Cloud computing technology has been recently touted to have a number of benefits from a management and productivity standpoint. Cloud systems can provide businesses with improved capabilities to access, share and manage electronic data and can further enable employees to work and collaborate from remote locations. Such technology can additionally reduce operational expenses by outsourcing certain IT costs to third-party service providers. In light of such benefits, cloud technology has become increasingly popular among all types of businesses, from newly founded start-ups to established Fortune 500 companies.
Handing business-critical information over to a third party, however, can pose serious data security issues. Unfortunately, instances of data theft, misappropriation and inadvertent disclosure/transmission of confidential corporate information occur with some regularity. Such disclosure can be caused by internal forces, such as an employee or former employee with authorized access, or by external forces via hacking, data mining or even corporate espionage. The ubiquitous nature of cloud systems and their associated data access points makes cloud systems particularly vulnerable. Companies utilizing cloud computing technology should be aware of such risks and should consider taking additional precautions to maintain the secrecy of such information.
Such measures are not only important from a preventative standpoint, but can also be necessary from a legal/remedial perspective. Generally, information is only protectable as a trade secret if reasonable security measures are used to protect the secrecy or confidentiality of the information. Thus, where a company has proprietary electronic information taken by an unauthorized third party, the availability of legal recourse may depend on whether the company took reasonable steps to protect the secrecy of the information.
The question for company administrators often boils down to what specific types of security measures are needed in order to be considered “reasonable.” While there is no universal list of requirements which must be followed, this question can generally be answered by considering the nature of the proprietary information and the circumstances in which it is stored and used. Where the information is particularly sensitive to a business, more sophisticated data security solutions (or a combination of such solutions) may be needed over traditional measures that may have been adequate when electronic information was only accessible through onsite office desktops linked via an internal network.
Thus, depending on the circumstances, such reasonable security precautions for cloud systems may require:
- Private/internal management and control over the cloud server by the user (as opposed to a public third party provider)
- Maintaining the cloud server on the user’s premises in a secure location that can only be physically accessed by authorized technical personnel
- Electronic designation or tagging of confidential or proprietary electronic data, coupled with a data segregation application such as a firewall between confidential and non-confidential information, in order to prevent confidential information from being uploaded to the cloud server
- Using regularly changed secure passwords or sign-ins to limit technical access to the cloud platform to only high-level personnel or designated employees whose work requires access
- An electronic monitoring system that monitors and records access to files stored on the cloud server and provides alerts when files are electronically transmitted via email or stored to alternate locations or media
- Electronic encryption of files uploaded to the cloud server with public/private key pairs and secure algorithms requiring a confidential private key to decode the contents
While most of these measures have long been in use in connection with electronic data systems, the heightened vulnerability of cloud systems to security breaches warrants considering a plurality of security options in order to reasonably secure proprietary data.
Certainly, not every system can be made 100% secure from hostile security threats. Thus, it is generally recommended that the security measures discussed above be implemented together with other basic technical, physical, legal and educational precautions as part of a broader security protocol. In addition, regular security audits to identify potential vulnerabilities in light of new types of security threats are advisable for any business attempting to maintain proprietary electronic information. Such a comprehensive approach with multiple levels of security will likely provide the most effective means for protecting cloud technology systems from both a security standpoint and a legal perspective.