Launching Documents Natively and Redaction
December 17, 2015
The Interplay between Proportionality and Information Governance
January 25, 2016

Polluting the Corporate Environment with Employee Use of Personal Clouds

The consumerization of IT has brought tremendous opportunity to the business world. By empowering employees with the convenience of smart phones, tablet computers, and cloud computing, companies can transact business across the globe at any time and in any place.

Despite the obvious benefits, consumerization has also introduced a number of problems into the corporate environment. As I discussed recently on a podcast with ACEDs, this is especially the case with employee use of personal cloud computing providers such as Dropbox, Box, and iCloud.

“Bring your own cloud” (BYOC) environments in the workplace can complicate efforts to maintain the confidentiality of proprietary information. As described in a recent case, this is because they allow “a user to store and access files from virtually any computer, smart phone or similar device that has internet access.” Indeed, upstream information governance programs that fail to address employee use of personal clouds can result in downstream disasters for enterprises such as compromised trade secrets. The PrimePay v. Barnes case is particularly instructive on this issue.

PrimePay v. Barnes

In PrimePay, plaintiff filed a trade secret misappropriation suit against one of its former executives (Barnes) who had established a competing enterprise. Plaintiff sought a preliminary injunction against the operation of Barnes’ business, arguing that he had taken several categories of confidential company information and stored it with Dropbox. Plaintiff argued that Barnes used the Dropbox-stored data to help start a competing company and then destroyed the materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”

Nevertheless, the court rejected plaintiff’s argument because Barnes’ Dropbox account fell under the company-approved BYOC policy:

"Barnes created the Dropbox [account] . . . so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.

Given that Barnes’ Dropbox account was a company-approved BYOC provider and in
light of other factors suggesting Barnes did not access the Dropbox files after leaving his employment with plaintiff, the court did not find evidence of trade secret misappropriation. While the court did order the destruction of plaintiff’s remaining confidential information that was stored on the Dropbox account, it refused to issue a preliminary injunction against the operation of Barnes’ competing company."

Keeping the Corporate Environment Clean

PrimePay spotlights the importance of developing actionable BYOC policies to secure proprietary information and protect other corporate interests. If those policies permit the use of personal clouds, they will need to clearly describe what data can or cannot be transferred to the cloud. They must also include audit and enforcement mechanisms to gauge policy observance and disciplinary measures for noncompliance. Related procedures are also advisable for those organizations that forbid personal cloud use since many employees will likely circumvent such a policy if it lacks audit and enforcement measures.

BYOC policies should also define the nature and extent of the organization’s right to access, retain, and/or destroy data on a personal cloud for information governance purposes. In addition, they should delineate the organization’s right to disable a BYOC account either during or after employment to address the problems created in PrimePay. Furthermore, those policies should outline the extent of any employee privacy rights in the data stored in the cloud.

Following these suggestions can help enterprises prevent or ameliorate the pollution that personal clouds have introduced into the corporate ecosystem.

Philip Favro
Philip Favro
Philip Favro acts as a trusted advisor to organizations and law firms on issues surrounding discovery and information governance. Phil provides guidance on data preservation practices, litigation holds, data collection strategies, and ESI search methodologies. In addition, he offers direction to organizations on records retention policies and the need to manage dynamic sources of information found on smartphones, cloud applications, and social networks. Phil is available to serve as a special master on issues related to electronic discovery. Phil is a nationally recognized thought leader and legal scholar on issues relating to the discovery process. His articles have been published in leading industry publications and academic journals and he is frequently in demand as a speaker for eDiscovery education programs. Phil is a member of the Utah and California bars. He actively contributes to Working Group 1 of The Sedona Conference where he leads drafting teams and serves as the Steering Committee project manager. Prior to joining Driven, Phil practiced law in Northern California where he advised a variety of clients regarding business disputes and complex discovery issues. He also served as a Judge Pro Tempore for the Santa Clara County Superior Court based in Santa Clara, California.