A company’s decision to move the storage of its data and information to the cloud is not without business and legal risks and should not be taken lightly. One of the legal issues that has not figured prominently in a discussion of the risks is whether and how the storage of confidential information on the cloud may affect its classification as a trade secret. Given the importance of trade secrets to many companies’ bottom line, this issue should not be overlooked in deciding whether to move to the cloud.
The crucial issue in many trade secret litigations is whether the trade secret owner has undertaken “reasonable efforts” under the circumstances to maintain secrecy. So long as secrecy is maintained, the trade secret remains protectable under trade-secret law. This means that unlike other forms of intellectual property, trade secrets can remain protected indefinitely. Conversely, public or other inadvertent disclosure of the trade secret results in the loss of its protection.
The test of what constitutes a “reasonable effort,” focuses primarily on the actions of the trade secret owner and the value of the trade secret. There are literally hundreds of decisions discussing what does and what does not constitute a reasonable measure when undertaken by the trade secret owner. However, there is little or no guidance as to what happens when an owner gives up control and protection of the trade secret to a third party, for example, by contracting with a vendor to store their confidential information in the cloud. The issue is no longer whether the trade secret owner has undertaken reasonable efforts to protect the trade secrets, but whether the trade secret owner has hired a third party who is required to adequately protect the confidential information and does, in fact, do so.
Although there have been no reported decisions addressing this issue, the test to determine whether the trade secret owner has employed reasonable measures would seem to involve a two-part inquiry, whether the trade secret owner (1) has hired a vendor who claims to use reasonable measures; and (2) has conducted sufficient due diligence that makes it reasonable to believe that the cloud vendor actually does employ such measures. In other words, the test involves both objective and subjective components.
First, with regard to the protective measures claimed by the cloud vendor, it is essential for the trade secret owner to understand the technical details of how the cloud vendor processes, transmits, and destroys customer data. In particular, and at a minimum, a trade secret owner should ensure that its data is kept separate from other customers, that it is encrypted using a robust encryption standard, that the servers storing the data are physically protected and that when the customer no longer needs the information that it is actually deleted from all of the systems.
Second, it is not enough for the trade secret owner to simply rely on the representations of the cloud vendor, but the trade secret owner must be satisfied that the cloud vendor actually does follow the claimed protective measures. In that respect, the vendor should warrant to the protective steps it undertakes, and that the confidentiality terms should extend beyond the termination of the agreement. In addition, the vendor must accept responsibility for its employees, agents and subcontractors and, trade secret owners should consider requiring the cloud vendor to have insurance covering all types of events leading to the loss in value of the information at levels that reflect the value of the information being stored.
How a court will determine under what circumstances information stored in the cloud will lose its trade secret status has yet to be determined. However, by being aware of the issue, and undertaking the steps described above, a company should be in a better position should it have to convince that it took reasonable steps to maintain the secrecy of its trade secret stored in the cloud.