Trade Secrets Outlook: Cloudy with a Chance of Exposure

Cloud-based computing provides numerous benefits in today’s modern, hybrid work economy, such as allowing employees to work from anywhere, to seamlessly transition between home and office, and to more efficiently collaborate with colleagues and partners. Businesses, especially Silicon Valley tech companies, are increasingly choosing to leverage cloud-based solutions, such as Google Workspace (Gmail, Drive, Sheets, etc.), Microsoft M365, or Apple iWork with iCloud, for their information management. Such solutions enable employees to access and edit documents across their devices and save copies of those documents locally for offline access. But cloud-based document management comes with its own set of risks.

As a trade secrets litigator and a forensic expert, respectively, we have witnessed how the expansion of cloud computing has created new challenges for companies seeking to protect their trade secrets, as well as new opportunities for unscrupulous employees who might want to pilfer them. In a number of recent cases we’ve been involved with, confidential information was dispersed widely via cloud systems (sometimes intentionally, sometimes inadvertently), resulting in costly and sometimes confounding litigation. How does this happen? What does this mean for handling today’s trade secrets disputes? And what best practices can companies follow to minimize risk?

Trade Secrets on the Move

 In the 1990s, trade secret misappropriation typically entailed walking out with a sheath of papers or copying files onto a floppy disk or CD-ROM. The early 2000s brought numerous cases where employees emailed information to personal email accounts or utilized USB drives. Although those fact patterns persist, misappropriation-via-cloud is the new frontier.

Unlike a generation ago, most companies (particularly tech-centric companies) now utilize Bring Your Own Device (BYOD) policies, at least for mobile devices. BYOD policies allow employees to use personally-owned assets, such as smartphones or computers, for their daily work. In combination with cloud computing, this means that employees have access from their personal devices to sensitive company emails and documents (as stored in OneDrive, SharePoint, iCloud, or Google Drive), making it all too easy to save local copies, further propagate sharing, or copy confidential information to a separate, personally-controlled account.

The mechanisms of misappropriation can be quite simple. For example, in one scenario we have seen repeatedly, an employee logs in to a corporate Google Drive, extends sharing privileges to his personal Google account, downloads confidential documents to that personal account, and promptly revokes the sharing privileges to cover his tracks. Cloud storage systems also allow local downloads, by which a copy is created on the local device. Records of this sharing and download might be captured in the company’s logging but often are not discovered until too late.

Complicating matters further, BYOD practices make it difficult to follow the scent trail of potential misappropriation. When an employee working on her personal smartphone departs, so does her device. And, short of litigation, the former employer typically has no recourse to get the device back or perform forensics on it.

The issues get even thornier when companies allow employees to use BYOD laptops, or when a company-issued Mac is authenticated to the employee’s personal Apple ID and iCloud account. This latter scenario allows a wayward employee to almost effortlessly move company confidential documents to a personal iCloud account, which will often then be rapidly synchronized to all other Apple devices associated with that Apple ID (such as a home computer, family computers, tablets, even Apple TV)..

This spread of trade secrets can even happen inadvertently. We have seen multiple variations of the following fact pattern:  A senior technical employee is allowed to use his personal iCloud credentials on a company-issued Mac, with instructions to save work and personal files in different folders. Company documents are thus stored in the employee’s personal iCloud account, and on all other personal Apple devices using that same account (tablets, phones, etc.). When the employee leaves to start work for a competitor, he attempts to delete all the work files from both his iCloud account and the synced devices. But the documents don’t actually disappear; they just get moved to a “deleted items” folder in iCloud (and on the associated synced devices). When he logs into iCloud on his new work computer, iCloud asks if he’d like to sync, and when he says yes, the full contents of his iCloud account sync to his new machine, including that Deleted Items folder. Just like that, his new employer now suddenly possesses a competitor’s confidential materials. When the employee and his new company get accused of trade secret misappropriation months later (maybe just on information and belief), lo and behold, hundreds of his old employer’s files are found on his new company computer, adding rocket fuel to the litigation fire.

Implications for Trade Secret Litigation

Leakage across cloud-based systems can have numerous impacts on a trade secrets case. Under both the Defend Trade Secrets Act and the state Uniform Trade Secrets Acts, a plaintiff must establish that it took “reasonable measures to protect the secrecy” of its supposed trade-secret information. Courts may perceive that allowing employees to utilize their personal iCloud or Google Drive logins for corporate activity, or failing to monitor which cloud-storage systems are being used by employees, is not “reasonable” protection.

For example, in Patterson Dental Supply v. Daniele Pace et al. (D. Minn. 2022), a federal district court granted summary judgment against a plaintiff because the alleged trade secrets “were regularly saved and shared” on a Dropbox account and emailed to personal email accounts; access to Dropbox was not terminated when employees left; and the company did not use exit interviews to ensure that information had been removed from employees’ personal email and computers used for work activities. The whole case foundered on leaky cloud-computing practices.

Cloud computing also has implications for the misappropriation element in a trade-secrets case. “Misappropriation” includes both acquisition of a trade secret by improper means, and disclosure or use without consent. Employees who copy trade secret materials onto personal cloud accounts (even as a result of automatic syncing after signing into a personal iCloud account from a company-issued Mac), may be responsible for misappropriation, especially if that information ends up on the devices or systems of a new employer and is subsequently used. Depending on the circumstances (e.g., what protections were in place, whether managers looked the other way), the new employer could be liable as well.

Courts confronting these issues have engaged in fact-intensive inquiries. In Apple v. Rivos (N.D. Cal. 2003), the viability of the trade-secret claims depended on whether the distribution of information over the cloud happened automatically or was triggered by the defendant, and whether there was evidence that the information had been used by the new employer. Similarly, in CAE Integrated v. Moov Technologies (5th Cir. 2022), a preliminary injunction was denied where the plaintiff could not prove that the defendant had accessed his Google Drive (which contained plaintiff’s information) since joining his new employer. But, of course, that exculpatory result was achieved only after months of litigation confirmed the true facts.

Implications for Trade Secret Forensics

From a forensic perspective, cloud-based systems pose additional challenges for defendants to demonstrate that they didn’t use documents found on their personal devices or those of their new employer. Documents stored on computers include a metadata value called “last accessed,” which is a common source of confusion in trade secrets litigation. This value can be updated both by human actions (e.g., opening, copying, sharing, etc.), and by system-caused actions (such as virus scans, indexing, or thumbnail generation). Proper forensic interpretation of this value can be nuanced, depending on variables such as the operating system in play and the file systems used on the involved storage media. Countless defendants have struggled to establish that they never used (or did anything) with documents they unwittingly copied over from their prior employer, when the “last accessed” values post-date their departure.

Relatedly, Apple devices and iCloud utilize a different metadata value called “last opened” (or “kMDItemLastUsedDate” for the nerds among us). While this artifact more accurately reflects when a document was “last opened,” it can be synchronized via iCloud. This means that the metadata for a document on a MacBook can show it was “last opened” yesterday, when in fact that opening occurred on a different computer and the value was simply synchronized via iCloud. From both an offensive and defensive perspective, obtaining early forensic preservation of these metadata values is of the utmost importance.

Where’s the ‘Silver Lining’ on this Cloud?

Despite the added risks associated with cloud-based sharing, the good news is that there are a number of steps companies can take to minimize their trade-secret exfiltration risk or liability:

• Require the use of company-issued Apple IDs or Google Drive accounts for work activities, and restrict outside-the-company cloud-sharing of documents from those corporate Drive or iCloud systems (without at least one level of approval).
• If your company allows BYOD, build into the formal Computer Use policy provisions that provide the company a right to examine (and remotely lock/wipe, if necessary) BYOD devices used to access company resources.
• Implement Data Loss Prevention (DLP) software. DLP tools provide logging and alerts about data movement that might constitute exfiltration, such as copying to USB drives, uploading to cloud accounts, etc. If you already leverage a DLP system, confirm it is set to capture if an employee’s company-issued Mac is synching its Desktop and My Documents folder to a personal iCloud account.
• Use exit interviews to ask employees about any files that exist on their BYOD devices or personal cloud-storage systems and ask them to verify that they have searched and removed.
• When employees with confidential access depart, examine the DLP and Google Workspace logging (AI tools can help). Those records contain critical evidence of exfiltration, but they typically expire after a few months.
• When hiring new employees, explicitly ask them to confirm that their cloud storage systems do not contain any third-party confidential information (and if so, to remove it before they begin). A few companies have even taken the extraordinary step of requiring new hires with a high risk of drawing scrutiny from their former employer to submit to forensic analysis of their personal accounts and devices, as part of the onboarding process.
• Educate, educate, educate. Even technical workers may not realize the degree to which transferring information to a personal account (even for innocuous purposes) may result in inadvertent distribution or retention, and headaches down the road.

Cloud computing, and BYOD, are here to stay. Whether you’re a trade secret owner, a company seeking to avoid litigation, or a litigator in trade secret matters, catching up to the new risks and issues posed by this cloud-centric world are critical to avoiding liability and loss.

Image rights acquired by 123RF.com