Consumer-grade cloud solutions are one of the most useful innovations in the digital age. With increased storage for photos, music, and other documents, personal cloud applications can help consumers avoid losing their data when a computer hard drive inevitably fails. Furthermore, the transfer functionality afforded by personal clouds enables users to seamlessly move information between computers, smartphones, and other devices.
As discussed in an article that ALM publication The Recorder first published earlier this month, it should come as no surprise that employees have used personal clouds to facilitate work duties. Providers like Box, Dropbox, and Google Drive can obviate clunky network storage options and simplify data sharing and teamwork among colleagues. These and other features seem to make personal clouds an ideal tool for facilitating business activities within an organization.
Appearances can be deceiving, and such is the case with personal clouds in the workplace. From information retention to litigation readiness to cybersecurity, personal cloud use implicates a range of problems for organizations. One of the more troubling aspects of personal cloud use is the threat it poses to corporate trade secrets. Whether through corporate “bring your own cloud” (BYOC) practices or shadow use, personal cloud applications expose trade secrets to theft and corporate espionage.
Corporate Approved BYOC Accounts
Organizations have in some instances openly welcomed the use of personal clouds by their employees. Whether by policy or by practice, corporate IT departments have approved personal cloud use by expressly enabling its functionality. And yet, little effort is made to prevent employees from transferring confidential materials from company servers to a personal cloud. Such corporate inaction is problematic on multiple levels, particularly when an employee leaves with proprietary information and begins working for a competitor.
For example, in Selectica v. Novatus, plaintiff (Selectica) filed suit against defendant (Novatus), claiming Novatus misappropriated various trade secrets. At the heart of its suit was Selectica’s allegation that a former employee (Holt) shared its pricing information with a member of Novatus’ senior management after joining Novatus. Holt still had access to that information because it was stored with Box, a cloud storage provider. The Box account was not a stealth cloud drive concealed from Selectica. Instead, Selectica expressly authorized Holt to store that data with Box under a BYOC arrangement:
While employed by Selectica, [Holt] had a company laptop computer which, on Selectica’s recommendation, was configured so that it automatically synced to his personal cloud storage account at Box.com. This meant that when Holt saved a file to the laptop, the system pushed a copy to his Box account.
Despite having enabled the BYOC arrangement with Holt, Selectica apparently neglected to disable the Box account or remove any proprietary materials upon Holt’s departure. As a result, Holt had full access to the pricing information when he joined Novatus.
Selectica demonstrates the folly of a lax approach to personal cloud use. While Selectica enabled the Box account for backup purposes, the company took no action to protect its information from misappropriation. Selectica did not obtain Holt’s login credentials to the Box account or monitor Holt’s use of the account. Nor did Selectica disable the Box account when Holt left the company. Furthermore, Selectica took no action to confirm that Holt had returned or destroyed its information before going to work for Novatus. Any one of these steps – and certainly a combination of them – would likely have prevented the disclosure of Selectica’s product pricing information to a competitor. Selectica exemplifies the need for corporate oversight of BYOC accounts if organizations are to prevent their trade secrets from falling into the hands of competitors.
Shadow Use of Personal Clouds
Beyond the BYOC ecosystem stands the equally problematic scenario of shadow use of personal clouds. Such a scenario involves employees who use cloud applications at work in violation of company policy or without express approval. While some employees use clouds to facilitate their work, others do so clandestinely to sabotage the company or to gain a competitive advantage after leaving the enterprise.
For example, in Toyota Industrial Equipment Manufacturing v. Land, a managerial-level employee (Land) used his Google Drive account to remove hundreds of critical documents from his employer (Toyota) before going to work for a competitor. On the eve of his departure from Toyota, Land placed approximately 800 “files and folders” on Google Drive that included technical specifications reflecting the proprietary design of certain industrial equipment, along with related pricing and financial information. That Land removed and then retained Toyota’s proprietary information after his departure from the company – in violation of his non-disclosure agreement – resulted in a court injunction that prevented Land from working for Toyota’s competitor.
The Toyota Industrial case is illustrative of the harm that employers may suffer if they fail to deploy safeguards to prevent or detect stealth use of personal clouds. For instance, Toyota did not establish a process to detect the possible use of personal cloud applications. Nor were any efforts made to either examine Land’s computer activity or to verify his next work destination after he tendered his resignation. Instead, Toyota allowed Land to work for another two weeks before his termination. It was only after discovering that Land was working for a competitor that Toyota began taking steps to protect its proprietary information.
Proactive Steps to Address Personal Cloud Use
With employees now regularly using personal clouds in connection with their work responsibilities, clients must be prepared to counteract their negative effects. They can generally do so through a proactive approach to information governance. A first step in this regard is to create a data map that identifies the locations both on and off the corporate network where company information resides. While a data map is useful for both information retention and litigation purposes, it is essential for controlling ingress and egress to proprietary information – precisely the data endangered by personal cloud applications.
Once the data map is in place, organizations can then proceed to develop policies that address personal cloud use. Whether an enterprise chooses to ban personal clouds or to adopt a BYOC-friendly environment, the policy should include audit and enforcement mechanisms to gauge policy observance. Those mechanisms ought to include the right to monitor, access, and disable employee use of personal clouds. Related steps like blocking programs will also be required for those organizations that proscribe cloud use since employees will likely circumvent such a policy.
In a BYOC ecosystem, applicable protocols should additionally describe what company data can or cannot be transferred to the cloud. Clients should also require the disclosure of user login credentials for approved cloud applications to ensure appropriate policy compliance. Upon an employee’s termination, BYOC accounts should either be disabled or the company should verify that company data previously maintained in the account has either been returned or destroyed.
Organizations should also consider examining terminated employees’ computer activity and corporate devices to detect whether there was illicit use of personal clouds. Such a step may not be practicable for many clients who lack the resources for a thorough review of every employee device. If a comprehensive sweep is cost-prohibitive, clients should consider conducting a review of those employees whose exposure to proprietary information would carry the greatest risk to the enterprise if disclosed. Despite the expense of such a procedure, it would likely have obviated much of the litigation that ensued in Selectica and Toyota Industrial.
The challenges with consumer cloud applications need not be an intractable problem. Following industry best practices can help clients either obviate or mitigate the harm created from personal cloud use. While not a panacea, following such practices should help companies avoid many of the worst problems associated with personal clouds in the workplace.