Thursday, November 13, 2014

Are you doing enough to protect your trade secrets from theft in the cloud?

Do your employees use Dropbox (or Google Drive, or Box, or iCloud, etc.) to store work documents? The appeal of these cloud services is easy to see. Because they provide the ability to store electronic files and access them across multiple devices linked to the same account (i.e., one’s office PC, home computer, iPhone, and iPad), they have exponentially increased the work-life balance of employees who need to work beyond the traditional 9-5. With that benefit, however, comes significant risk to employers.

You may think Dropbox and other cloud services don’t present a risk. After you, your employees are loyal and trustworthy. But, it only takes one layoff to turn a loyal employee into a desperate job seeker looking to provide value to turn a prospective employer into a new job. In that instance, the trade secret cat is out of the bag, and you are spending, and spending, and spending, to try to wrangle it back in.

I’ve seen two cases in which a company alleged that an employee absconded with trade secrets or other confidential information by storing them remotely on a cloud service.

  • In a lawsuit filed last week, Lyft accused its former COO of snatching thousands of sensitive documents when he left to work for its chief competitor, Uber. The mode of theft? The downloading of emails and documents to his personal Dropbox account in the months leading up to his defection.
  • Last year, Zynga settled a lawsuit it had filed against a former manager whom it alleged had used Dropbox to steal its trade secrets upon leaving for a rival startup.

What can an employer do to minimize risk of trade-secret misappropriation or other breach of confidentiality, short of filing expensive and protracted litigation? Consider these 8 steps, courtesy of the ABA Section of Litigation’s Intellectual Property Committee:

    1. Limit access to trade-secrets on a need-to-know basis. The fewer people with access to trade secrets, the more likely the information will remain secret.
    2. Limit access to cloud-based solutions on company computers and prohibit any use of personal cloud solutions for company materials. Consider installing software to limit access to any cloud solutions that are not approved by the company.
    3. Implement policies and train employees about the use (or non-use) of cloud solutions and, more generally, about the protection of confidential information. Employee handbooks, new-employee orientations, posted company policies, and annual employee training sessions all provide opportunities to address these issues.
    4. Monitor when files are accessed or downloaded, and by whom. This will allow the company to take immediate action in the event it discovers suspicious activity.
    5. Require employees to sign NDAs. All employees should sign NDAs prohibiting them from taking or using company information for any purpose other than their work for the company. These obligations should extend beyond termination.
    6. Conduct exit interviews. This will allow the company to explore whether the employee retained any confidential information and to instruct him or her that any such information should be immediately returned or destroyed.
    7. Collect and secure computers used by terminated employees. By examining the computer of a former employee, a company can often determine if any information was taken before the employee’s departure and what that information was.
    8. Label or name files containing trade secrets as “Confidential” or “Trade Secret.” While this probably will not prevent unauthorized use or access, it may help a company to persuade a court that any misappropriated information still qualifies for trade-secret protection. This is because confidentiality labels help show that the company took reasonable steps to maintain secrecy by notifying the employee as to the sensitivity of the information.

You cannot absolutely protect against the use of the cloud by your employees. All an employee has to do is email a file to a personal email account, and your control over that file is gone. Implementing these 8 measures, however, will place your business in the best position possible to limit your risk, and secure against theft of sensitive information by exiting or otherwise disgruntled employees.