Last November, I wrote about the basics of cloud computing as well as some best practices for protecting trade secrets stored in the cloud. Given the fast pace of innovation, and the exponential number of recent reports of hacking and cybertheft, my colleague John Molnar and I decided an update was in order. We have assembled a number of posts on the cloud issue and incorporated our own recommendation.
The Legal Analysis: To date, no court has yet considered the question of whether a company’s placement of trade secrets in a cloud-based network would be unreasonable. However, as the title of my post suggests, there has been no shortage of articles and posts from legal and technical commentators.
For example, in a guest post for Forbes entitled “Is It Safe To Store Your Trade Secrets In the Cloud?”, Finnegan lawyers Rob McCauley, Ming Yang, and Jared Schuettenhelm worry about the legal ramifications of storing trade secrets in the cloud. According to their post, if the cloud is known to not be 100% secure, a court might find that a company failed to take reasonable efforts to maintain the confidentiality required for most trade secret claims. Such a ruling would have potentially great ramifications when one considers the fact that cloud computing typically includes e-mail services like Google’s Gmail and Microsoft’s Hotmail as well as document synchronization like Apple’s iCloud.
To demonstrate that a company protected its trade secrets, Peter Vogel of Gardere recommends negotiating the right to regularly conduct audits, as well as a provision ensuring deletion of all information if and when the relationship with the cloud provider is terminated. These provisions would help insulate a business from any claim that it acted unreasonably in storing confidential information in the cloud.
In a post entitled “How to Avoid Losing Your Trade Secrets When Moving to the Cloud,” IP blogger Peter Toren proposes a two step test for determining if a trade secret owner has made a reasonable effort to ensure confidentiality in the cloud. First, Peter advocates that a business require its cloud service vendor to certify that it has appropriate security procedures. Second, the trade secret owner needs to do more than simply accept the vendor’s assurances at face value, and Peter believes a showing that a company performed due diligence to verify the vendor’s claimed security procedures would demonstrate that it acted reasonably. I would tend to agree.
Technical Considerations: Given the importance of due diligence for verifying the security of cloud storage, what should be checked? Jon Brodkin of InfoWorld gives seven recommendations from the technology research firm Gartner, Inc. While his post is several years old, it provides sound advice like demanding transparency from the cloud service vendor, checking on the specific jurisdiction where the data will be stored in, and ensuring data segregation — all of which remain important today.
Similarly, as Mary Beth Hamilton of Eze Castle Integration notes in the Wall Street & Technology Blog, a trade secret owner needs to check how the vendor handles external security threats as well as internal data comingling. But it is not just a vendor’s technology that needs to be investigated. Due diligence should include the vendor’s physical facility as well. Cloud computing expert George Hulme recommends redundant data backup beyond the cloud vendor. Trade secret data would be saved to the cloud while still being backed up locally.
The Takeaway? If concerns about security cannot be resolved, a company may want to consider an in-house private cloud as Bart Copeland, CEO of cloud software provider ActiveState, recommends. While a private cloud might not be right for every enterprise, it would allow the trade secret owner to exercise full control. Of course, some of the benefits of cloud computing would be lost but the risk of losing those trade secrets and the inability to get legal relief to retrieve or protect them should outweigh those considerations.
Lastly, the best defense of trade secrets in the cloud may be the simplest. A trade secret owner needs to be sure that the benefits of storing a trade secret in the cloud outweigh the risks. Put differently, that which is not stored in the cloud cannot be stolen from the cloud. Consequently, the best protection for a company’s crown jewels is to keep them out of the cloud entirely and only store trade secrets of lesser value in the cloud.