By: Abbey Duhé
Cloud computing, whether that refers to data storage or service models like Software as a Service (SaaS), offers businesses an attractive cost-saving opportunity but leaves users at risk of losing valuable trade secrets. This blog post argues that the current avenues for legal recourse, though bountiful, are not enough to actually protect the value of these assets. The cloud computing industry imposes expanding demands on the reasonableness requirements to keep trade secret information confidential, but merely provides as a default the opportunity to litigate once the trade secret has already been lost. Solutions for companies may include keeping trade secret information out of the cloud altogether, but also more formalized standards to adapt to growing cybersecurity concerns.
The focus of this blog post is trade secrets in the context of cloud computing, which refers to an industry encompassing a variety of services, systems, and technology that provides users with access to shared computing resources through the internet.[i] The concept delivers the opportunity to save money that would otherwise be spent on acquisition or development costs, maintenance, or physical storage of software, servers, and data storage.[ii] Implementation of these services by a provider can be organized in a variety of cloud-based solutions, each with varying degrees of privacy and benefits for its users.[iii]
In terms of trade secrets, cloud computing poses some inherent risks, for both providers[iv] and users. Not only are there privacy and data security concerns for a user relinquishing information into the hands and (one would hope) sufficient cybersecurity measures of a cloud host, but the owner of that information is also potentially risking the loss of a competitive advantage should any trade secret information be inadvertently disclosed.
Generally, a trade secret is information which derives its economic value from being kept a secret from potential competitors.[v] Further, the owner of this valuable information must take “reasonable measures” to prevent disclosure in order to bring a successful claim against someone who misappropriates the information.[vi] Reasonable measures serve to put others on notice of the existence of trade secrets.[vii] Reasonable efforts are determined by the subjective circumstances and can therefore be unpredictable.[viii]
Causes of Action for Trade Secrets Misappropriated from the Cloud
Presently, an aggrieved cloud computing user may have three different causes of action under which to bring a claim of trade secret misappropriation. Traditionally, trade secret law claims have been brought under state law causes of action. Almost every state has adopted some version of the Uniform Trade Secrets Act (UTSA) and has developed its own case law, interpreting what establishes whether a company has met reasonable efforts to prevent disclosure of its trade secrets.[ix] If federal court was preferred, a cloud computing user could bring an appropriate claim under the Computer Fraud and Abuse Act (CFAA)[x] and bring the trade secret claim along with it under the supplemental jurisdiction statute as long as the trade secret claim is part of the same “case or controversy” as the federal CFAA claim.[xi] Then in 2016, the Defend Trade Secrets Act (DTSA)[xii] was signed into law, creating a federal cause of action that is substantially similar to the UTSA. Following the enactment of the DTSA, it is clear that the DTSA is not meant to preempt state trade secret law, but instead to conform to it while providing a larger map for appropriate jurisdiction.[xiii] In theory, this federal cause of action serves to provide legal recourse to members of an industry that supersedes traditional geographic jurisdiction. Further, by now providing multiple causes of action through both state law and similar, though not identical, federal law, costs of litigating trade secret misappropriation will be increased.[xiv]
The current avenues for recourse fail to protect the trade secrets of cloud computing users. Instead, they drive up costs of litigation where there are breaches, and still do not provide guidance on how much is enough when it comes to reasonable measures for protecting trade secrets stored in a cloud setting. Additionally, by the time a trade secret is litigated for misappropriation, the secret has already been disclosed, losing any commercial and asset value it may have brought to the owner company.
Reasonable Efforts in the Cloud
Whether a company has put forth reasonable efforts to maintain the secrecy of its information is to be determined “based upon the circumstances.”[xv] It follows that because trade secrets lose their protected status as such once they become “generally known or readily ascertainable,” the more valuable a trade secret, the more extensive the efforts should be to protect it.[xvi] In that regard, cloud computing presents a couple of particular challenges.
First, since cloud computing and the internet allow and often require information to be more easily transferred between parties, the risk for disclosure of any trade secrets that are being transferred through or stored on a provider’s cloud service will increase as the ease of reproduction and sharing is facilitated by the nature of cloud computing.[xvii]
Second, there is a concern about what is next for computing and how much data will be legally accessible through processes such as data scraping[xviii] and the emerging technology of quantum computing.[xix]
These challenges put data at risk both from the internal risk of misappropriation by the provider or third parties and through external risk factors like hackers or other cyber-espionage. It could be an option to increase cybersecurity and other reasonable measures, but as potential avenues for improper access increase, it would make sense that reasonable measures to keep trade secret information in the cloud confidential would also have to become more expansive (read: expensive).
Because the cost-benefit of increasing efforts to protect one’s information has the potential to outweigh the costs of litigation, a company would most likely default to seeking a post hoc legal remedy.[xx] The DTSA focused its attention on providing legal recourse for trade secret owners, rather than on encouraging more stringent efforts to protect information at risk of misappropriation.[xxi]
Proactive Protection of Cloud-based Trade Secrets
To retain the competitive value of a trade secret asset, rather than relying on post hoc legal recovery, companies using cloud-based software or data storage have a couple of options. One option is to avoid the risk of disclosure of trade secrets through cloud computing altogether, keeping cloud services limited to routine computing functions.[xxii] Where that is not an option, given the nature of the growing cloud industry and norm of cloud-based services, the best action for now is to always make sure the provider and any third party with access to your cloud-space is on notice that data you are storing in the cloud system or software is confidential. This can be achieved through the inclusion of non-disclosure requirements in licensing agreements. You will also want to limit access to discrete individuals or groups and ensure that access is stripped when no longer needed. Further, consider tracking data access and flagging abnormalities in views, uploads and downloads. A company could try to renegotiate liability in the case of a cybersecurity breach to the provider of the cloud services, who may have more resources and knowledge of the potential risks of its own data encryption system. From a systemic perspective, moving cloud computing to a regulated industry could serve to allocate risks and provide transparency through the creation of national standards for cybersecurity and how potential risks may affect a user’s competitive assets like tra
[i] Susan Metcalfe & Michael Doctrow, Blue Skies and Stormy Weather: Balancing Risks and Rewards of IP in the Cloud, Law.com: The Legal Intelligencer (Oct. 11, 2011), https://www.law.com/thelegalintelligencer/almID/1202517960925/blue-skies-and-stormy-weather/ [hereinafter Blue Skies].
[v] 18 U.S.C.S. § 1839(3); Unif. Tr. Secrets Act §1(4) (amended 1985), 14 U.L.A. 529-625 (2005) [hereinafter UTSA].
[vii] Sharon K. Sandeen, Lost in the Cloud: Information Flows and the Implications of Cloud Computing for Trade Secret Protection, 19 Va. J.L. & Tech. 1, at 22.
[viii] Id. at 23.
[ix] Danielle A. Duszczyszyn, Ph.D., & Daniel F. Roland, Three Years Later: How the Defend Trade Secrets Act Complicated the Law Instead of Making It More Uniform, IP Litigator (July / August 2019) [hereinafter Three Years Later].
[x] 18 U.S.C. §1030 (2006).
[xi] Kyle W. Brenton, Trade Secret Law and The Computer Fraud and Abuse Act: Two Problems and Two Solutions, 2009 U. Ill. J.L. Tech. & Pol’y 429, at *431.
[xii] Defend Trade Secrets Act of 2016, Pub. L. No. 113-153, §2, 130 Stat. 376, 376-82 (codified at 18 U.S.C. § 1836 (2012)) [hereinafter DTSA].
[xiii] Three Years Later.
[xiv] Three Years Later.
[xv] UTSA §1(2) (definition of “trade secret”).
[xvi] Sandeen, at 23.
[xviii] See HiQ Labs, Inc. v. LinkedIn Corp, No. 19-1116 (petition for cert. filed Mar. 9, 2020 No.19-1116) (petitioning a dispute on whether businesses can “scrape” information that is publicly available for commercial resale).
[xix] See generally, Nicholas Smith and Ryan McKenney, What to Expect in the Emerging Age of Quantum Computing, Law360 (Apr. 21, 2020, 5:23 PM EDT), https://www.law360.com/articles/1260531/what-to-expect-in-the-emerging-age-of-quantum-computing, (giving a short synopsis of what quantum computing is, and an analysis on its impact to the digital economy and on potential risks of encryption and data security).
[xx] David S. Levine, School Boy’s Tricks: Reasonable Cybersecurity and the Panic of Law Creation, 72 Wash. & Lee L. Rev. Online 323, at *334.
[xxi] Id. at *327.
[xxii] Blue Skies, supra note i.