
Is Your Secret Safe in the Cloud? Trade Secrets, Security, and Cloud Computing

Seth A. Northrop - Robins Kaplan LLP1

As corporations continue to globalize, so too have their data, applications, and information technology environments. Over the last several years the growth of “cloud” computing has accelerated. Organizations looking to focus on their business have turned to providers that promise centralized and managed services without the need for costly specialized IT personnel and continuing hardware and infrastructure investment. That shift has not been lost on the technology bellwethers, with Google, Microsoft, Oracle and others having rapidly pushed traditional “behind the firewall” applications and services into the cloud. Yet, as the way companies do business is dramatically shifting, so too is the intellectual property landscape. Newly created mechanisms to challenge patents, recent decisions related to patent damages and patentability, and the prospect of potential additional patent reform legislation have all generated renewed interest in leveraging trade secret protection as a viable means to protect technology investment. This paper will address the legal and business intersection between the use of cloud computing and protecting corporate innovation through trade secret law. As both fields continue to advance, organizations will have to remain vigilant in how they balance the value of cloud computing against the need to take reasonable steps to protect the secrecy of their most valuable data.

I. An Introduction to the Cloud

A. What is the Cloud?

Cloud computing refers to the centralization and sharing of computing resources across a network. In other words, it is a mechanism for both large and small enterprises to move file storage, application services, and networking infrastructure to either internally or externally managed central facilities. Often, cloud resources are owned and managed by a third party and then distributed to organizations over either a public or private internet link. Consequently, cloud services are often classified as “public,” “private” or “hybrid.”

Public cloud services are typically delivered over an open network (such as the internet) on architecture that is usually shared between individuals and organizations. This does not necessarily mean the data is open to all, but the service is not typically stored or delivered on infrastructure dedicated to a single customer. Some of the more widely known public cloud services include Dropbox and Amazon’s Web Services (AWS).

Private cloud services on the other hand tend to be dedicated services. Although they can be managed either internally or externally, an organization’s data resides on dedicated hardware or is segregated by other virtual walls. Connections to these systems are also typically virtually segregated from the rest of the internet using techniques such as virtual private networks.

1 Seth A. Northrop is a Principal at Robins Kaplan LLP. His practice focuses on large-scale technology-centric litigation involving intellectual property, business and technology sourcing, cybersecurity, privacy, and software disputes. Seth also assists emerging and growth-stage companies strategically manage and monetize their investments in technology development.

Finally, hybrid cloud services combine elements of both public and private cloud services.

B. How Business is using the Cloud

Although the cloud computing industry continues to be in its infancy, its adoption by enterprises is accelerating as organizations of all sizes are moving from testing the waters to hosting mission critical enterprise applications in the cloud.2 International Data Corporation (IDC) anticipates that the global market for cloud services, including private, public and hybrid clouds, will climb to $118 billion in 2015 and go as high as $200 billion by 2018.3 Not surprisingly, industry surveys highlight that cloud computing initiatives are reported as some of the most important projects being undertaken by the majority of IT organizations.4

1. Explaining the Growth

Growth in the use of cloud services by enterprises can largely be attributed to some of the key advantages it can offer.

First, it helps organizations more efficiently predict and allocate information technology resources. Traditional information technology models required organizations to build out costly data centers that were designed to handle the maximum load of an enterprise. This strategy brought with it significant inefficiencies, as expensive hardware and human resources were often underutilized when the organization was not experiencing spikes in utilization. Cloud services, in contrast, allow organizations to “share” infrastructure, connectivity, and resources with other enterprises, allowing them to rapidly ramp up capacity without the full scope of cost associated with increasing such capacity in-house. This pay-for-what-you-use model therefore allows small and large enterprises alike to more responsively augment IT infrastructure without the capital expense typically associated with increasing capacity.

Second, as enterprise networks grow in complexity, organizations are faced with finding increasingly specialized and hard-to-find software and system engineering expertise to keep the environment maintained. Again, cloud services have allowed enterprises to outsource highly specialized system management responsibilities to cloud providers. By outsourcing this expertise, organizations are better able to focus on their core business areas.

2 See Paul Miller, Cloud Computing Marketing Trends in 2015, Gigamon Research, Feb. 2, 2015, available at http://research.gigaom.com/report/cloud-computing-market-trends-in-2015/.

3 Sharon Gaudin, Hybrid cloud adoption set for a big boost in 2015, Computer World, Dec, 18, 2004, available at http://www.computerworld.com/article/2860980/hybrid-cloud-adoption-set-for-a-big-boost-in-2015.html.

4 IDG Enterprises, Computerworld Forecast Study 2015, Nov. 21 2014, available at http://www.idgenterprise.com/report/computerworld-forecast-study-2015.


Third, availability of services has become essential for enterprises. In order to ensure system availability, enterprises traditionally had to rely upon hardware and geographic redundancy that exponentially increased cost. With cloud services, hardware and geographical redundancy is baked in, as cloud providers distribute their servers and data centers around the planet and replicate corporate data across their networks.

2. Services Provided

Cloud providers generally provide three different types of services that comprise what is referred to as the cloud “stack.” Understanding these various services may provide important context when evaluating the legal and business considerations implicated by the use of the cloud.

a. Infrastructure as a Service (IaaS)

IaaS is the most basic of the cloud services offered. It generally refers to cloud-based infrastructure and architecture such as storage, servers, and networking devices that you might otherwise find in a data center. Customers use these services as a means to scale and distribute network infrastructure throughout the enterprise while otherwise maintaining higher level software and management responsibilities. Examples of IaaS include services such as Amazon AWS which provides enterprises scalable, distributed, and offsite storage for data.

b. Platform as a Service (PaaS)

PaaS provides a development environment for enterprises wishing to develop distributed business applications. Cloud providers manage the architectural backend and middleware components of an application and provide the enterprise tools that can be used to rapidly develop applications. Examples of this type of service include Microsoft Azure and Google App Engine. In such environments, organizations only need to worry about developing front-end applications and can therefore leave the complexity of hardware purchasing and scaling and backend software design to the provider.

c. Software as a Service (SaaS)

SaaS solutions provide a more comprehensive and typically an “out of the box” software and hardware platform to enterprises. Instead of merely providing infrastructure or a development environment, these services aim to provide complete enterprise software solutions to enterprises. Although organizations using SaaS offerings may need to conduct some level of customization, the bulk of the software development, management, and deployment are handled by the cloud provider. Examples of these types of services include Oracle’s Cloud which provides enterprises sophisticated business applications from the cloud that traditionally had to be developed and deployed within an enterprise.

C. Consequences of the Cloud’s Expansion

Although the cloud offers significant promise for enterprises struggling to balance the complexity and costs associated with advances in technology with the desire to stay laser-focused on their businesses, it comes with one key risk: it means companies’ most secret materials, along with the personal and business information of their clients and employees, are being stored and managed by third-party cloud providers. In-house counsel therefore must wrestle with what, if any, consequences such a development has upon the organization’s approach to protecting sensitive data.

II. The Resurgence of Trade Secret Protection

Simultaneous with the growing use of cloud computing within enterprises, trade secret protection is playing a resurgent role in corporate intellectual property strategies.

A. What is Trade Secret Protection?

For the 47 of 50 states that have adopted the Uniform Trade Secrets Act (UTSA), a trade secret is: information, including a formula, pattern, compilation, program, device, method, technique, or process, that:

(1) Derives independent economic value, actual or potential, from not being generally known to the public or to other persons who can obtain economic value from its disclosure or use; and

(2) Is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.5

A trade secret therefore consists of three elements: (a) information; (b) which is valuable because unknown to others; and (c) which the owner has attempted to keep secret.6

Trade secret law is unique in that it provides the owner a “right to control the dissemination of information.”7 Trade secret law therefore provides a means to prevent dissemination of an idea that is currently secret or a means to sanction someone who has improperly misappropriated or otherwise improperly made public the secret.8

B. Why a Resurgence?

Owners of intellectual property have few options to protect proprietary processes and ideas. Typically, the choice is between two often mutually exclusive doctrines: patent protection and trade secret protection. Trade secret law protects the secrecy of an idea or process so long as it remains secret. Patent law, in contrast, protects the subsequent use of a novel process or idea. The rub is that to obtain patent protection a patentee must publicly disclose their invention vitiating any trade secret protection that may have existed (whether or not a patent is ultimately acquirable). In contrast, deciding to keep an idea secret may ultimately jeopardize the patentability of the idea and only provides protection so long as the secret remains secret.

5 Unif. Trade Secrets Act § 1.4; See also Cal. Civ.Code § 3426.1(d).

6 Abba Rubber Co. v. Seaquist, 235 Cal.App.3d 1, 18 (1991).

7 Altavion, Inc. v. Konica Minolta Sys. Lab. Inc., 226 Cal.App.4th 26 (Cal. App., 2014).

8 Id.

Over the past several decades the calculus has largely favored patent protection. Patent rights were perceived as broad. Large patent infringement verdicts and strong patent sales contributed to significant patent valuations. Many, however, have recognized a decided shift. Newly created mechanisms to challenge patents, recent decisions related to patent damages and patentability, and the prospect of potential additional patent reform legislation have all served as headwind to rising patent valuations.

Life has been especially difficult for one group of patent owners that often utilize cloud resources: software developers. Following the Supreme Court’s decision in Alice9 there are serious questions about the scope of patentability for software. In Alice, the unanimous Supreme Court reiterated a two-part test for determining patent eligibility of software: (1) “determine whether the claims at issue are directed to one of those patent-ineligible concepts”; and (2) “search for the ‘inventive concept,’” in other words, “an element or combination of elements that is ‘sufficient to ensure that the patent in practice amounts to significantly more than a patent upon the [ineligible concept] itself.’”10 The application of this test by lower courts has created significant challenges for software patent holders, with the vast majority of decisions finding software patents ineligible for patent protection under Section 101 of the Patent Act. Subsequent Federal Circuit decisions initially were no more favorable to software patent owners. For example, the Federal Circuit’s reconsideration of Ultramercial resulted in the invalidation of the patent owner’s software patent.11 Applying Alice’s two-part test, the Federal Circuit reversed itself and found software-related claims (related to making the display of multimedia content contingent on viewing an advertisement) to be ineligible subject matter.12 The Federal Circuit’s decision in DDR was one of the few bright spots for software patent owners.13 There, despite there being software claims, the Federal Circuit determined the claim to be eligible patent subject matter.14 The reality, however, is that for software developers patent law has become a far less reliable protection of intellectual property rights than it was just years ago.

Questions about patentability, patent damages, and looming potential patent reform may continue to introduce uncertainty into patent valuations and consequently shift the calculus in favor of companies maintaining some of their intellectual property as trade secrets. Erosion in patent viability is not the only driver. Trade secrets have been driving higher jury verdicts. Over the last several years numerous high-profile, high-dollar verdicts have been based upon findings of trade secret misappropriation.15 As these trends continue, corporations will need to become vigilant in how their information remains secret as any slip can result in trade secret protection evaporating.

9 Alice Corp. v. CLS Bank Int’l, 134 S. Ct. 2347 (2014).

10 Id. at 2355.

11 Ultramercial v. Hulu, LLC, No. 2010-1544, 2014 U.S. App. LEXIS 21633 (Fed. Cir. Nov. 14, 2014).

12 Id. at *17.

13 DDR Holdings, LLC v. Hotels.com, L.P. No. 2013-1505, 2014 U.S. App. LEXIS 22902 (Fed. Cir. Dec. 5, 2014).

14 Id. at *26. For more information on the state of software patentability and the decisions discussed above, see Andrea Gothing, Seth A Northrop, and Li Zhu, Are Courts the New Death Squads for Software Patents? Not So Fast., Bloomberg BNA, 89 PTCJ 389, Dec. 12, 2014.

III. Legal Framework for Protecting Secrets in the Cloud

With cloud computing playing a growing role in corporate organizations and trade secret protection becoming increasingly important among enterprises’ intellectual property strategies, in-house counsel are rightly scrutinizing the boundaries of placing sensitive corporate data within the cloud. The key question is whether the use of cloud services can be reconciled with the organization needing to take reasonable efforts to keep the materials secret.16

While the law on trade secret protection of data stored in the cloud is anything but developed, the reality is that the use of cloud services is becoming commonplace for enterprises. Courts may, therefore, be reluctant to find that cloud storage is a per se unreasonable way to store trade secrets even when an outside vendor obtains custody of that data. In-house counsel, however, should be mindful when negotiating agreements with providers about the various disparities in contractual terms since these disparities may become important when determining the reasonableness of the handling of the data.

A. Terms of Service

The Terms of Service published by cloud providers or negotiated master services agreements between the customer and provider often define the contours of the relationship between the cloud provider and the organizations using it. These terms may vary significantly between providers. Some of these differences can be seen within the terms of service of the major cloud providers. But, whether an organization is using off the shelf services from large providers or custom offerings from smaller providers, it is essential to scrutinize the applicable terms for a particular provider before allowing confidential organizational data to be stored on these services.

B. Dissecting the Terms of Service

There are five key components of the typical cloud terms of service that may be scrutinized in a potential trade secret dispute. These include terms related to: (1) who owns data hosted on the services; (2) who and in what circumstances may access the data; (3) what assurances have been provided relating to confidentiality; (4) where geographically data can be stored; and (5) the respective data security obligations of the parties.

15 See, e.g., Kerry Bundy, Top 10 Trade Secrets Developments of 2014, Law360, Dec. 16, 2014, available at http://www.law360.com/articles/603592/top-10-trade-secrets-developments-of-2014-part-1.

16 Unif. Trade Secrets Act § 1; See also Machen, Inc. v. Aircraft Design, Inc., 828 P.2d 73, 78 (Wash. App., 1992).


1. Ownership of the Data

The first provision within cloud sourcing agreements that organizations should scrutinize is ownership of stored data. Many cloud providers expressly disclaim ownership of customer data. For example:

Amazon AWS: “8.1 Your Content. As between you and us, you or your licensors own all right, title, and interest in and to Your Content. Except as provided in this Section 8, we obtain no rights under this Agreement from you or your licensors to Your Content, including any related intellectual property rights.”17

Dropbox: “When you use our Services, you provide us with things like your files, content, email messages, contacts and so on ("Your Stuff"). Your Stuff is yours. These Terms don't give us any rights to Your Stuff except for the limited rights that enable us to offer the Services.”18

Oracle Cloud: “4.1 You retain all ownership and intellectual property rights in and to Your Content and Your Applications.”19

Other providers may grant a license contingent upon how their services are used. For example, Apple’s iCloud service provides that:

Apple does not claim ownership of the materials and/or Content you submit or make available on the Service. However, by submitting or posting such Content on areas of the Service that are accessible by the public or other users with whom you consent to share such Content, you grant Apple a worldwide, royalty-free, non-exclusive license to use, distribute, reproduce, modify, adapt, publish, translate, publicly perform and publicly display such Content on the Service solely for the purpose for which such Content was submitted or made available, without any compensation or obligation to you.20

Obviously, submitting content to servers that are “accessible by the public” could create its own significant challenges to maintaining trade secret protection. Apple’s agreement, however, provides an important wakeup call to organizations to verify that use of services will not create any unwanted licenses or shared ownership rights in the provider that may weaken trade secret protection. More importantly, given that numerous large players are willing to expressly disclaim any ownership to their customer’s data, similar terms should be sought for whatever provider an organization uses.

17 Amazon AWS Customer Agreement, Mar. 15, 2012, available at: http://aws.amazon.com/agreement/ (emphasis added).

18 Dropbox Terms of Service, Jan. 22, 2015, available at https://www.dropbox.com/terms (emphasis added).

19 Oracle Cloud Terms of Service, Oct. 10, 2014, available at http://www.oracle.com/us/corporate/contracts/cloud-csa-us-en-2351289.pdf.

20 Apple iCloud Terms and Conditions, § V.H.1 Oct. 20, 2014, available at https://www.apple.com/legal/internet-services/icloud/en/terms.html

2. Access to the Data

Limiting access to confidential materials is an important consideration when determining whether an organization took reasonable steps to protect the secrecy of information.21 Allowing a third party access to otherwise secret information is not itself sufficient to destroy trade secret status for the material. For example, an organization does not necessarily forfeit trade secret protection by disclosing secret information to "a limited number of outsiders for a particular purpose."22 The reason for this is that absolute secrecy is not a requirement of trade secret protection and indeed such disclosures are often necessary to ensure the “efficient exploitation of a trade secret.”23 It is instead an inquiry into whether the disclosure was reasonable under the circumstances.

Cloud terms of service vary significantly in how the provider may access and use stored data. Staying aware of these differences may be critical to ensuring stored data remains a secret. For example, some terms of service agreements do not allow the provider to access the customer’s data:

Rackspace: “Rackspace agrees that it will not use or disclose Customer Data. We do not acquire any ownership interest in or right to your Customer Data. Customer Data is and at all times shall remain the exclusive property of Customer and will remain in the exclusive care, custody, and control of Customer.”24

Other cloud providers allow limited access for the purpose of responding to legal inquiries and to maintain the cloud provider:

Oracle Cloud: “3.3 To enable Oracle to provide You and Your Users with the Services, You grant Oracle the right to use, process and transmit, in accordance with this Agreement and Your order, Your Content and Your Applications for the duration of the Service Period plus an additional post-termination period during which Oracle provides You with access to retrieve an export file of Your Content and Your Application.”25

21 See, e.g., Lincoln Park Sav. Bank v. Binetti, No. 10 CV 5083, 2011 U.S. Dist. LEXIS 7320, at *9 (N.D. Ill. Jan. 26, 2011).

22 Rockwell Graphic Sys., Inc. v. DEV Indus., Inc., 925 F.2d 174, 177 (7th Cir.1991).

23 Id.

24 Rackspace Terms of Service, Nov. 13, 2014, available at http://www.rackspace.com/information/legal/cloud/tos/ (emphasis added).

25 Oracle Cloud Terms of Service, Oct. 10, 2014, available at http://www.oracle.com/us/corporate/contracts/cloud-csa-us-en-2351289.pdf.


Microsoft Azure: Customer Data will be used only to provide Customer the Online Services including purposes compatible with providing those services. Microsoft will not use Customer Data or derive information from it for any advertising or similar commercial purposes. As between the parties, Customer retains all right, title and interest in and to Customer Data. Microsoft acquires no rights in Customer Data, other than the rights Customer grants to Microsoft to provide the Online Services to Customer.26

Some providers similarly limit use to management of Services but extend the right of access to third parties:

IBM: Each Cloud Service is designed to protect the proprietary content that Client inputs into the Cloud Service and to provide for access and use only as part of the Cloud Service. Except as otherwise specified in an Attachment or TD, IBM will only provide access and use of Client’s proprietary content to IBM employees and contractors as needed to deliver the Cloud Service. IBM will not disclose Client’s proprietary content and will return or destroy it upon the expiration or cancellation of the Cloud Service, or earlier upon Client’s request.27

Finally, other providers allow more expansive disclosure or use of customer data. For example, Dropbox’s terms of service allow it to use third parties to process and manipulate user data:

We need your permission to do things like hosting Your Stuff, backing it up, and sharing it when you ask us to. Our Services also provide you with features like photo thumbnails, document previews, email organization, easy sorting, editing, sharing and searching. These and other features may require our systems to access, store and scan Your Stuff. You give us permission to do those things, and this permission extends to trusted third parties we work with. . . . Dropbox uses certain trusted third parties to help us provide, improve, protect, and promote our Services. These third parties will access your information only to perform tasks on our behalf and in compliance with this Privacy Policy.28

Apple’s iCloud Terms of Service allows it to disclose user content for a variety of purposes including addressing technical issues and assessing contract compliance:

You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if Apple has a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users, a third party, or the public as required or permitted by law.29

26 Microsoft Azure Service Agreement & Terms, Nov. 2014, available at http://azure.microsoft.com/en-us/support/legal/.

27 IBM Cloud Services Agreement, Mar. 12, 2014, available at http://www-05.ibm.com/support/operations/files/pdf/csa_us.pdf (emphasis added).

28 Dropbox Terms of Service, January 22, 2015, available at https://www.dropbox.com/terms (emphasis added).

Amazon’s AWS customer agreement and Google’s Terms of Use allow disclosure as each provider believes is necessary to deliver (or in the case of Google improve) the Services:

Amazon AWS: You consent to our use of Your Content to provide the Service Offerings to you and any End Users. We may disclose Your Content to provide the Service Offerings to you or any End Users or to comply with any request of a governmental or regulatory body (including subpoenas or court orders).30

Google Cloud: “5.2 Use of Customer Data. Google may use Customer Data and Applications only to provide the Services to Customer and its End Users and to help secure and improve the Services. For instance, this may include identifying and fixing problems in the Services, enhancing the Services to better protect against attacks and abuse, and making suggestions aimed at improving performance or reducing cost.”31

It is unclear whether a court would find any of the above use and disclosure provisions an unreasonable protection of secrets. But, the significant disparities among the various offerings—and, the fact that other providers’ agreements may contain even more dramatic disparity—should warrant careful consideration when considering potential providers.

3. Assurances of Confidentiality

Assurances of confidentiality may also be an important consideration when determining the reasonableness of disclosure to a third party. An express agreement to maintain confidentiality may be a strong sign that a party took reasonable steps to maintain confidentiality as “the presence or absence of confidentiality agreements or other means to convey confidentiality ... has a significant and predictable bearing on the outcome of the case.”32 But, an express agreement may not be necessary. Disclosure—particularly when there are assurances to keep information confidential—may create a duty of non-disclosure for a vendor notwithstanding the existence of an express agreement.33

29 Apple iCloud Terms and Conditions, § V.H.1, Oct. 20, 2014, available at https://www.apple.com/legal/internet-services/icloud/en/terms.html (emphasis added).

30 Amazon AWS Customer Agreement, Mar. 15, 2012, available at: http://aws.amazon.com/agreement/ (emphasis added).

31 Google Cloud Platform Terms of Service, § 5.2, Jan. 26, 2015, available at https://cloud.google.com/terms/?csw=1 (emphasis added).

32 CMBB LLC v. Lockwood Mfg., 628 F.Supp.2d 881, 885 (N.D.Ill.2009).

Some cloud providers provide assurances about keeping information “confidential.” For example, Google Cloud’s Terms of Service provides the following assurance:

7. Confidential Information. The recipient will not disclose the Confidential Information, except to Affiliates, employees, agents or professional advisors who need to know it and who have agreed in writing (or in the case of professional advisors are otherwise bound) to keep it confidential. The recipient will ensure that those people and entities use the received Confidential Information only to exercise rights and fulfill obligations under this Agreement, while using reasonable care to keep it confidential.34

Although assurances of confidentiality do not end the inquiry, some courts have held that a reasonable “understanding” of confidentiality may be sufficient to protect a trade secret.35

4. Movement of Data

Another important element of the terms of service is the extent to which a cloud provider may move customer data around the globe. The reality—and, in some cases, benefit—of cloud services is that data can be moved and replicated around the globe to ensure redundancy and speed of access. The problem is that different geographical regions may provide significantly different regulatory and legal protections for data. Cloud service agreements vary significantly in how they limit the provider’s ability to move data between regions.

For example, some cloud providers expressly agree to store data in designated geographic regions:

Microsoft Azure: “Microsoft will not transfer Customer Data outside the geo(s) customer specifies (for example, from Europe to U.S. or from U.S. to Asia) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements.”36

Amazon AWS: “3.2 Data Privacy. We participate in the safe harbor programs described in the Privacy Policy. You may specify the AWS regions in which Your Content will be stored and accessible by End Users. We will not move Your Content from your selected AWS regions without notifying you, unless required to comply with the law or requests of governmental entities.”37

33 United States v. Howley, 707 F.3d 575, 580-81 (6th Cir. 2013); Centrifugal Acquisition Corp. v. Moon, 849 F.Supp.2d 814, 834 (E.D. Wis., 2012).
34 Google Cloud Platform Terms of Service, § 7, Jan. 26, 2015, available at https://cloud.google.com/terms/?csw=1.
35 See, e.g., Von Holdt v. A-1 Tool Corp., No. 04 C 04123. 2013 U.S. Dist. LEXIS 636 at *9-16 (N.D. Ill., Jan. 3, 2013).
36 Microsoft Azure Privacy Policy, Sept. 2014, available at http://azure.microsoft.com/en-us/support/trust-center/privacy/ (emphasis added).

And others expressly allow movement of data to different regions:

Dropbox: To provide you with the Services, we may store, process and transmit information in locations around the world - including those outside your country. Information may also be stored locally on the devices you use to access the Services.38

5. Security Obligations

There is no shortage of concern about the security of cloud services.39 Yet, most of the high-profile data breaches have involved internal systems, not the major cloud providers. The question remains whether it’s reasonable for an organization to rely upon a cloud provider to keep its secrets secure. Again, the terms of service for these providers may provide support for the reasonableness of storing data on the cloud.

Many providers offer assurances that they will implement security measures at least as sophisticated as those they themselves rely upon. For example, Google agrees to secure data at a level consistent with the security of its own data:

1.3 Facilities and Data Transfer. All facilities used to store and process an Application and Customer Data will adhere to reasonable security standards no less protective than the security standards at facilities where Google processes and stores its own information of a similar type. Google has implemented at least industry standard systems and procedures to ensure the security and confidentiality of an Application and Customer Data, protect against anticipated threats or hazards to the security or integrity of an Application and Customer Data, and protect against unauthorized access to or use of an Application and Customer Data.40

Depending on the circumstances, it may be reasonable to rely upon such assurances. Indeed, one of the key reasons for using cloud services is so that organizations can outsource the highly technical data security function to perceived industry experts.

37 Amazon AWS Customer Agreement, § 3.2, Mar. 15, 2012, available at: http://aws.amazon.com/agreement/ (emphasis added).
38 Dropbox Privacy Policy, Feb. 13, 2015, available at https://www.dropbox.com/terms#privacy (emphasis added).
39 See, e.g., Charles Babcock, 9 Worst Cloud Security Threats, Information Week, March 3, 2014, available at http://www.informationweek.com/cloud/infrastructure-as-a-service/9-worst-cloud-security-threats/d/d-id/1114085.
40 Google Cloud Platform Terms of Service, § 1.3, Jan. 26, 2015, available at https://cloud.google.com/terms/?csw=1 (emphasis added).


IV. Recommendations

The growing prominence of cloud usage by industry provides a strong case that it is becoming increasingly accepted as a trusted and commonly utilized tool to store corporate data. At least one court applying the USTA has held that “[i]f a voluntary disclosure occurs in a context that would not ordinarily occasion public exposure, and in a manner that does not carelessly exceed the imperatives of a beneficial transaction, then the disclosure is properly limited and the requisite secrecy retained.”41 Yet, although the use of cloud computing may not be in itself an unreasonable means to protect the secrecy of confidential information, it remains an intensely factual inquiry. The how, why, and where of cloud storage may therefore evolve into the focus of inquiry for trade secret protection. For this reason, taking a number of steps, some of which are listed below, may be beneficial for an organization seeking to preserve its trade secrets.

A. Conducting Due Diligence

As outlined above, the nature of the relationship between an organization and its cloud provider may be critical in protecting the secrecy of a trade secret. Poorly negotiated terms of service or gaps in the technical architecture of the provider may transform otherwise reasonable conduct (storing important corporate data in the cloud) into unreasonable protections of the data (doing so on a service that does not reasonably protect the secrecy of data).

An organization considering cloud services may, therefore, benefit from conducting significant technical, legal, and financial due diligence of the provider to ensure that any risks of disclosure are mitigated or eliminated.

B. Negotiating Terms of Service

As cloud services become further commoditized, vendors have become reluctant to negotiate custom terms of service. However, for larger enterprise clients there may be an opportunity to negotiate select terms to help better ensure the security and secrecy of an organization’s data. Some suggestions for potential negotiation include:

Seeking additional confidentiality terms: Cloud providers may be willing to agree to non-disclosure and confidentiality clauses as either side agreements or as part of a custom master services agreement. As noted above, such terms may be highly impactful when determining whether an organization took reasonable steps to protect the secrecy of its data.

Ensuring data ownership: Ensuring data ownership may be essential to ensuring data is not lost or disclosed. This may be particularly important in circumstances where a provider becomes a victim of acquisition or bankruptcy. Having clear terms outlining what happens to data in such circumstances—and, more importantly making it clear who owns the data—may help ensure the data is not released or transferred to parties that will not protect confidentiality.

Negotiating geographical limitations on data transfer: Many providers will allow customers to elect geographical zones where data will reside. This provides a customer greater assurances that data will not be subject to less stringent regulatory environments or that personal information is not transferred across borders contrary to local laws.

41 Taco Cabana Intern., Inc. v. Two Pesos, Inc., 932 F.2d 1113, 1124 (5th Cir.1991).

Ensuring notice when confidential information is believed to have been stolen or inadvertently released: An inadvertent or wrongful release of a trade secret should not in itself destroy trade secret protection. However, in such a circumstance, it becomes imperative that an organization rapidly respond to the disclosure and seek to minimize dissemination. Receiving prompt notification of a breach or release of information may mean the difference between an organization being able to effectively stop dissemination of the secret or the leak becoming too expansive to preserve protection.

C. Limit Use of Public Cloud Services When Storing Confidential Information

If it becomes necessary—or advantageous—to store trade secret information in the cloud, an organization should strongly consider doing so only within a private cloud environment. Storing secret corporate data on a public cloud service significantly increases the risk of accidental or malicious disclosure.

Having some cloud option, however, may be better than having none. Failing to provide a cloud option may result in employees seeking out similar services on their own. Given the convenience of these services, employees may use their own cloud accounts to move data from one computer to another or to transfer large files among other employees or outside entities. This creates significant risk of inadvertent disclosure. The most important strategy an organization can implement to ensure its information does not end up on less secure, shared public cloud services therefore may be to provide access to private cloud services to its employees.

D. Inventory and Mark Trade Secrets

Identifying information as confidential is often recognized as a key component in a reasonable approach to protecting the secrecy of materials.42 Part of this process is taking the time to identify the “secret sauce” of the business, as well as design and other internal documents that may embody secret details. The company should then unambiguously mark these materials before transferring them to the vendor for cloud storage or at least segment them into “confidential” folders.

Clearly segmenting and identifying confidential materials stored on the cloud will help avoid inadvertent disclosure of the materials and make clear to users of the information that the organization considers the materials confidential. It may also be necessary to trigger confidentiality provisions in cloud service agreements.43

42 Huawei Techs. Co., Ltd. v. Motorola, Inc., No. 11-cv-497, 2011 U.S. Dist. LEXIS 17165 at *28 (N.D. Ill. Feb. 22, 2011).
43 For example, the Google Cloud Terms of Service defines “Confidential Information” as “information that one party (or an Affiliate) discloses to the other party under this Agreement, and which is marked as confidential or would normally under the circumstances be considered confidential information. It does not include information that is independently developed by the recipient, is rightfully given to the recipient by a third party without confidentiality obligations, or becomes public through no fault of the recipient. Customer Data is considered Customer’s Confidential Information.” Google Cloud Platform Terms of Service, § 15, Jan. 26, 2015, available at https://cloud.google.com/terms/?csw=1 (emphasis added).

E. Address Internal Policies

Reviewing internal policies related to confidential information is an important step in ensuring those materials remain secret. Policies that should be reviewed—and modified as necessary—include how and when a company requires non-disclosure agreements, ensuring employees have signed confidentiality agreements, developing rules for use of public or non-sanctioned off-site storage for materials, and defining how the company treats its confidential material. At a minimum, these policies should be updated to address the new reality that storage and applications are moving offsite.

F. Conduct Internal Training

Policies are only effective if the organization’s employees are familiar with them. Conducting regular training sessions designed to inform employees about these policies is an important component of an overall approach to protecting the secrecy of corporate data.

G. Encrypt Data

When dealing with third parties handling highly sensitive data, there is no way to completely eliminate the risk of unauthorized access by either outside parties or by the cloud services provider. Encrypting data before storing it in a cloud service, however, will provide an additional layer of protection. Although the provider may need to access the data for maintenance of the services, the provider would be unable to view the content of the data if encrypted. Likewise, a breach of those services would not expose an organization’s confidential information.

H. Silo Data

For many of the same reasons that it is important to encrypt data, organizations should also silo data whenever possible. In other words, break up the data so that it is not located or accessible in a single place or by a single person. Limiting access to information is an important consideration when assessing the reasonableness of an organization’s conduct.44 Doing so can limit the damage of an accidental or intentional disclosure of confidential information.

I. Establish a Response Team

When a disclosure does occur, taking prompt action to limit the exposure is essential.45 Establishing a rapid response team prior to such a disclosure may be instrumental in not only demonstrating the reasonable steps taken by the organization to ensure the secrecy of data, but also to minimize the impact when such a disclosure does occur.

44 See, e.g., Lincoln Park Sav. Bank v. Binetti, No. 10 CV 5083, 2011 U.S. Dist. LEXIS 7320 at *9 (N.D. Ill. Jan. 26, 2011).
45 See, e.g., Lockheed Martin Corp. v. L-3 Commc’ns Corp., No. 1:05-CV-902-CAP, 2008 U.S. Dist. LEXIS 109615 at *30-32 (N.D. Ga. Sept. 30, 2008).

V. Conclusion

As technology and business continue to evolve, the guideposts companies look to for trade secret protection may shift. That said, the inquiry will remain the same: is the organization taking reasonable steps to maintain its secrets? Implementing common-sense approaches to data protection combined with staying true to industry trends will likely provide significant protection for secrets even as industry continues to push those secrets into the cloud.