The business community’s growing use of cloud-based computing services provides great benefits due to cost-savings and mobile information access. However, business leaders should understand the risks of storing valuable trade secrets in the cloud. This article provides the business community tips on how to safeguard valuable trade secrets stored in the cloud from being freely disclosed to the public, thus putting the business at risk of losing protections that courts grant trade secrets.
As businesses’ profit margins have continued to shrink since the Great Recession, more companies have looked to reduce costs by reducing growing expenses related to their information technology departments. The first line item to draw attention in the IT budget is frequently the rising costs associated with maintaining and upgrading system hardware. Businesses often find that housing and operating multiple servers stretches IT budgets thin by increasing maintenance, labor, and operational costs. The solution so many businesses have turned to is to move their valuable data to virtual servers, or the “cloud.” A recent survey of IT executives provides that companies will triple their IT spending on cloud-based services in 2014 over 2011. Cloud service providers have also seen demand increase as they increase their cloud capabilities.
Although cloud-based servers provide businesses with substantial financial and operational benefits, businesses must recognize that there are perils to shifting data to the cloud. One of the key concerns businesses should consider before moving data to the cloud is the risk that its valuable trade secrets will lose protection as a result of insufficient safeguards to protect against disclosure. This article addresses that concern and provides businesses keys for seeking to protect valuable secrets in the cloud.
What is a Protectable Trade Secret
The initial step for a business to determine how to protect its trade secrets is to understand how the law characterizes a trade secret. Information qualifies as a trade secret only if it derives independent economic value as a result of not being generally known or readily ascertainable, and be subject to reasonable efforts to maintain its secrecy. Trade secrets are broadly defined as information, including technical or non-technical data, a formula, pattern, compilation, program, device, method, technique, drawing, process, financial data, strategies, pricing information, and lists of customers, prospective customers, and suppliers.
Businesses Need to Take Reasonable Efforts to Protect Trade Secrets in the Cloud
Trade secrets are only protectable when the owner takes reasonable efforts to prevent them from being freely disclosed to the public so that the information does not become generally known.
Information does not have to be cloaked in absolute secrecy to be a trade secret, as long as a business’s efforts to maintain secrecy or confidentiality are reasonable. It is easy for one to imagine how a business may protect confidential documents that are stored locally. Computer files may be password-protected with several layers of encryption software, with access limited to specified personnel. Similarly, paper files may be stored in locked cabinets, in secured rooms, where only specified personnel are granted access.
However, those seemingly straight-forward security protocols become murky when information is stored in the cloud. Unlike storing data on local servers, storing data in the cloud requires the owner to disclose confidential information to a third-party vendor. In most situations, disclosing data to a third-party eliminates trade secret protections. Therefore, businesses must take additional steps to ensure that its data remains secure.
Three Keys to Protecting Trade Secrets Stored in the Cloud
There are no fail-safe measures to protect data stored in the cloud. The best way for a business to protect its trade secrets is to locally store and protect its most valuable data with the proper data security protocols. A business, however, should not fear the cloud as long as it takes certain steps to ensure that it exercises reasonable efforts to protect its cloud-based data.
First, business leaders must conduct appropriate due diligence before selecting a cloud-provider. The business should conduct necessary research to select a reputable, well-established company that has the physical and technological capabilities to store and protect data.
Conducting due diligence on a provider includes ensuring that the provider has taken necessary steps to establish appropriate physical and virtual security protocols to protect the confidentiality of your information. Inquire how the provider establishes physical security measures, and monitoring capabilities to prevent unauthorized access to its data centers and infrastructure. Also, learn how the provider limits its employees’ access to customer data and determine the internal controls that the provider has in place to prevent unauthorized viewing, copying, or emailing of customer information.
A business should also inquire about the provider’s virtual security protocols. A business must generally understand how its cloud-provider’s encryption software and security management systems work to protect data. If your business is not capable of independently evaluating whether the provider has proper security protocols, a good indicator is to ask the provider for its client list. If the provider has clients that are typically security-conscious companies, such as financial institutions or healthcare facilities, that is a good indication that the provider has been vetted and it has proper security measures in place. Finally, the provider should maintain sufficient data-protection insurance coverage to protect against potential data breaches or system failures.
Second, a business must have contractual safeguards in place with its cloud-provider to adequately protect its intellectual property and trade secrets. The contract should establish that the business owns the data, that it will be segregated from other data groups, and that the business may enjoy unfettered access to the data. The contract should specify that the business can demand that the data be deleted or returned request, and detail how the provider will purge the data to ensure that it is properly deleted upon termination of the relationship. The contract should require regular data backup and recovery tests, while restricting the provider from accessing, using or copying data for its own purpose. Finally, the contract should establish the provider’s obligations to notify the business of a data breach or system failure.
Third, a business should also consider adding multiple layers of authentication and encryption to data containing trade secrets before transmitting it to the cloud-provider. However, a business should consider if the additional encryption efforts could adversely affect the business’s ability to access, utilize, and port data for its normal business use.
There are several financial and operational benefits for a business to store data in the cloud. However, businesses must understand that there are also risks to storing its valuable trade secrets on virtual servers. Businesses need to take reasonable efforts to protect the confidentiality and secrecy of its most valuable data and information.
 Dave Rosenberg. Reducing IT Infrastructure Costs via Outsourcing. May 7, 2009. news.cnet.com/8301-13846_3-10235742-62.html
 Thor Olavsrud. How Cloud Computing Helps Cut Costs, Boost Profits. March 12, 2013. http://www.cio.com/article/730036/How_Cloud_Computing_Helps_Cut_Costs_Boost_Profits
 Andrew Horne. Transformational Change in IT Will Drive 2014 Spending. November 5, 2013. http://blogs.wsj.com/cio/2013/11/05/transformational-change-in-it-will-drive-2014-spending/
 IBM Commits $1.2bn to Cloud Data Centre Expansion. January 17, 2014. http://www.bbc.co.uk/news/business-25773266
As a result of all of the media coverage surrounding the Ebola issues, many of our clients have wondered whether they need to do anything, as employers, to prepare for similar issues and to address related employment issues. Whether it is the Ebola virus or another virus or pandemic, the general rules for employers remain the same.
The Ebola Virus Basics
The key to contracting the Ebola virus is direct contact (through broken skin or mucous membranes in, for example, the eyes, nose or mouth) with someone who is carrying the virus. The Centers for Disease Control and Prevention (“CDC”) has a website dedicated to understanding, preparing for and preventing the spread of the Ebola virus. For additional information regarding the Ebola virus, including symptoms and other useful information, please visit the CDC’s website.
For employers, the key is not to panic. Given that we are at the early stages of flu season, employers should avoid overreacting at the first sight of an employee with flu-like symptoms. Employers concerned about particular employees should consult with legal counsel before taking any steps that may lead to liability under various employment laws (more on this below).
Important Employment Issues Each Employer Should Consider
Pandemics (whether the Ebola virus, the 2009 H1N1 virus or influenza) implicate a number of employment laws. Employers must strike a proper balance between protecting employees from infection and operating within the confines of applicable law.
1. Consider the requirements of the Americans with Disabilities Act before requiring employees to undertake a medical examination.
The Americans with Disabilities Act (“ADA”) prohibits, among other things, medical examinations for applicants and employees. An employer cannot require a current employee to undergo a medical examination unless the examination is job related and consistent with business necessity. According to the Equal Employment Opportunity Commission (“EEOC”), medical examinations of an employee are job-related and consistent with business necessity when an employer has a reasonable belief, based on objective evidence, that (1) an employee’s ability to perform essential job functions of his/her job will be impaired by a medical condition; or (2) an employee will pose a direct threat due to a medical condition. “Direct threat” means “a significant risk of substantial harm to the health or safety of the individual or others that cannot be eliminated or reduced by reasonable accommodation.” 29 C.F.R. § 1630.2(r). For additional guidance on direct threats, please see the EEOC’s website.
The EEOC’s 2009 guidance specific to the H1N1 virus sheds additional light on how employers should make direct threat assessments before requiring a medical examination. The EEOC states that whether a pandemic virus rises to the level of a direct threat depends on the severity of the illness. Helpful data points to determine the severity—and associated direct threat—of a virus are the warnings and guidance from government agencies such as the CDC, state health departments and other recognized authorities on illness and disease.
2. Consider the Occupational Safety and Health Act when accessing your workplace practices.
In addition to the ADA’s medical inquiry restrictions, most employers must follow the safety and health regulations dictated by the Occupational Safety and Health Administration (“OSHA”) under the Occupational Safety and Health Act (“OSH Act”). Although OSHA does not specifically regulate Ebola or other pandemics, employers may trigger workplace safety violations under OSHA’s General Duty Clause if they do not take proper steps to protect their employees.
Employers run the risk of receiving citations under the General Duty Clause if they expose employees to a hazard that the employer could reasonably have reduced and that the employer recognized would cause or likely would cause serious physical harm to employees. Employers in industries with a high risk of disease contamination (e.g., healthcare employers) should therefore evaluate potential hazards and determine whether they can take steps to reduce the risk of exposure to employees.
Employers should also keep in mind that an employee who reasonably refuses to report to work because of a dangerous work condition—including contracting a pandemic virus—may be protected from retaliation.
3. Employees may be entitled to leave under the Family and Medical Leave Act.
Federal and state (where applicable) family and medical leave laws (“FMLA”) complicate the web of responsibilities an employer has to navigate when it comes to dealing with ill employees. For employers covered by these laws (generally employers with 50 or more employees under federal law), an eligible employee who has contracted the Ebola virus or another pandemic virus may qualify for leave based on a serious health condition. Similarly, an eligible employee may qualify for leave if an eligible family member contracts a virus that qualifies as a serious health condition.
If an emergency situation prompts the need for FMLA leave, administering the leave in a lawful manner gets more complicated than under normal circumstances. For example, it may not be practical to solicit and review medical certification forms. In these situations, employers must have sufficient information (including the employee’s statements) that the underlying condition qualifies as a serious health condition. Designating leave as FMLA without sufficient information establishing a serious health condition can result in a retaliation claim. In emergency situations, employers may also need to exercise forbearance on the return of medical certification forms, particularly if an employee needs to assist a family member who is ill. For additional FMLA guidance, please visit the United States Department of Labor website.
Steps Employers Should Take to Minimize Workplace Safety and Health Issues
As with any other workplace safety and health issues, the recent Ebola-related news has raised many questions about what employers should do when facing similar situations. Although each employer is unique and each industry must confront different obstacles and risks, employers should, at a minimum, follow the steps outlined below.
Have a plan. Consult with internal safety experts and review the guidance provided by government agencies regarding specific safety issues. Create a plan (preferably with the assistance of legal counsel) that addresses issues specific to your workplace and your industry.
Communicate your plan to employees. Your company’s protocols for dealing with safety issues should not be a secret to any of your employees. Publicize the plan internally and ensure that employees have ready access to the plan.
Train your employees. Train your employees about your company’s safety protocols on a yearly basis. If you are concerned about a particular risk that is not usually common to your workplace or if you update your plan, provide additional training as needed to address these issues.
Supervise implementation of the plan. Having a plan in place and training your employees to follow certain procedures is meaningless if no one supervises the process. Designate individuals to review employee actions to ensure that the plan’s protocols are followed and to identify potential shortcomings of/improvements to the plan. Whenever necessary, update your plan to ensure that it addresses all major safety risks and train employees on the changes made to the plan.
Employers that consult government and other advocacy organization websites to adopt ideas, disseminate information and prepare practices and procedures for addressing workplace safety and health issues will be in a good position to protect against unwanted legal action.