As many businesses look to reduce the expenses associated with their information technology services, lower cost alternatives to traditional storage are becoming more and more commonplace. The growing trend has been for businesses to opt out of expensive system hardware, and instead store their confidential data with internet storage services, such as the “cloud.” Apart from their financial advantages, cloud-based servers also provide the benefit of easy remote access to information for any employees on whom an employer wants to bestow such a privilege (and responsibility). The growing popularity of the cloud as a place to store confidential information, including trade secrets, inevitably begs the question: Is all proprietary information that is stored in a cloud-based server entitled to trade secret protection? A recent decision of the Court of Special Appeals of Maryland confirms that the question is not easily answered, and there are legal risks associated with storing trade secrets in the cloud.
A brief reminder of what a trade secret is will inform the unique issues raised by cloud storage. Under Maryland law, a trade secret is defined as information (including a formula, pattern, compilation, program, device, method, technique, or process) that: (1) derives independent economic value from not being generally known to or readily ascertainable by others; and (2) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. So, for example, the formula for Coca-Cola creates economic value for the Coca-Cola company because the formula is secret, and not generally known. If the company were to fail to take reasonable efforts to protect the secrecy of the formula, though, it would lose trade secret protection.
The Court of Special Appeals recently addressed the issue of what efforts are reasonable, in the context of cloud storage. In ProExpress Distributors v. Grand Electronics, LLC, the Court of Special Appeals signaled to businesses everywhere that dangerous storms roll in when trade secrets are not properly kept in the cloud.
ProExpress Distributors (“PED”), an online retailer of electronic products, sued Grand Electronics (“GE”), a competitor, for misappropriation of trade secrets. PED electronically stored various business records, including its purported trade secret, on various cloud-based servers such as Dropbox and Google Drive. PED shared access to its internet storage accounts with CNEST Solutions, Inc. (a separate, non-party entity) and its employees. The accounts were password-protected, but once granted initial access, all PED and CNEST employees had free and open access to all of the accounts without having to enter any password to further access the site. PED alleged that a former at-will employee of CNEST Solutions (a non-party with whom PED voluntarily shared its internet storage accounts, such as Dropbox and Google Drive) discovered that he had continued access to PED’s Dropbox account, and viewed PED’s trade secrets while employed by GE.
PED claimed that the trade secrets misappropriated by GE’s employee (the former employee of CNEST) provided GE with a commercial advantage, as evidenced by a significant jump in GE’s sales and a corresponding decrease in PED’s sales.
The Court of Special Appeals focused its analysis on whether PED demonstrated efforts that were “reasonable under the circumstances to maintain secrecy,” and examined a 2004 Court of Appeals decision, LeJeune v. Coin Acceptors, Inc. In LeJeune, the Court of Appeals found that a company had taken reasonable steps to safeguard secrecy by: negotiating non-disclosure agreements with its customers to prevent price disclosure, marking all important documents as “confidential,” and communicating the secret nature of its methodology to its employees through an employee handbook.
Applying the LeJeune Court’s rationale, the Court of Special Appeals found that PED failed to produce any evidence that it took reasonable efforts to protect its purported trade secrets. First, PED did not change the password to its Dropbox account after a group of its employees left to found GE. Furthermore, PED failed to limit access on a “need to know” basis within the company, as all employees had free and open access once granted initial access. Finally, PED provided Dropbox access not only to all of its own employees, but also to all CNEST employees without the protections of confidentiality or non-disclosure agreements. In short, PED took almost no steps to protect the secrecy of its supposed trade secret. The Court easily and correctly found that PED’s supposed efforts were not reasonable under the circumstances, and that its supposed trade secret was not entitled to protection.
As the Court’s decision demonstrates, businesses that utilize cloud-based servers risk losing trade secret protection when valuable data is not properly kept on a third-party server. Maryland case law on the issue remains sparse. Nonetheless, the ProExpress decision suggests that traditional principles of trade secret law will still apply in the context of cloud storage. In other words, courts will continue to focus on a company’s own actions to maintain confidentiality in determining whether use of cloud-based servers is a reasonable way to store trade secrets. As a practical matter, businesses that are utilizing cloud storage should engage in efforts such as limiting access to trade secrets to only those with a need to know, maintaining a written trade secret policy that guides employees, and requiring employees and third-party service providers to sign confidentiality or non-disclosure agreements.