Launching Documents Natively and Redaction
December 17, 2015
The Interplay between Proportionality and Information Governance
January 25, 2016

Polluting the Corporate Environment with Employee Use of Personal Clouds

The consumerization of IT has brought tremendous opportunity to the business world. By empowering employees with the convenience of smart phones, tablet computers, and cloud computing, companies can transact business across the globe at any time and in any place.

Despite the obvious benefits, consumerization has also introduced a number of problems into the corporate environment. As I discussed recently on a podcast with ACEDs, this is especially the case with employee use of personal cloud computing providers such as Dropbox, Box, and iCloud.

“Bring your own cloud” (BYOC) environments in the workplace can complicate efforts to maintain the confidentiality of proprietary information. As described in a recent case, this is because they allow “a user to store and access files from virtually any computer, smart phone or similar device that has internet access.” Indeed, upstream information governance programs that fail to address employee use of personal clouds can result in downstream disasters for enterprises such as compromised trade secrets. The PrimePay v. Barnes case is particularly instructive on this issue.

PrimePay v. Barnes

In PrimePay, plaintiff filed a trade secret misappropriation suit against one of its former executives (Barnes) who had established a competing enterprise. Plaintiff sought a preliminary injunction against the operation of Barnes’ business, arguing that he had taken several categories of confidential company information and stored it with Dropbox. Plaintiff argued that Barnes used the Dropbox-stored data to help start a competing company and then destroyed the materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”

Nevertheless, the court rejected plaintiff’s argument because Barnes’ Dropbox account fell under the company-approved BYOC policy:

"Barnes created the Dropbox [account] . . . so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.

Given that Barnes’ Dropbox account was a company-approved BYOC provider and in
light of other factors suggesting Barnes did not access the Dropbox files after leaving his employment with plaintiff, the court did not find evidence of trade secret misappropriation. While the court did order the destruction of plaintiff’s remaining confidential information that was stored on the Dropbox account, it refused to issue a preliminary injunction against the operation of Barnes’ competing company."

Keeping the Corporate Environment Clean

PrimePay spotlights the importance of developing actionable BYOC policies to secure proprietary information and protect other corporate interests. If those policies permit the use of personal clouds, they will need to clearly describe what data can or cannot be transferred to the cloud. They must also include audit and enforcement mechanisms to gauge policy observance and disciplinary measures for noncompliance. Related procedures are also advisable for those organizations that forbid personal cloud use since many employees will likely circumvent such a policy if it lacks audit and enforcement measures.

BYOC policies should also define the nature and extent of the organization’s right to access, retain, and/or destroy data on a personal cloud for information governance purposes. In addition, they should delineate the organization’s right to disable a BYOC account either during or after employment to address the problems created in PrimePay. Furthermore, those policies should outline the extent of any employee privacy rights in the data stored in the cloud.

Following these suggestions can help enterprises prevent or ameliorate the pollution that personal clouds have introduced into the corporate ecosystem.

Philip Favro
Philip Favro
Philip Favro brings over fifteen years of experience to his position as a consultant for Driven. Phil is a thought leader and a legal scholar on issues relating to the discovery process, the confluence of litigation and technology, and information governance. His articles have been published in leading industry publications and academic journals and he is frequently in demand as a speaker for eDiscovery education programs. Phil’s expertise has been enhanced by his practice experience as a litigation attorney. During his eleven years of practice, Phil advised a variety of clients regarding business disputes and complex discovery issues. Phil is a member of the Utah and California bars. He actively contributes to Working Group 1 of The Sedona Conference and to the Coalition of Technology Resources for Lawyers (CTRL). Phil has also served as a Judge Pro Tempore for the Santa Clara County Superior Court based in Santa Clara, California.
X
//]]>