Will the “Internet of Things” Be A Nightmare for Trade Secrets?

I’ve been on a bit of a hiatus from posting over the past couple of weeks, during which I had a bench trial on a trade-secrets injunction. Since that case is still pending, I’m not going to write about it just yet.

Today, let’s look at the so-called “internet of things” — the increasing number of household, business, and other objects that are now internet enabled. I love being able to access things like my home alarm and thermostat remotely via my iPhone. And there’s no question that the “internet of things” will be growing exponentially in the near future. But does this present a threat to trade secrets and proprietary information?

A recent blog post by Michael Jordon shows the risks. He exposed security weaknesses in internet-enabled printers by getting a Cannon Pixma wireless printer to run the classic video game “Doom.”

The post contains a lot of technical details. But most importantly, his exercise shows that internet-enabled printers lag far behind traditional network devices when it comes to security. This is critical: if someone can hack into your company’s printers, they could have access to all of the documents that were printed.

Jordon’s organization recommends avoiding the internet of things entirely:

Context recommends that you do not put your wireless printers on the Internet, or any other ‘Internet of Things’ device.  To defend against the CRSF [cross-site request forgery] attack, well don’t follow any dodgy links is the best advice I can come up with.  Context is not aware of anyone in the wild actively using this type of attack, but hopefully we can increase the security of these types of devices before the bad guys start to. Finally, make sure that you always apply the latest available firmware to your devices. This is often not an automatic process and may require checking on the manufacturer’s website for updates.

As time goes on, it will be very difficult, if not impossible, to avoid using the “internet of things” in a business context. When you do connect devices to the internet, assume that they have security vulnerabilities. Thus, before connecting the device to the internet, you need to work with your IT department/consultants to make sure that it has adequate security features.

 

Trade Secrets In the Cloud: When Can Cloud Providers Access and Share Your Information?

This is the second in a series of posts addressing trade secrets in the age of cloud computing.

In an earlier post, I talked about how cloud providers’ terms of service affect trade-secret protections. In particular, to the extent companies store proprietary information with cloud providers who can access and share stored files, those companies may not be taking reasonable efforts to protect their information (as required by the Uniform Trade Secrets Act).

Now, let’s take a closer look at some of the more popular cloud providers’ terms of service:

Dropbox: Dropbox can only share data without the user’s consent in very limited circumstances:

To be clear, aside from the rare exceptions we identify in our Privacy Policy, no matter how the Services change, we won’t share your content with others, including law enforcement, for any purpose unless you direct us to.

We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. . . . Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.

Amazon: As part of Amazon Cloud Drive’s terms of use, Amazon can access and use stored files:

We may use, access, and retain Your Files in order to provide the Service to you and enforce the terms of the Agreement, and you give us all permissions we need to do so.

Microsoft: In contrast, Microsoft’s service agreement grants Microsoft broader powers to use stored information:

When you upload your content to the services, you agree that it may be used, modified, adapted, saved, reproduced, distributed, and displayed to the extent necessary to protect you and to provide, protect and improve Microsoft products and services.

Apple: iCloud’s terms and conditions also give Apple relatively broad powers to access and share stored content:

You acknowledge and agree that Apple may, without liability to you, access, use, preserve and/or disclose your Account information and Content to law enforcement authorities, government officials, and/or a third party, as Apple believes is reasonably necessary or appropriate, if legally required to do so or if we have a good faith belief that such access, use, disclosure, or preservation is reasonably necessary to: (a) comply with legal process or request; (b) enforce this Agreement, including investigation of any potential violation thereof; (c) detect, prevent or otherwise address security, fraud or technical issues; or (d) protect the rights, property or safety of Apple, its users, a third party, or the public as required or permitted by law.

There are wide differences here. As I mentioned previously, I’m not aware of a court addressing this issue. But companies should feel more comfortable storing proprietary information with Dropbox or Amazon, which make clear they will only be sharing files in very limited circumstances. Also, companies should encrypt files containing proprietary information, which would further protect this information.

Microsoft and Apple have materially broader rights to access and share files. Storing documents with these providers could open the door for an argument that the user did not reasonably protect its proprietary information.

Trade Secrets in the Cloud: Stormy Weather?

Image

This is the first in a series of posts addressing trade secrets in the age of cloud computing.

As companies increasingly turn to the cloud to store content, I’ve been considering the implications for trade-secret protections. Mostly, I have been thinking about how companies should restrict sharing of data and documents through services such as Dropbox. I will be addressing these issues in future posts.

But an article I read recently on nbcnews.com titled Is your cloud drive really private? Not according to the fine print made me think of something entirely different: once in the cloud, companies are at the mercy of the cloud provider’s terms of service.

According to this article, several cloud providers’ terms of service allow them to actively search stored files. This includes Apple, Microsoft, and Verizon Online. While the article discusses terms of service in the context of  locating and preventing child pornography (which is obviously a critical effort), I wonder how these terms of service affect a company that stores confidential documents in the cloud.

To be classified as a trade secret under the Uniform Trade Secrets Act, reasonable efforts must be taken to protect the information. Is it reasonable to store a trade secret on a cloud server when the provider can actively search the stored documents?

I am not aware of any court decisions addressing this issue. But, as long as the cloud provider cannot share these documents with anyone else (unless a crime is being committed), it seems to me that the mere fact that the cloud provider itself can access documents should not make the use of cloud services to store trade secrets unreasonable. Companies have to be able to contract with third parties to provide routine services without threatening trade-secret protections.

Certainly, before selecting a cloud-storage provider, it is important to understand the provider’s terms of service.

As technology evolves and moves forward at warp speed, new and unique issues relating to trade secrets are sure to emerge. I’m going to try to keep up with these issues on this blog.

%d bloggers like this: