Published on Jan 7, 2016 The consumerization of IT has brought tremendous opportunity to the business world. By empowering employees with the convenience of smart phones, tablet computers, and cloud computing, companies can transact business across the globe at any time and in any place.
Despite the obvious benefits, consumerization has also introduced a number of problems into the corporate environment. As I discussed recently on a podcast with ACEDs, this is especially the case with employee use of personal cloud computing providers such as Dropbox, Box, and iCloud.
“Bring your own cloud” (BYOC) environments in the workplace can complicate efforts to maintain the confidentiality of proprietary information. As described in a recent case, this is because they allow “a user to store and access files from virtually any computer, smart phone or similar device that has internet access.” Indeed, upstream information governance programs that fail to address employee use of personal clouds can result in downstream disasters for enterprises such as compromised trade secrets. The PrimePay v. Barnes case is particularly instructive on this issue.
PrimePay v. Barnes
In PrimePay, plaintiff filed a trade secret misappropriation suit against one of its former executives (Barnes) who had established a competing enterprise. Plaintiff sought a preliminary injunction against the operation of Barnes’ business, arguing that he had taken several categories of confidential company information and stored it with Dropbox. Plaintiff argued that Barnes used the Dropbox-stored data to help start a competing company and then destroyed the materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”
Nevertheless, the court rejected plaintiff’s argument because Barnes’ Dropbox account fell under the company-approved BYOC policy:
“Barnes created the Dropbox [account] . . . so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.
Given that Barnes’ Dropbox account was a company-approved BYOC provider and in
light of other factors suggesting Barnes did not access the Dropbox files after leaving his employment with plaintiff, the court did not find evidence of trade secret misappropriation. While the court did order the destruction of plaintiff’s remaining confidential information that was stored on the Dropbox account, it refused to issue a preliminary injunction against the operation of Barnes’ competing company.”
Keeping the Corporate Environment Clean
PrimePay spotlights the importance of developing actionable BYOC policies to secure proprietary information and protect other corporate interests. If those policies permit the use of personal clouds, they will need to clearly describe what data can or cannot be transferred to the cloud. They must also include audit and enforcement mechanisms to gauge policy observance and disciplinary measures for noncompliance. Related procedures are also advisable for those organizations that forbid personal cloud use since many employees will likely circumvent such a policy if it lacks audit and enforcement measures.
BYOC policies should also define the nature and extent of the organization’s right to access, retain, and/or destroy data on a personal cloud for information governance purposes. In addition, they should delineate the organization’s right to disable a BYOC account either during or after employment to address the problems created in PrimePay. Furthermore, those policies should outline the extent of any employee privacy rights in the data stored in the cloud.
Following these suggestions can help enterprises prevent or ameliorate the pollution that personal clouds have introduced into the corporate ecosystem.
