Gathering Storm Clouds: Intersecting Cybersecurity & Secrecy
Currently there is a lot of sunshine amongst the clouds. But to what extent is a storm gathering for cloud computing? To date, cloud computing service providers have been successful in offering customers a cost-efficient way to scale up their IT needs. As Forbes reported, “cloud computing spending is growing at 4.5 times the rate of IT spending since 2009 and is expected to grow at better than 6 times the rate of IT spending from 2015 through 2020.” Currently there is a turf war over this lucrative market engaging Alibaba, Microsoft, Google and Amazon. From a business perspective, cloud computing provides certain commercial advantages such as ease of managing and spreading risks associated with cybersecurity breaches. But cloud computing can also disrupt a business’s plans to maintain trade secrecy and attorney-client privilege. This issue highlights how emerging technologies, like cloud computing, create new legal challenges that will fundamentally affect how businesses weigh their legal risks against newly perceived IT conveniences.
- Part I takes a look at the need for effective disaster recovery plans in light of increasing cyber-attacks.
- Part II examines the pros and cons of cloud computing from IP protection and attorney-client privilege perspectives and explores the tension between corporate secrecy and disaster recovery.
- Part III recommends a hybrid cloud model to address the balance between disaster recovery and secrecy.
Part I: Sunny Cloud Benefits
Cloud computing offers businesses a simple way to scale up their IT needs in response to their operations, often avoiding the need for large upfront capital expenditures on system hardware. Cloud computing also lets businesses store or back up mission-critical data in multiple jurisdictions, accessible from anywhere over the Internet.
As I wrote here, cyber-attacks are at an all-time high. The 2017 Cost of Data Breach Study: Global Overview conducted by the Ponemon Institute and IBM Security studied 419 companies in 13 countries that have suffered data breaches. It found that 27.7 percent of these companies will suffer another material data breach in the next 24 months. The study found that US$3.62 million is the average total cost of a data breach, with US$141 as the average cost per lost or stolen record.
Cloud computing helps mitigate the effects of cyber-hacking in two major ways.
First, it allows a business holding sensitive data like client credit history to spread that information across multiple storage servers located in different jurisdictions. Instead of keeping sensitive information all in one server location, it can be broken down into smaller components and stored worldwide. Storing sensitive information in such a decentralized fashion discourages hackers from targeting it by reducing the incentives to do so. It also mitigates the effects of a hack since only a portion of the total information on storage worldwide has been compromised. Otherwise, storing sensitive information in one location is akin to creating a “honeypot” that raises the financial incentives for thieves to hack it. The days of a centralized storage system or honeypot of sensitive information are limited in light of the recent Equifax hack in which records of over 55% of Americans over the age of 18 were compromised.
Second, cloud computing allows businesses to back up important data and mission-critical software applications in multiple jurisdictions. This is a good thing from a cybersecurity perspective because it allows corporate clients to better react to cyber-attacks by engaging in faster disaster recovery protocols.
Both of the above functions allow businesses to engage in more efficient disaster recovery protocols. For example, application code can be configured on an equivalent disaster recovery environment running that same code for web-based servers. Corporate data may be stored directly on cloud-native databases which may be configured to do disaster recovery via the cloud platform.
Storing or backing up corporate data in the cloud may be a good idea for most businesses. But businesses that invest significantly in researching or developing intellectual property rights may be naturally hesitant, for security reasons, to store or back up such valuable information on a cloud platform maintained by an outside third party.
Part II: Looming Legal Issues
Cloud computing has one major disadvantage from a legal perspective: it undercuts the ability of intellectual property intensive businesses (like most valuable companies in the world nowadays) to maintain the confidentiality of their trade secrets.
No one can doubt the importance of technology in creating wealth and jobs as well as its ever-growing influence in all aspects of life within any society. The World Economic Forum reported in 2017 that “[t]en years ago, banks and energy companies dominated the top ten [companies by market cap]. Today, it’s technology companies, with US computer company Apple in the number one spot.” Technology-driven business models depend to some extent on owning proprietary intellectual property rights like trade secrets, which may not be conducive to being stored on the public cloud.
What is a “trade secret”?
As I have written here, there are many ways for a company to protect and monetize its intellectual property. It may do so under patent, trademark or copyright laws. It may also do so by simply keeping whatever it is trying to monetize a secret. For example, software code may be protected by a patent (assuming it satisfies subject matter eligibility amongst other requirements, which may be hard to do nowadays under unfavorable U.S. federal case law), by copyright (which provides limited protection of the underlying inventive idea) or as a trade secret. Various jurisdictions define trade secrets differently, but the general principle is as follows.
A trade secret consists of:
- any information, formula, pattern, compilation, program, device, method, technique or process that:
  - derives independent economic value from not being generally known to other persons who can obtain economic value from its disclosure or use; and
  - is the subject of efforts that are reasonable under the circumstances to maintain its secrecy. (See here).
In other words, a trade secret protects anything that is valuable so long as its owner uses reasonable efforts to keep it a secret. If these requirements are met, then the owner has the right to sue any person who misappropriates its trade secret for damages and/or an injunction, depending on the relevant jurisdiction. Unlike patents, there is no expiration to such right.
Keeping Trade Secrets in the Cloud?
There are two important considerations, legal and business, which should be kept distinct when it comes to deciding whether to put proprietary information on a third party maintained cloud platform. Each consideration should be analyzed carefully in designing a cloud use program.
From a legal perspective the key test for maintaining the confidentiality of a trade secret is “using reasonable efforts” to keep it a secret. Since the test is not absolute, what constitutes “reasonable efforts” depends on industry practice, the sensitivity of the underlying information, costs involved, the terms of the cloud services agreement and the actions of the company storing such information. Most legal experts would agree that storing proprietary data in an encrypted format along with strict access controls (such as multi-factor authentication) under a non-disclosure agreement with the cloud service provider would be a meaningful way to show that “reasonable efforts” have been taken to maintain the secrecy of trade secrets stored in the cloud.
However, from a business perspective, it may not be wise to store valuable proprietary information like trade secrets in a third party maintained cloud platform even if such information is stored in an encrypted format with strict access controls. For example, Intel spent US$12.7 billion in research and development in 2016 (which represented 22.4% of its semiconductor sales for 2016). This is a significant amount of money, which exceeds the gross revenue of most companies, and Intel would be naturally hesitant to store the fruits of its very expensive R&D program off-site on servers shared with other cloud users who may or may not be its competitors (despite the advantages of doing so outlined in Part I above).
There are two major pitfalls in storing valuable trade secrets on a third party maintained cloud server.
First, cloud platforms offer only cybersecurity solutions, such as firewalls, that focus on preventing brute entry or network security exploits. These solutions do not allow the owner of the information to maintain close control and oversight over extremely valuable sensitive information stored off-site on the public cloud. If something goes wrong at the public cloud and someone has hacked into valuable proprietary information, the owner may not get as immediate a response from the cloud service provider as from its own internal IT team. Businesses with valuable trade secrets are naturally hesitant to store them on a third party cloud platform since they cannot maintain as much control over this information as they would prefer.
Second, there is the issue of whether the cloud service provider can meaningfully compensate the owner of valuable trade secrets compromised in a cyber-attack against the relevant cloud server. Most cloud services providers waive or significantly limit their liability in case of a data breach. Even if they are liable to make compensation up to a specified limit, such payment would hardly remedy the business and reputation loss suffered or to be suffered by the trade secret owner. Of course cyberinsurance may be purchased, but almost all major insurers that I know exclude coverage for intellectual property assets like trade secrets. For example, Coca-Cola maintains its beverage formula as a trade secret on IT systems maintained, operated and stored under its own premises and control. Coca-Cola does not store its crown jewel formula in the public cloud. Naturally, Coca-Cola is cautious about storing this information on any third party maintained cloud platform even if it is done in an encrypted format. The risk of vesting control over one of its corporate crown jewels in a third party is simply too great, despite the advantages of cloud computing discussed in Part I.
Keeping Attorney-Client Confidential Communications in the Cloud?
The above analysis on trade secrets in the cloud also applies to attorney-client confidential communications (or any other communications or information which must be kept confidential for legal, business or ethical reasons). Communications between an attorney and its client as well as information relating to the representation of that client must be kept confidential by the attorney. This is a key principle underlying the client and attorney relationship. Without the client’s consent, the attorney is not permitted to reveal such communications. Otherwise the attorney could face administrative sanctions or malpractice lawsuits. (See Rule 1.6 of the Model Rules of Professional Conduct here.) This builds trust and encourages the client “to seek legal assistance and to communicate fully and frankly with the lawyer even as to embarrassing or legally damaging subject matter”. The standard for keeping attorney-client communications confidential is similar to the test for trade secrets. Rule 1.6 sub-paragraph 18 of the Model Rules of Professional Conduct requires the lawyer to make “reasonable efforts to prevent the access or disclosure” of client communications and information related to its representation.
For example, the recent case of Harleysville Insurance Company v. Holding Funeral Home, (No. 1:15cv00057, memorandum op. (WD Va. Feb. 9, 2017)) sheds some light on what constitutes “reasonable efforts” to maintain the confidentiality of client information. There the court held that uploading sensitive client information to a publicly accessible third-party maintained file-sharing website caused the loss of any attorney-client privilege over that information. This is because Harleysville’s counsel did not use a password to protect the URL link created for the file shared online. This meant that anyone could have accessed that information as the information was not password protected. Therefore in that instance, no reasonable measures were taken to protect the confidentiality of the underlying client information.
The required actions to keep client communications confidential from a legal viewpoint mirror those for keeping trade secrets confidential: using encryption, implementing strict access control and keeping accurate data logs.
However, an attorney may be hesitant to upload confidential client information to a public cloud server even after implementing the required safeguards such as data encryption. For the same reasons as in the trade secret context, the attorney loses control and oversight over sensitive client communications, which, if breached in the public cloud, could undermine the ultimate success of its client’s legal position and case.
The recent hacking of a major global accounting firm (“Firm”) provides some guidance into this critical area. Although the Firm is primarily an accounting firm and not a law firm per se, it does provide legal consulting services to its clients. It also provides other consulting services like reviewing the adequacy of client cybersecurity measures. So the client information it stores on the public cloud is extremely valuable. Unfortunately, like a story often repeated in the business world today, the Firm was hacked (exactly when is not clear from reports) and the intruder(s) were able to roam freely around client files stored in the public cloud (how many files were affected is not clear). According to reports, the hackers “gained access to an administrator account of the email service, which is hosted in [a major public cloud service provider], granting extensive control and access to data. The account apparently was not protected by two-factor authentication, hinging on a single password.” The industry is not sure whether the information stored on the cloud had been encrypted.
In light of the above alleged lapses in security (such as the alleged failure to use two-factor authentication to secure the system admin account), it is debatable whether certain communications or trade secrets lost their confidential status as a result. Only a finding by a court of law or arbitration tribunal can determine this.
Part III: Balancing Safety & Secrecy
There seems to be a contradiction between implementing an effective cybersecurity-driven disaster response plan (which is “open” in nature) and the protection of confidential communications and trade secrets (which is “closed” in nature). To address this tension, this essay recommends that businesses managing valuable proprietary trade secrets and confidential client communications use a hybrid public-private cloud architecture.
The Open Nature of Disaster Recovery Plans
Disaster response plans assume that data is stored in multiple cloud servers spread throughout different physical locations and overseas jurisdictions. There is a direct relationship between the effectiveness of the response plan and the extent to which data has been stored in a decentralized manner. In case of emergency, corporate users can access such data stored in the public cloud from any device anywhere in the world so long as they can access the Internet. Keeping secrets in the public cloud may be convenient from a disaster recovery perspective, but not from a trade secret perspective.
The Closed Nature of Confidential Information & Proprietary Assets
As noted above, Coca-Cola does not store its crown jewel beverage formula on the public cloud for fear of losing control and oversight. This is understandable. Companies that own mission-critical trade secrets also prefer to store them locally in their own IT system, cut off from the Internet. Keeping such trade secrets or confidential communications secure requires their owners to maintain a storage architecture that is closed off to the outside online world for maximum security. Maintaining maximum security is a good thing for keeping trade secrets confidential but doing so increases the risk of a very poor disaster response plan.
Hybrid Cloud Model Recommendation
Businesses that manage proprietary and confidential information should adopt a hybrid cloud approach. Less sensitive data and information may be stored on the public cloud in servers owned, operated and maintained by an outside cloud service provider with resources shared with other subscribers that can be accessed via the open Internet. Public clouds are also a good location for:
- software as a service (SaaS) applications using a pay as you go model;
- CRM apps; and
- development platform services.
Doing so allows businesses to take advantage of the benefits usually associated with public cloud services, like pay-as-you-scale packages.
Now let’s take a look at using private cloud servers in conjunction with public ones. Because private clouds can provide a higher level of security, control and oversight, they should hold sensitive corporate data or information. In addition to storing trade secrets and confidential communications, private cloud servers housed on-premises or in secure colocation facilities (managed over a private Ethernet connection) can also store:
- employee data;
- unreleased financial data; and
- data related to compliance regimes (like the European GDPR privacy regime).
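The placement rule above and the controls named in Part II (encryption, logging, password-protected share links, two-factor authentication on administrator accounts) can be checked mechanically against a data inventory. The following Python code is an added example, not part of the original essay; the record fields, category labels and sample inventory are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

# Categories Part III assigns to the private cloud (labels are hypothetical).
PRIVATE_ONLY = {"trade_secret", "privileged_comms", "employee_data",
                "unreleased_financials", "compliance_data"}

@dataclass
class Asset:                      # hypothetical inventory record, not a provider API
    name: str
    category: str
    location: str                 # "public" or "private"
    encrypted: bool
    link_shared: bool = False     # reachable through a share URL
    link_password: bool = False
    access_logged: bool = True

@dataclass
class Account:
    name: str
    is_admin: bool
    mfa: bool

def audit(assets, accounts):
    """Return (subject, finding) pairs for every control gap in the inventory."""
    findings = []
    for a in assets:
        sensitive = a.category in PRIVATE_ONLY
        if sensitive and a.location == "public":
            findings.append((a.name, "sensitive data on public cloud"))
        if sensitive and not a.encrypted:
            findings.append((a.name, "not encrypted"))
        if sensitive and not a.access_logged:
            findings.append((a.name, "no access log"))
        if a.link_shared and not a.link_password:
            findings.append((a.name, "share link without password"))
    for acct in accounts:
        if acct.is_admin and not acct.mfa:
            findings.append((acct.name, "admin account without MFA"))
    return findings

# Constructed sample inventory (not real data).
SAMPLE_ASSETS = [
    Asset("crm-export", "crm", "public", encrypted=True),
    Asset("formula-v3", "trade_secret", "public", encrypted=True),
    Asset("claims-file", "privileged_comms", "private", encrypted=False,
          link_shared=True, link_password=False),
    Asset("payroll-2017", "employee_data", "private", encrypted=True,
          access_logged=False),
]
SAMPLE_ACCOUNTS = [
    Account("mail-admin", is_admin=True, mfa=False),
    Account("j.doe", is_admin=False, mfa=False),
]

if __name__ == "__main__":
    for subject, finding in audit(SAMPLE_ASSETS, SAMPLE_ACCOUNTS):
        print(f"{subject}: {finding}")
```
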
There are additional costs associated with the hybrid model because enterprises would need to pay public cloud service providers’ fees as well as the capital expenditures and operating expenses needed to build and maintain a private cloud system. But enterprises do not seem to mind paying extra for peace of mind. According to a survey, about 32% of small or medium-sized businesses prefer to maintain a hybrid cloud arrangement.
No one can deny the many practical benefits and conveniences of cloud server and computing technology. But enterprise data risk management is about more than just using the latest technology. Businesses need to take a measured look at how they conduct data management and storage, especially if they work with or develop proprietary information. Storing everything in the public cloud may lower capital expenditure and operation fees but increases the risk of losing the confidential nature of their trade secrets and privileged communications. This is why adopting a hybrid cloud computing model may keep the clouds shiny and your sensitive information secret.