How to Protect Your Trade Secrets in the Cloud
When businesses think about the Internet these days, they're often thinking about moving to a cloud computing model. This article is about maintaining your trade secrets in the cloud.
Let's start by defining the term “trade secret.” Generally, a “trade secret” is any information that is valuable because it is not generally known to or readily ascertainable by other people who could profit from knowing it. To maintain its trade secret status, you must make reasonable efforts to maintain its secrecy. Once information is generally disclosed, you can no longer claim that it's a trade secret. Put another way, you can't put the cat back in the bag.
There are some variations on this basic definition depending on your state. Some definitions require that you use your trade secret continuously in your business or risk losing your legal protections. Some states require actual economic value, while some states protect trade secrets with only “potential” value.
In deciding whether information is a trade secret, courts look at many factors. For example, how widely known is the information outside of the business claiming the trade secret status? How many people know the secret? What security measures are used to maintain secrecy? How valuable is the information to its owner and competitors? How much effort and money were used to develop the secret? How hard would it be for a competitor to duplicate the information using proper methods?
Don't underestimate the value of your information nor the legal protection available to you. Trade secrets are quite different than other types of intellectual property. Unlike with copyrights and patents, your information need not be novel, creative, original, nor tangible to be entitled to protection. When in doubt, consult with your tech lawyer.
Trade Secrets in the Cloud
If you think that the concept of “trade secret” has no place in the cloud think again. Nothing about trade secret law requires that all information about your trade secret be stored locally. The cloud is fine as long as you take appropriate measures to protect your information.
You can store information in the cloud and still retain trade secret status. How? The “how” doesn't require any voodoo. What it does require is some common sense security procedures.
The law recognizes that a trade secret that is absolutely secret is useless. You have to share it with some to exploit it. As long as you control access to those that have a reasonable need to know and follow the other procedures outlined below, you can maintain trade secret status for your information.
This clearly means that you can't post a trade secret online or allow online access to your trade secret for the world to see. Still, you can share information online with those who need to know or work with your trade secrets. When you do, you need to do things like require a password to access the information and encode the transmission so that only your intended recipient can read it. I believe that a court will likely see these measures as part of a reasonable security plan.
Unless, of course, your judge has absolutely no understanding of the cloud and thinks that you can’t cloud compute on a sunny day. If that describes your judge, well then, good luck and remember the word “appeal.” Better yet, why are you even litigating? You should hire a negotiator who is focused on an economical resolution of your issues and not preparing for trial.
The Battle Plan
It's not possible to provide rules that are always right. The law doesn't require absolute secrecy, but only secrecy that's reasonable under the circumstance. Here are some guidelines.
Nobody should ever touch your confidential material until they have signed an appropriate confidentiality agreement. This includes contractors, employees, investment bankers, and developers. If you're making trade secrets available online, make sure that the receiver doesn't get the password until she signs the agreement. A well-drawn agreement will place the other party on notice that you're revealing information that you consider to be a trade secret and will require them to use the information only for your intended purpose.
You must have appropriate employment and consulting agreements in place. If you don't, you may have to battle over who owns the intellectual property rights for the work product. Just because you pay someone to do some work for you doesn't always mean that you own the copyright or other intellectual property rights to the result.
You should label everything that contains confidential trade secrets as such. Your documents, data files, tapes, disks, videos, and everything relevant should say “Confidential and Proprietary.”
You must store your confidential material under lock and key. Papers should be stored in a locked file cabinet in a locked room in a secure building with an alarm system that's monitored. Confidential computer data and programs should be encrypted using a good encryption program and a good password. (Sorry, your dog's name won't cut it here.) Then store the computer in a locked room in a secure building, etc.
You must restrict access to the information to only those that have a need to know.
You should periodically subject yourself to a trade secret audit with the assistance of your lawyer. This will include determining the integrity of your trade secrets, destroying unneeded copies, requesting the return of copies from employees, consultants and others if they no longer need them, and reviewing your computer security procedures. In some ways, maintaining trade secrets is no different from or easier than the task of maintaining state secrets.
Have your lawyer create a written trade secret policy. Distribute it, post it and have those with access to trade secrets sign it. Then periodically discuss it, redistribute it and repost it. People need to be reminded.
If security is breached, contact your lawyer immediately. Your lawyer will probably recommend immediate action to try to protect the trade secret status of your information.
If you take all these steps, you've done as much as you reasonably can to protect your intellectual capital. If you're forced to ask a court to enjoin the improper dissemination of your trade secrets, you are more likely to get a favorable result if you can convince the court that you did everything you could to protect your secrets.
If you go into court without agreements, security procedures and the other things I've discussed, you're more likely to find a judge who isn't very enthusiastic about using his injunction powers. Courts will protect you, but only if you do your part in protecting your own information.