Strategies for Protecting Trade Secrets in the Cloud

Recent studies estimate that trade secrets may account for up to two-thirds of most companies’ information portfolios, and that the annual cost of trade secret misappropriation to U.S. companies ranges between $45 and $300 billion. Given the importance of trade secrets to many companies’ competitive success, it is no surprise that trade secret litigation is booming. Indeed, federal courts have seen it doubling roughly every decade for the past 30 years, and jury verdicts in the hundreds of millions are becoming almost commonplace.

Not long ago, many companies’ trade secret protection policies consisted of erecting physical barriers preventing unauthorized access to information typically maintained in hard-copy form, and in limiting employee access to the most sensitive information on a “need-to-know” basis. While such measures are still important, in today’s digital world, where an ever-increasing amount of trade secret and commercially sensitive information is maintained in electronic form, these policies are dangerously outdated. Growing reliance on cloud computing—broadly defined as providing services and/or information over a digital network (typically the Internet)—has led to greater opportunities for trade secret theft as more and more businesses store such information in the cloud. Today companies must balance promoting easy and remote access to information, enabling a diverse workforce spread across geographies to innovate and cooperate, with protecting the intellectual property that drives their businesses.

This is no easy task, particularly where companies have increasingly mobile workforces. The idealized notion of a “company man/woman” who stays with one employer for his or her entire career is becoming a thing of the past. One government study found that a person born in the later years of the Baby Boom (between 1957 and 1964) held an average of 11 jobs between the ages of 18 and 42. Anyone following trade secret disputes can see that companies are suing former employees for alleged theft of proprietary data maintained in electronic format with almost alarming frequency.

The primary source for most states’ trade secret laws is the Uniform Trade Secrets Act (UTSA), originally adopted in 1979 and now enacted (with some jurisdictional variations) in 47 states, the District of Columbia and the U.S. Virgin Islands. To qualify for protection as a trade secret under the UTSA, information must meet three requirements:

It must be secret; i.e., not generally known or readily ascertainable.
It must derive independent economic value from its secrecy.
It must be the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

Litigation concerning misappropriation of trade secrets stored in the cloud will inevitably focus on the “reasonable measures” requirement and will raise questions of whether it is ever reasonable to allow trade secrets to be stored in the cloud—and, if so, what security measures are required to maintain secrecy. Despite the proliferation of litigation involving cloud-enabled misappropriation of trade secrets, courts have yet to provide definitive answers to these questions.

At this point, it is helpful to draw a distinction between internal clouds—networks set up and administered by companies owning trade secret information—and third-party data-hosting services. Many companies have established internal clouds to help pool computing resources and foster higher employee utilization and efficiency. While internal clouds might be advantageous for data protection, because it is easier for companies to track workflow and ensure the implementation of security guidelines, the trade-off relative to economies of scale can be significant. Many smaller companies and start-ups simply lack the financial resources to set up internal clouds with sufficient bandwidth to meet the needs of their employees, and therefore turn to third-party hosts as a matter of necessity.

The UTSA does not require trade secret owners to maintain information in absolute secrecy. However, to avoid running afoul of the “reasonable measures” requirement, when trade secrets are entrusted to third-party data hosts the owner must ensure that either an express or implied duty of confidentiality is created; i.e., the data host must know or have reason to know that it is receiving trade secret information.

Generally, the relationship between data hosting services and their customers are controlled by the Terms of Service (TOS) promulgated by the services. The dilemma for trade secret owners using these services is that many—if not most—of the TOS for third-party data hosts expressly disclaim responsibility for the security and secrecy of information stored in their systems. While larger enterprises representing significant accounts may have sufficient leverage to negotiate terms providing additional safeguards for any information entrusted to the host, the current reality is that smaller companies (and individuals) lack such ability. Absent modifications to the TOS, in most instances the relationship between a trade secret owner and a third-party data host is not one that will create an express or implied duty of confidentiality.

Lacking that, can a trade secret owner allow its trade secrets to be hosted by a third party without risking disclosure of that information? There are competing views on what constitutes a disclosure of information sufficient to deprive it of trade secret status. On the one hand, the “third-party rule” would dictate that any disclosure of trade secret information to a third party not subject to a duty of confidentiality automatically destroys the information’s trade secret status. On the other, Roger Miligrim (one of the leading commentators on trade secret law and the author of the leading treatise on the subject), suggests that no waiver of trade secret protection occurs until there is an actual disclosure and the information becomes “generally known or readily ascertainable.” While no published opinions have addressed whether merely allowing a third-party cloud company to host trade secrets destroys the protected status of the information, prior opinions finding that protection is not automatically lost when information is posted on a website, or is kept in the public files of a court’s Clerks Office, provide strong support for Miligrim’s position that no waiver occurs until there is an actual disclosure.

While cautious advice might be to identify trade secrets and never store them in the cloud, in today’s digital workplace such advice may not be commercially feasible. In a study published in February 2013, the Poneman Institute released the results of a survey of 4,000 people in seven countries about their companies’ data-encryption projects. The study found that more than half of the respondents said that their companies transfer sensitive data to the cloud, and 31 percent said that their companies would likely do so within the next 12-14 months. See Poneman Institute, 2012 Global Encryption Trends Study [PDF] (February 2013).

As more sensitive information moves to the cloud, the critical issue becomes what security measures will be deemed “reasonable” for protecting the information from disclosure. To determine reasonableness, courts often examine: (1) the nature of the information; and (2) the circumstances under which it will be stored and used. The more sensitive the information at issue, the more sophisticated the data-security measures may be required to meet the reasonableness standard. While no published opinions explain what will constitute reasonable measures to protect the secrecy of information entrusted to a third-party data host, prior cases involving information maintained in electronic format suggest that the following security measures—individually or used in concert—may be appropriate:

Hardware security modules to manage data encryption and security keys.
Electronic tagging of trade secret information, coupled with a data segregation application (such as a firewall), which would prohibit uploading of the most sensitive trade secrets to a cloud server.
Encryption of data during transfer from the company to the cloud host, and from the host to authorized users.
Maintaining the data in encrypted form while in the cloud.
Use of regularly variable secure passwords or sign-ins to limit access to the cloud platform on a need-only basis.
Electronic monitoring systems to monitor and record access to files stored on the cloud, which provide alerts when files are electronically transmitted via email, uploaded to the cloud or copied on external media (such as thumb drives).

Featured Firms

Law Offices of Gary Martin Hays & Associates P.C.

75 Ponce De Leon Ave NE Ste 101

Atlanta, GA 30308

(470) 294-1674

www.garymartinhays.com

Law Offices of Mark E. Salomone

2 Oliver St #608

Boston, MA 02109

(857) 444-6468

www.marksalomone.com

Smith & Hassler

1225 N Loop W #525

Houston, TX 77008

(713) 739-1250

www.smithandhassler.com

Presented by BigVoodoo

More From ALM

As generative artificial intelligence inspires one of the biggest transformations in generations, Practical Guidance continues to provide the latest tips to help you prepare for the rapid evolution in the way attorneys work.

Practical Guidance Journal: Protecting Work Product in a Generative AI World

Brought to you by LexisNexis®
Download Now

The recent SEC release comes with significant changes for private fund managers. Hear expert insights on what happened, what it means, and what the compliance considerations are.

Countdown to Compliance: SEC Private Fund Reforms

Brought to you by Ontra
Download Now

Find out what features make a code of conduct most effective. Hint: it’s not just the rules.

9 Ethical Code of Conduct Examples for the Business Professional

Brought to you by LRN
Download Now

Premium Subscription

With this subscription you will receive unlimited access to high quality, online, on-demand premium content from well-respected faculty in the legal industry. This is perfect for attorneys licensed in multiple jurisdictions or for attorneys that have fulfilled their CLE requirement but need to access resourceful information for their practice areas.
View Now

Team Accounts

Our Team Account subscription service is for legal teams of four or more attorneys. Each attorney is granted unlimited access to high quality, on-demand premium content from well-respected faculty in the legal industry along with administrative access to easily manage CLE for the entire team.
View Now

Bundle Subscriptions

Gain access to some of the most knowledgeable and experienced attorneys with our 2 bundle options! Our Compliance bundles are curated by CLE Counselors and include current legal topics and challenges within the industry. Our second option allows you to build your bundle and strategically select the content that pertains to your needs. Both options are priced the same.
View Now

From Data to Decisions

Dynamically explore and compare data on law firms, companies, individual lawyers, and industry trends.

Exclusive Depth and Reach.

Law.com Compass includes access to our exclusive industry reports, combining the unmatched expertise of our analyst team with ALM’s deep bench of proprietary information to provide insights that can’t be found anywhere else.

Big Pictures and Fine Details

Law.com Compass delivers you the full scope of information, from the rankings of the Am Law 200 and NLJ 500 to intricate details and comparisons of firms’ financials, staffing, clients, news and events.

General Counsel Summit (GCS) 2024

August 12, 2024 - August 13, 2024
Sydney, New South Wales

General Counsel Summit is the premier event for in-house counsel, hosting esteemed legal minds from all sectors of the economy.

Learn More

General Counsel Conference Southwest 2024

September 18, 2024 - September 19, 2024
Dallas, TX

Join General Counsel and Senior Legal Leaders at the Premier Forum Designed For and by General Counsel from Fortune 1000 Companies

Learn More

Women, Influence & Power in Law (WIPL) 2024

September 23, 2024 - September 24, 2024
Chicago, IL

WIPL is the original global forum facilitating women-to-women exchange on leadership and legal issues.

Learn More