matter.
Similarly, in Zynga v. Patmore, No. CGC-12-525099, filed in Superior Court in San Francisco, Zynga alleged that a former employee stored more than 760 Zynga files on Dropbox before the employee left Zynga for a competitor. The complaint further alleged that because the files were stored on Dropbox, the former employee "could (1) retain these Zynga files after leaving Zynga and (2) access them from any computer or mobile device that [the former employee] links to his Dropbox account."
Despite the former employee's alleged attempts to delete his Dropbox account off of his work computer, Zynga still was able to gather "a forensic trail of his wrongful conduct." The court issued a temporary restraining order against the former employee and the case remains pending. In another case, PayPal sued Google in Superior Court in San Jose, Calif., in May 2011, after two senior executives from PayPal defected to Google and allegedly stole PayPal's confidential information and trade secrets on Dropbox.
Thus, parties should ensure that any forensic analyses conducted on electronic devices include investigation for cloud storage programs like Dropbox. A trained computer forensic analyst can search a device for evidence of a Dropbox account and the types of files stored in the account. This type of evidence can be traced even when a user has attempted to delete or cover up a Dropbox account. Often, this evidence must be gathered from the computer itself because Dropbox and its brethren do not generally make it easy to get information from them via a subpoena. These services also generally do not keep deleted information for an extended period of time.
Even when an employee has not intentionally stolen his or her employer's data, an employee still may have stored an employer's data on Dropbox during his or her employment. Employers can help protect themselves from unauthorized use of Dropbox by adopting policies that address where employees may store the employer's data. Specifically, employers should consider amending their confidentiality policies to cover external storage of confidential information. Employers also may consider adopting a policy that permits employees to store the employer's confidential information on a cloud storage service, but also requires that the employee agree to certain safeguards such as notifying the employer about the external storage, agreeing to use a password-protected service and agreeing to return or destroy any employer data at the termination of the employee's employment.