Law Alerts:

Page 2... RE: California Trade Secrets and the Cloud


            Proper means of trade secret discovery include: public display, reverse engineering, independent invention, and published literature such as patent or other government filings. Cloud users must be particularly wary of the public display of trade secrets, as a New York court recently held that a company’s customer list was not a trade secret because the company previously uploaded the data to the cloud and the customer information was accessible on a variety of social networks hosted in the cloud.[9] Although trade secret protection typically extends to customer lists, the court noted that perhaps the accessibility of personal information in the 21st century is broadening the definition of public information.[10]

            Taking “reasonable efforts” to protect a secret is the primary method through which a company might demonstrate the existence of a trade secret.[11] Reasonableness is an imprecise standard that depends upon the foreseeability of the risk of misappropriation in each unique circumstance.[12] Although the owner of the trade secret bears the risk and consequence of actual loss of the secret, in the public cloud model responsibility for actually protecting against misappropriation shifts externally to a third-party provider. Traditional internal efforts such as express confidentiality agreements, security badges, and locked vaults are ineffective when a secret is accessible with a single company password or by commandeering access to an employee’s mobile phone or tablet. A provider agreement based upon the results of a scrupulous risk assessment is the ideal way to ensure reasonable efforts in protecting secrets in the cloud.

            When considering a cloud agreement, it is important to realize that ultimate risk and responsibility for misappropriation cannot shift to the cloud provider. California business law mandates a minimum level of security by requiring that all businesses that transmit information to nonaffiliated third parties include contractual provisions requiring that the third parties maintain “reasonable” security measures.[13] The meaning of the term “reasonable” in the business law context differs from its meaning in the context of trade secret law, so clients must be proactive in taking security measures rather than relying upon third-party boilerplate language guaranteeing “reasonable” data security.

            Taking reasonable precaution to protect information is particularly important when considering that cloud user agreements contain provisions disclaiming most provider liability. Courts are increasingly willing to enforce such liability clauses, leaving plaintiffs with no adequate remedy and sometimes without a basis on which to file suit.[14] Carefully reading the agreement is necessary as courts will not invalidate an agreement based upon the user’s failure to fully understand the agreement and carefully consider the terms.[15]

Consider the Amazon user agreement, which places sole security responsibility on the user and states, “We strive to keep Your content secure, but cannot guarantee that we will be successful in doing so, given the nature of the Internet.”[16] Deep within the Google user agreement is language granting Google a worldwide license in all uploaded content, even after the user ceases using the service.[17] In addition to protecting the provider from an improper means claim, agreements aimed at disclaiming confidentiality place users on notice that no confidential agreement exists, thus precluding a trade secret claim based upon a breach of confidence cause of action.

            Potential users should consider how many employees would access the cloud and take measures to limit exposure to the trade secret. Employees bound by company confidentiality agreements are unlikely to appreciate how often secret information is uploaded, as protected information is sent to the cloud during routine data backup, collaborative projects, and even through certain e-mail clients. Internal company policies must strike a careful balance between limiting employee exposure to critical information and stifling creation and productivity. Even the cloud providers must consider employee security, as hackers recently obtained the e-mail password belonging to an employee of Dropbox.[18] The employee used the same password for all of her accounts, and hackers easily accessed her personal cloud storage account and obtained a document with an undisclosed number of Dropbox users’ personal account information. Despite the well-publicized security breach, Dropbox is doing well and recently announced that each day 110 employees oversee 500 million files belonging to 50 million users.[19]

            In conclusion, companies reliant upon trade secrets should undergo a risk-assessment analysis in order to determine whether the cost-savings, accessibility, and scalability of the cloud business model outweigh the threat to confidential information. Despite the tremendous growth of the public cloud, a user must act wisely with regard to the storage of sensitive data. Currently, user agreements benefit providers, yet as the cloud market becomes more saturated, competition will surely necessitate provider concessions in the form of more favorable agreement terms. Only through an individualized and diligent analysis will a user have the proper timing and best opportunity to smoothly and securely transition into the future of IT.

            If you would like to speak with a Niesar & Vestal attorney about any matter discussed in this law alert, please contact Stephen Rush (srush@nvlawllp.com), Oscar Escobar (oescobar@nvlawllp.com) or Jay Begler (jbegler@nvlawllp.com).


[9] Sasqua Group, Inc. v. Courtney, 2010 WL 3613855 (E.D.N.Y. Aug. 2, 2010).

[10] Id.

[11] 2 Callmann on Unfair Comp., Tr. & Mono. § 14:26 (4th Ed.)

[12] Id.

[13] Cal. Civ. Code § 1798.81.5(c) (West 2012).

[14] Timothy J. Calloway, Cloud Computing, Clickwrap Agreements, and Limitations on Liability Clauses: A Perfect Storm?, 11 Duke L. & Tech. Rev. 163, 169 (2012).

[15] See Nathan J. Davis, Note, Presumed Assent: The Judicial Acceptance of Clickwrap, 22 BERKELEY TECH. L.J. 577, 579 (2007) (“[A]bsent fraud or deception, the user's failure to read, carefully consider, or otherwise recognize the binding effect of clicking ‘I Agree’ will not preclude the court from finding assent to the terms.”).

[16] See Amazon Web Services Terms of Agreement 7.2, Amazon, http://aws-portal.amazon.com/gp/aws/developer/terms-and-conditions.html (Last Checked Sept. 11, 2012).

[17] See Google Terms of Service – Policies & Principles, Google, http://www.google.com/intl/en/policies/terms/ (Last updated Mar. 1, 2012) (“When you upload or otherwise submit content to our Services, you give Google (and those we work with) a worldwide license to use, host, store, reproduce, modify, create derivative works (such as those resulting from translations, adaptations or other changes we make so that your content works better with our Services), communicate, publish, publicly perform, publicly display and distribute such content. The rights you grant in this license are for the limited purpose of operating, promoting, and improving our Services, and to develop new ones. This license continues even if you stop using our Services.”).

[18] Nicole Perlroth, Dropbox Spam Tied to Stolen Employee Password, N.Y. Times, Aug. 1, 2012 (available at http://bits.blogs.nytimes.com/2012/08/01/dropbox-spam-attack-tied-to-stolen-employee-password/).

[19] Dropbox Fact Sheet, Dropbox, http://www.dropbox.com/static/docs/DropboxFactSheet.pdf (Last Checked Sept. 11, 2012).

  Copyright © 2012 Niesar & Vestal LLP, All Rights Reserved