Trade Secrets in the Cloud
Dr. Victoria Longshaw and Dr. Elizabeth Houlihan
The recent hacking scandal in which dozens of celebrity photos were leaked from iCloud, Apple’s cloud storage facility, is a stark reminder of how difficult it is to protect Confidential Information in the age of the Internet.
However, cloud services are not limited to photograph depositories, but include Web-based e-mail and any decentralised IT infrastructure technologies making use of the Internet, many of which are used by commercial entities. As such, cloud computing has become the norm for many businesses, and owners of Confidential Information rely heavily on the security measures put in place to protect their trade secrets. While Cloud providers generally have standard terms and conditions that apply to all of their customers, these may or may not include a contractual undertaking to keep information confidential and to ensure that their staff do so too.
The growing storage of Confidential Information in the cloud, and the complex relationships and contractual obligations surrounding such activity, is fast outstripping the laws that are intended to regulate it in many countries. Moreover, in Australia, the courts have had little opportunity to consider how a damages claim may be approached for the breach of Confidential Information relating to an invention for which an Applicant has not yet obtained enforceable Patent rights.
Protecting Confidential Information in Australia
- Equitable Action for Breach of Confidence
Australian law provides an action under the equitable Doctrine of Confidence. However, for a person or business entity to be able to apply for an injunction, or to support a claim of damages for disclosure of Confidential Information, they must first meet onerous evidence requirements.
In an action seeking damages for breach of confidence, the relevant Confidential Information must have been specifically identified as confidential; the information must have the necessary quality of confidence; it must have been given or received to import an obligation of confidence; and there must have been unauthorised use or disclosure of the information.
- The Privacy Act 1988 and Australian Privacy Principles (“APPs”)
Recent privacy law reform has resulted in the amendment of the Privacy Act 1988, which now includes a set of 13 new harmonised privacy principles regulating the handling of personal information by Australian and Norfolk Island government agencies and private sector organisations with an annual turnover of less than $3 million dollars.
These principles, effective from 12 March 2014 and called the Australian Privacy Principles (“APPs”), cover the collection, use, disclosure and storage of personal information. Personal information is defined as “information or an opinion about an identified individual, or an individual who is reasonably identifiable, whether the information or opinion is true or not and whether recorded in a material form or not.”
The Privacy Act 1988, and APPs, which regulate the inter alia collection and storage of personal information, may not immediately appear to be relevant to the protection of Confidential Information in the course of business. However, many companies regard the identity of their credit providers, suppliers and customers as Confidential Information, the secrecy of which is crucial to their bottom line.
The recent privacy law reforms provide recourse to the Office of the Australian Information Commissioner (“OAIC”), which investigates privacy complaints. Furthermore, civil penalties apply to credit reporting bodies inappropriately using or disclosing Confidential Information and reporting bodies must take reasonable steps to protect information from misuse, interference, loss, unauthorised access, modification or disclosure. The OAIC has issued extensive guidance as to what these “reasonable steps” include, many of which are more than what many businesses, and cloud storage providers, are currently doing to protect Confidential Information.
Some Practical Measures
- In circumstances where Confidential Information relating to an invention, for which a Patent Application has not yet been filed, is disclosed without the consent of the inventor or owner, Patent protection may still be obtained in Australia. Australia, fortunately, has a grace period in which to file a Patent Application should there be any unauthorised public disclosure of the invention. However, such a Patent Application must be filed within twelve (12) months of the unauthorised disclosure.
- In the event that a Patent Application is filed by a third party for an invention relating to the Confidential Information, entitlement Proceedings under section 36 of the Australian Patents Act 1990 may be filed. Under this section, a person who believes that they are entitled to any Patent rights resulting from the Patent Application filed by another person is entitled to change that Patent Application and claim ownership of it. If the Commissioner is satisfied that the invention has indeed been invented by the Applicant in section 36 Proceedings, the Patent Application may be assigned to that person. However, the Australian Patent Office has not yet had the opportunity to consider entitlement Proceedings in circumstances where disclosure of Confidential Information has occurred due to a cloud storage security breach, and the evidence required to satisfy the Commissioner may be difficult to obtain.
- A business can take precautionary steps by clearly dating and leaving documents as confidential, for instance by including the word “confidential” on top of each document, electronically password protecting the documents, and splitting any Confidential Information into separate documents, stored in different locations. This is to assist in establishing evidence for any equitable action for breach of confidence, should it be required in the future.
- If a cloud computing service provider must be used, it is a good idea to carry out due diligence on what security the cloud provider has in place, as well as assess the terms and conditions of any cloud provider before signing up for it, and entrusting Confidential Information to its care. While it is not always possible to negotiate contractual measures, it is worth assessing the risks of proceeding without certain privacy protections and liability undertakings being put in place. It goes without saying that any electronic files should be encrypted before being uploaded to any cloud storage service, and it is important to ensure that the cloud storage service encrypts files during transmission using an HTTPS connection, or secure link.
- Where the Confidential Information to be stored relates to personal information, it is worth bearing in mind that the collection of personal information is governed by the Privacy Act 1988, information collecting and reporting bodies must take substantial steps to protect the information given to them, and a complaint may be filed with the OAIC for any breach of APP obligations under this legislation.