An increasingly prevalent trend throughout corporate America is employee use of personal cloud applications in the workplace. This is not surprising since personal cloud applications like Dropbox and Google Drive have tremendous functionality. They simplify data sharing and teamwork among employees while providing seamless storage options that obviate traditional network storage.
Troubles with Personal Clouds
Despite such benefits, personal cloud applications pose a serious threat to organizations’ trade secrets and proprietary information. This is particularly the case with shadow use of personal clouds. Such a scenario involves employees who use cloud applications at work in violation of company policy or without express approval. While many employees use Dropbox and Google Drive to facilitate their work, others do so furtively to sabotage the company or to gain a competitive advantage after leaving the enterprise.
Judges and lawyers have witnessed this growing trend as various companies have filed trade secret misappropriation suits over the past couple of years. In these actions, organizations seek to prevent the dissemination of customer lists, pricing information, design specifications, and other confidential materials that employees have taken from their former employers with the help of personal clouds. In some instances, companies have successfully enjoined former employees from sharing such information with others or for working for their new employer. However, as recently discussed in article published by Legaltech News, not every lawsuit ends favorably for the employer, as exemplified by a recent opinion from Free Country v. Drennen.
Trade Secret Theft in Free Country v. Drennen
In Free Country, the plaintiff apparel manufacturer (Free Country) brought suit against two of its former employees and their new employer (Rousso) for trade secret theft. Free Country claimed that its former employees took “customers sales information, design packages, and production packages for past, present, and future business” in violation of their employment agreements. One of the employees (Drennen) used Dropbox to remove Free Country’s proprietary data.
Drennen apparently downloaded Dropbox to his company computer and transferred Free Country data to the cloud application throughout his employment. However, in his final days at Free County, Drennen removed “a substantial quantity of information from Free Country’s server into his Dropbox account, including customer orders and design information for the fall 2017 season.” In total, Drennen took “nearly 50,000 files” before leaving the company to start a competitive line of apparel for Rousso.
To prevent its trade secrets from being divulged, Free Country sought a temporary restraining order against Drennen that would both stop him from disclosing its proprietary information found on Dropbox and enjoin him from working for Rousso. While agreeing that Drennen must not divulge the Free Country data in his Dropbox account, the court declined to enjoin Drennen from working at Rousso. Even though Drennen might recall some proprietary information, the court concluded that it would be impossible for him to memorize the contents of nearly 50,000 Free Country files. Given that Drennen did not share the files with his new employer and without more evidence of actual misappropriation, the court refused to issue a TRO preventing Drennen from working for Rousso.
IG Lessons from Free Country v. Drennen
Free Country reinforces the notion that organizations need to be aware of personal cloud use among employees and that a laissez-faire approach can lead to disasters. While Free Country may never know how much of its information was used to start Rousso’s competitive apparel line, a more proactive approach to information governance may have prevented the removal of its proprietary data.
A first step in this regard is to create a data map that identifies the locations both on and off the corporate network where company information resides. While a data map is useful for both information retention and litigation purposes, it is essential for controlling ingress and egress to proprietary information – precisely the data endangered by personal cloud applications.
Once the data map is in place, organizations can then proceed to develop policies that address personal cloud use. The policy should include audit and enforcement mechanisms to gauge policy observance. Those mechanisms ought to include the right to monitor, access, and disable employee use of personal clouds.
Companies should also consider examining terminated employees’ computer activity and corporate devices to detect whether there was illicit use of personal clouds. Such a step may not be practicable for many clients who lack the resources for a thorough review of every employee device. If a comprehensive sweep is cost prohibitive, clients should consider conducting a review of those employees whose exposure to proprietary information would carry the greatest risk to the enterprise if disclosed.
The challenges with consumer cloud applications need not be an intractable problem. Following industry best practices can help enterprises mitigate the harm created from personal cloud use and avoid many of the worst problems associated with personal cloud use in the workplace.