There’s been a lot of talk in recent years about “BYOD” (“Bring Your Own Device”) policies, which are becoming increasingly common in the workplace. Employees want the flexibility and ease that comes with being able to use a personal device for work purposes, but employers have long been warned about risks to information security and other perils that come with the territory. Employers take on a separate and distinct set of risks when employees use personal cloud storage services at work—an increasing trend that’s been dubbed “Bring Your Own Cloud” or “BYOC.”
The utility of cloud storage in the business world is substantial; it offers efficiency, facilitates professional collaboration, and simplifies knowledge management. However, in a recent article for the Richmond Journal of Law & Technology, information governance consultant Philip Favro points out that “the very aspects that make personal clouds so attractive—cheap and unlimited storage, simplified transfers, and increased collaboration—pose serious threats to the enterprise.” As Favro points out, the potential issues implicated by BYOC policies run the gamut. BYOC policies may have the greatest ramifications in the context of trade secrets, where cybersecurity can make or break a company’s valuable confidential and proprietary information.
A recurring problem with respect to BYOC and trade secrets is the surreptitious use of cloud services by employees. Cases of outright theft, with employees utilizing third-party software and network storage to copy and disseminate confidential information, are especially troubling. In Toyota Indus. Eq. Mfg., Inc. v. Land (S.D. Ind. July 21, 2014), an engineering design manager (Land) was accused of using Google Drive to share Toyota’s confidential industrial and financial data with a competitor. Despite signing both a confidentiality agreement and an assignment of “all inventions, ideas, written works, conceptions, [and] designs” that he created while working for Toyota, Land used Google Drive to retain and access copies of hundreds of confidential documents after accepting a position with one of Toyota’s competitors. The district court issued an injunction prohibiting Land from continuing to work for the competitor until the court was “satisfied that Land no longer possesses or has access to [Toyota’s] confidential information and trade secrets.”
These issues are not confined to rank-and-file or even managerial employees. As several recent cases illustrate, company executives have also been the targets of litigation based on their use of cloud technologies.
In Frisco Medical Center, L.L.P. v. Bledsoe (E.D. Tex. Nov. 30, 2015), Cynthia Bledsoe, Chief Operating Officer for the plaintiff-hospital, and Michael Bledsoe, the hospital’s Information Services Administrator, had access to confidential/proprietary information, trade secrets, and patient health information. Cynthia Bledsoe resigned from her post in November 2011 and Michael Bledsoe similarly resigned in December 2011. Three separate forensic investigations revealed that, in the months immediately prior to their resignations, the Bledsoes had used the third-party platform Dropbox to appropriate various confidential documents in violation of their employment agreements. The district court ultimately granted Frisco’s motion for summary judgment on its claims for breach of contract and violation of the CFAA and the Electronic Communications Privacy Act/Stored Communications Act.
By way of contrast, in De Simone v. VSL Pharmaceuticals v. Exegi Pharma, LLC (D. Md. Sept. 23, 2015), VSL Pharmaceuticals’ Chief Executive Officer utilized Dropbox in a way that denied his company access to valuable and vital information needed for day-to-day operation of the company. Specifically, the CEO (De Simone) became entangled in a dispute over ownership of the intellectual property, “a pharmaceutical combination of eight strains of pure lactic acid bacteria” that were used to create a probiotic known as VSL#3. As a result of this dispute, De Simone transferred the bulk of the corporation’s records and documents to his personal “drop box” and wiped the company-owned computers clean, thereby “depriv[ing] VSL of the ability to manage and operate the business.” De Simone also ignored shareholder requests for the information, and subsequently resigned as CEO. At trial, VSL made various claims related to breach of fiduciary duties, conversion, and trademark infringement. The district court ultimately granted an injunction for various types of relief to VSL, but concluded that De Simone had not appropriated trade secrets.
While employment agreements (i.e., confidentiality and non-disclosure agreements) arguably served as an effective “sword” in eventually enforcing compliance in the cases of Land and Bledsoe, it required an enormous investment of resources by the affected corporations. In particular, Bledsoe underscores the potential costs that companies may incur in prosecuting BYOC cases, with roughly $1.4 million in fees related to the lawsuit and the attendant forensic computer investigations. As Favro states in his article, “the non-disclosure and employment agreements did nothing to stop the perpetrating employees from misappropriating company trade secrets.” More troubling, all of the trade secret appropriations discussed above were discovered afterwards. Two of the companies involved apparently did not have appropriate cybersecurity measures in place. Furthermore, the one company that did install blocking software (RLI) was unsuccessful in protecting itself because the employee simply utilized a previously unknown cloud service to circumvent the system protections.
BYOC policies that merely prohibit the use of third-party cloud services by employees will have little impact in protecting trade secrets. This is especially the case because internal company cloud systems (i.e., “enterprise content”) are often cumbersome when compared to sleeker, consumer-driven options, which leads even well-meaning employees to seek work-arounds. Additionally, in contrast to the context of BYOD, where employers have tools to perform technological oversight when employees use their personal devices, there are not necessarily as many “quick fixes” to the issue of BYOC from an IT perspective.
Companies that are concerned about these issues should be proactive by clearly defining the scope and specific restrictions imposed by BYOC policies. Those companies that wish to prohibit third-party cloud applications altogether should ensure that their IT departments can respond to employee complaints. Additionally, companies may wish to consider adopting comprehensive security protocols to protect their data. Such considerations are unique, and should be guided by the individual needs of the business.