Register to receive a printed copy(For Lexis Practice Advisor® Subscribers Only)
Lexis Practice Advisor®Free Trial
Learn More AboutLexis Practice Advisor®
By: Eric M. Dobrusin, Kristen L. Pursley, and Daniel P. Aleksynas, The Dobrusin Law Firm.
A broad range of attorneys represent technology companies in some capacity, and therefore, potentially handle and store sensitive information related to patents or trade secrets.
FOR EXAMPLE, YOU MAY BE A PRODUCT LIABILITY attorney engaged in discovery about product redesign by a client. You may be a mergers and acquisition attorney conducting due diligence concerning assets of a technology company. You may be a corporate counsel engaged in drafting warranties for a product or a technology offered for sale by a client. You may be an environmental attorney seeking permits for a manufacturing plant. You may be a banking attorney negotiating a security agreement in technology of a client. For all of the above, and for attorneys in other disciplines as well, the likelihood that you will encounter issues involving confidential technical information affecting trade secrets or patent rights of a client continues to increase. Additionally, it is likely that you will be faced with handling sensitive privileged information affecting the enforcement of patent or trade secret rights. This article provides insights for counsel, such as those listed above, who represent technology companies and whose firms plan to migrate to the cloud.1
The list of ethical considerations you and your firm will face as you transition your practice to cloud computing continues to grow. The manner in which you handle client technical information and privileged information in the cloud may affect your clients’ patent and trade secret rights. In this era of cloud computing infancy, various ethics governing bodies have stepped in to urge caution in the handling of sensitive client information.
Cloud computing, often referred to as simply the cloud, is Internetbased computing in which large groups of remote servers are networked to allow sharing of data-processing tasks, centralized data storage, and online access to computer services or resources.2 Traditional data storage means involved the use of on-site servers. In using traditional storage methods, the location of data is always certain. Use of the cloud, however, means that the exact location of data is never certain.
This article looks at the trend toward cloud computing from the eyes of attorneys who represent technology clients in patent and trade secret matters. This article further hopes to provide guidance to those involved in commercial litigation and corporate practice by identifying where cloud-based data storage could present risks to sensitive trade secret and patent-related information that may be encountered during litigation or corporate work. Attorneys practicing in all disciplines are likely to encounter and be expected to handle various aspects of client confidential technical information in the course of rendering legal advice. It therefore may be prudent for any attorney representing clients in the technology sector to be aware of the issues that could arise when dealing with client technical information involving trade secret, patent, or attorney-client privilege considerations.
As a practical matter, precautions taken to protect against a data breach generally will likely not impact the patent and trade secret rights of your clients, especially if steps are taken to make clients aware of how and where their data is being stored. Plus, there are a number of provisions in the law to help mitigate consequences of a data breach. However, in the intellectual property field of practice, it can be argued that a sea change has occurred in the law, with the America Invents Act and a patent-active Supreme Court.3 As a result, there may be some uncertainty for technology companies based upon the new “first to file” provisions of the America Invents Act, among others. Thus, as attorneys move to the cloud, it may be worth keeping these patent and trade secret considerations in mind.4
Cloud computing has some potential pitfalls, but the pitfalls are analogous to those historically faced by counsel before the advent of the cloud. This article addresses:
Legions of articles have been written about the ethical obligations of attorneys who utilize cloud-based data storage. In general, the focal point of the analysis has centered on American Bar Association (ABA) Model Rule 1.1 which states: “A lawyer shall provide competent representation to a client. Competent representation requires the legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.” Particular attention has been paid to Comment 8, which requires attorneys “[t]o maintain the requisite knowledge and skill, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.”
Even more prevalent of late has been Model Rule 1.6 (c), stating that “[a] lawyer shall make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to the representation of a client.”
Since the advent of the computer age, the ethics governing bodies have been relatively liberal in conforming ethical obligations with changing technologies. For example, the ABA in 1999 (Formal Opinion No. 99-413) paved the way for attorneys to utilize e-mail correspondence while still maintaining compliance with ethical obligations. As with e-mail, the initial response of the ethics governing bodies is that there should be no bar forbidding cloud computing.5 Rather, opinions so far have been permissive, while expressing an expectation that attorneys approach the issue with a certain amount of prudence, by using “reasonable precautions”. Additional discussion on these reasonable precautions can be found in the Survey of Ethical Considerations set forth below.
As with the representation of any client, a data breach resulting from storage of privileged subject matter in the cloud may invite possible consequences affecting the attorney client privilege for technology clients.6 For such technology clients, at least in the patent area, the attorney-client privilege has historically served a unique role.
Section 284 of the Patent Act7 authorizes a U.S. District Court to award up to treble damages for certain patent infringement undertaken willfully. From the advent of the Court of Appeals for the Federal Circuit, it has been a common practice for an accused infringer to rely upon an advice of counsel defense to avoid the increased damages.8 This practice has evolved and moderated over the years, to a point where a party need not have secured an opinion of counsel to obviate the risk of increased damages.9
However, if a party relies upon advice of counsel, then the party must waive the privilege as to all communications surrounding the advice.10 In some instances, the risk of such waiver may be unpalatable to a party. For instance, the waiver may be sufficiently broad that it would disclose positions against the interest of a party or the proverbial smoking gun. Thus, a party may rely upon other factors to defend against a claim of increased damages.
It has become the law that no adverse inference can be drawn if a party is unwilling to waive the privilege and rely upon an advice of counsel defense.11 Though it is not mandated that clients obtain advice of counsel to avoid a risk of increased damages,12 many clients still observe this as a preferred practice and may depend upon preservation of confidentiality of counsel’s communications regarding his or her opinion. That is, though a client may invariably waive privilege in any event, many clients likely have a desire to choose if and when they will invoke the waiver.13
In addition to the above, the behavior of a party to patent litigation (patent owner or accused infringer) has become and will continue to grow as a focal point based upon recent Supreme Court decisions.14 In these cases, the Court liberalized the standards for fee shifting. Litigation conduct of a party is a relevant factor. Proofs regarding that conduct might require discovery of litigation strategies and other privileged communications stored by litigation counsel in the cloud.
From the above, some of the primary concerns that law firms may have pertain to the security of the privileged matter in the cloud and the potential for breaches. Additionally, law firms may want to consider the long term viability of its cloud service provider. The need for access to privileged matter and the full scope of potentially waived privileged information may not arise for many years after the communications are created and transmitted to the cloud (many patent risks may last for the duration of a patent—in many instances, 20 or more years). It may be important to ensure that the service provider will remain in business or that future access to the information is otherwise assured.
Another consideration that may arise when representing technology clients is the relative frequency with which confidential technical information is shared between client and attorney. Such information may be contained in any of a number of electronic documents (whether in draft form or final form) that clients share with counsel, and the relative sensitivity of the documents may not be immediately apparent to client or counsel. It is quite possible that the legal advice sought may not even be related to patenting. Indeed, as mentioned in the introduction, these documents may enter the cloud files of counsel in the course of drafting routine non-patent business filings. However, they may also be relate to shareholder reports, documents produced during discovery of a non-patent commercial litigation, environmental permits, land use considerations in real estate transactions, employee safety, product liability, regulatory approvals, securities, or other matters. The confidential technical information may be embodied in strategic plans, competitive analyses, test reports, intellectual property committee meeting minutes, formula sheets, process control sheets, and even more ordinary documents like invoices, shippers, and the like.
A relatively well-known consideration affecting protection of intellectual property of technology clients depends upon the transition of technical information from a confidential state to a publicly available state. Under the Uniform Trade Secrets Act, adopted in most states, a trade secret is defined as:
(4) “Trade secret” means information, including a formula, pattern, compilation, program, device, method, technique, or process, that:
(i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and
(ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.15
Similar language is employed in the newly adopted Defend Trade Secrets Act.16 As is apparent, upon losing its secrecy, a trade secret may cease to exist.17
Under patent law, in the United States and elsewhere around the world, a party may lose the right to patent upon public disclosure of technical information. Section 102(a) of the United States Patent Act states:
(a) Novelty; Prior Art.—A person shall be entitled to a patent unless—
(1) the claimed invention was patented, described in a printed publication, or in public use, on sale, or otherwise available to the public before the effective filing date of the claimed invention.18
As can be appreciated, a breach of security that results in public accessibility to confidential technical information can thus be seen as a risk with potential to jeopardize both trade secret and patent rights.19 Note that “public” is arguably broad enough to encompass any third party.20
Yet another consideration that might arise when representing a technology client relates to a law firm receiving data that is the subject of restrictions against export without an export license. Perhaps the two most prominent sources of restrictions of concern for U.S. firms arise from the International Traffic in Arms Regulations (ITAR)21 and the Export Administration Regulations (EAR).22 Also of potential relevance may be the restriction against filing abroad certain patent applications for U.S. inventions before obtaining a foreign filing license.23 To illustrate, the definition of technical data under ITAR is broad:
§120.10 Technical data.
(a) Technical data means, for purposes of this subchapter:
(1) Information, other than software as defined in §120.10(a)(4), which is required for the design, development, production, manufacture, assembly, operation, repair, testing, maintenance or modification of defense articles. This includes information in the form of blueprints, drawings, photographs, plans, instructions or documentation.
(4) Software (see §120.45(f)) directly related to defense articles.
In the most general sense, the U.S. technology and data export restrictions are structured to prevent dissemination of the restricted subject matter to foreign countries, as well as to foreign citizens, even those within the United States.24 In recognition of the growing trend of cloud computing,25 on June 3, 2016, updated rules for the EAR were published (effective September 1, 2016) with an eye towards “update[ing] and clarify[ing] application of controls to electronically transmitted and stored technology and software, including by way of cloud computing.” That same date, amended ITAR rules were also published.26 Among amendments in those rules was an amendment to 22 C.F.R. § 125.4(b)(9)(ii), in which security precautions are mandated to prevent unauthorized release of exported, re-exported, or retransferred technical data. The amended provision states:
Such security precautions may include encryption of the technical data; the use of secure network connections, such as virtual private networks; the use of passwords or other access restrictions on the electronic device or media on which the technical data is stored; and the use of firewalls and other network security measures to prevent unauthorized access.
As can be seen, law firms that represent technology clients may encounter technology or technical data subject to export restrictions. To the extent such firms engage in cloud computing, they may have obligations to assure that any cloud computing servers employed are located within the United States, are secure from access by foreign persons, and employ one or more access restrictions (e.g., encryption, passwords, firewalls, etc.).
As discussed above, as more and more law firms move from storing data on servers that are located within the law firm to storing data in the cloud, ethics committees around the country have rendered opinions and have provided attorneys with recommendations. Provided below are a few such illustrative recommendations. While there are a plethora of differing suggestions, as will be seen, the general themes and requirements so far tend to be fairly consistent. The following table provides some of the factors attorneys may want to consider when choosing a vendor and implementing their cloud computing. As will be seen, so much of whether counsel is in compliance will depend upon reasonableness.27
Given the potential pitfalls identified above and the guidelines that have been enumerated by ethics governing bodies, there are a few steps that an attorney or law firm may take in an effort to more safely navigate the storage options for client information:
1. As seen from the discussion on attorney-client privilege, at least in the context of patent situations, the consequences of an unintended disclosure potentially may be obviated, or there may be no consequence at all if the privilege is to be waived. However, to preserve the choice of if or when to waive for the client, opinions of counsel can be stored in a segregated location within the cloud or even in a local storage location that is not shared with other client information and possibly in a location not accessible via the Internet. For some situations, such opinions may also be the subject of additional precautions (e.g., password protection of a file, encrypted email communication, or otherwise).
2. It may prove valuable to investigate the ability to retrieve documents from the cloud at a subsequent date. As attorneys of technology clients are no doubt aware, many years may pass before a client document must be accessed. In the patent and trade secret context, needs for accessing data may not arise until many years after an opinion is rendered. It is therefore important to know where your data will be if your service provider ceases to exist.
3. It may be worth exploring with a provider the identity of the provider’s employees to which your data may be exposed. It may be important to ensure they are U.S. citizens for technology export purposes. It may also help assure you that the provider is sensitive about its customers’ security concerns and that the provider will take measures to prevent a rogue employee from accessing and disseminating data.
4. It may prove helpful to communicate with technology clients about the sensitivity of the client’s data and remind the client to be proactive to inform you when sensitive technical information is to be provided. Affording the client an active role to participate in the decisions regarding the destiny of the data may allow you to identify opportunities for clients to select alternative storage if they have concerns.
5. It is possible that your data storage service provider contracts with additional facilities for space. It may be useful to understand what obligations (if any) these facilities have for maintaining the security of your client data.
6. It may be worth exploring if data storage providers include any contract language that claims ownership of some or all data stored on its servers or access to such data (such as for analytics use).
7. It may be worth exploring the possible ongoing maintenance of on premises data storage, which may have only limited or no access to the Internet, or the possibility of local storage of a backup of your cloud-based files. The move to cloud computing does not necessarily mean that attorneys must immediately abandon local storage media.
As the article describes, in the course of migrating to cloud computing, attorneys who represent technology clients may encounter conventional concerns for data security, as well as some potential concerns unique to patents and trade secrets of the technology clients. Notwithstanding the concerns, the way is being paved for these attorneys to employ cloud computing. After all, many such concerns also existed before the computer age, but were deemed acceptable risks (e.g., it was a standard practice to use conventional postal services for many communications and store documents in third party off-site facilities). Ethics opinions of various governing bodies have supported cloud computing for attorney use when reasonable precautions are employed. In the context of representing technology clients, additional sensitivity to issues of attorney-client privilege and the consequences of public dissemination of confidential technical information may encourage these attorneys to adopt appropriate safeguards for that information. Though a data breach remains a relatively low frequency occurrence (e.g., as compared with instances of conventional viruses and malware), exercise of at least some of the reasonable precautions identified in this article will hopefully mitigate the potential severity of a breach.
Eric M. Dobrusin , Kristen L. Pursley, and Daniel P. Aleksynas are shareholders in The Dobrusin Law Firm, PC, Pontiac, Michigan, where they concentrate their practice in Intellectual Property Law. They are coauthors of Intellectual Property Culture: Strategy and Compliance (Matthew Bender 2015 Ed.). Bryan Lemanski provided research and support for this article.
RESEARCH PATH: Intellectual Property & Technology> Software Information Technology > Cloud Computing >Articles > Cloud Computing in General
For an examination of cloud computing arrangements, see
> INITIAL CONSIDERATIONS IN CLOUD COMPUTING AGREEMENTS
RESEARCH PATH: Intellectual Property & Technology > Software & Information Technology > Cloud Computing > Practice Notes > Cloud Computing
For information on securely protecting data when working with cloud computing vendors, see
> DRAFTING AND NEGOTIATING EFFECTIVE CLOUDCOMPUTING AGREEMENTS
For an explanation on the fundamentals of patent law, see
> PATENT FUNDAMENTALS
RESEARCH PATH: Intellectual Property & Technology > Types of IP Protection > Patent Basics > Practice Notes > Patent Basics
For an overview on trade secrets, see
> TRADE SECRET FUNDAMENTALS
RESEARCH PATH: Intellectual Property & Technology > Types of IP Protection > Trade Secret Basics > Practice Notes > Trade Secret Basics
1. For purposes of this article, technology clients include any client that engages in manufacturing, research and development, new product development, or any other technology related practice. 2. http://www.dictionary.com/browse/cloud--computing (accessed August 3, 2016). 3. Further, with Inter Partes Reviews and Post Grant Reviews on the rise, it is possible that a Petitioner may argue “public use” or “publication” on the basis of a data breach. 4. In July 2016, Consero Group published an article entitled “Global IP Management Data Survey Facts & Analysis” in which in-house Chief IP counsel from fortune 1000 corporations were polled. On page 8, the article discusses cybersecurity and threats to intellectual property where “two-thirds of respondents do not believe their company is protected from cybersecurity threats to its intellectual property.” 5. Technology is a constantly evolving ball of clay such that the standards of yesterday may have changed today and the standards of today may change tomorrow, but periodically lawyers should look at their systems and the standards to keep up with the changes in technology. 6. Generally, technology clients are sophisticated and may have confidentiality requirements imposed on them (e.g., a defense contractor), and these clients may independently request a level of security on their data. However, lawyers may consider consulting these clients with regards to their data so that the client retains some responsibility for the storage of their information. 7. 35 U.S.C. § 284. 8. Underwater Devices Inc. v. Morrison-Knudsen Co., Inc., 717 F.2d 1380 (Fed. Cir. 1983). 9. 35 U.S.C. § 298 (“The failure of an infringer to obtain the advice of counsel with respect to any allegedly infringed patent, or the failure of the infringer to present such advice to the court or jury, may not be used to prove that the accused infringer willfully infringed the patent or that the infringer intended to induce infringement of the patent.”). 10. In re Echo Star Commc’ns Corp., 448 F.3d 1294, 1299 (Fed. Cir. 2006). 11. See 35 U.S.C. § 298 and Knorr-Bremse Systeme Fuer Nutzfahrzeuge GMBH v. Dana Corp., 383 F.3d 1337, 1344–45 (Fed. Cir. 2004). 12. Most recently, the Supreme Court has sought to clarify the standards upon which a District Court may make a determination of increased damages. In the case of Halo Electronics v. Pulse Electronics, Inc., the Court held that “[district] courts should continue to take into account the particular circumstances of each case in deciding whether to award damages and, in what amount,” and that “such punishment should generally be reserved for egregious cases typified by willful misconduct.” Halo Elecs. v. Pulse Elecs., Inc., 136 S. Ct. 1923, 1933–43 (2016). 13. Depending upon the circumstances, ethical obligations may dictate mitigation of potential consequences when adverse counsel receives privileged information resulting from a data breach. American Bar Association Model Rule 4.4(b) states: “(b) A lawyer who receives a document or electronically stored information relating to the representation of the lawyer’s client and knows or reasonably should know that the document or electronically stored information was inadvertently sent shall promptly notify the sender.” 14. Highmark Inc. v. Allcare Health Mgmt. Sys., Inc., 134 S. Ct. 1744 (2014) and Octane Fitness, LLC v. ICON Health & Fitness, Inc., 134 S. Ct. 1749 (2014). 15. Uniform Trade Secrets Act with 1985 Amendments (emphasis added). 16. Under the Defend Trade Secrets Act of 2016, “the term ‘trade secret’ means all forms and types of financial business, scientific, technical, economic, or engineering information, including patterns, plans, compilations, program devices, formulas, designs, prototypes, methods, techniques, processes, procedures, programs, or codes, whether tangible or intangible, and whether or how stored, compiled, or memorialized physically, electronically, graphically, photographically, or in writing if the owner thereof has taken reasonable measured to keep such information secret”. 18 U.S.C. § 1839(3)(A). 17. Once a trade secret has been publicly disclosed, a quarantine that restricts its further dissemination and use may be possible, particularly with the aid of a court and injunctive relief. However, such a process can be difficult, require expensive resources, and take valuable time during which the risk of further dissemination may remain. 18. 35 U.S.C. § 102(a)(1). 19. The patent rights, in the event of a breach, may be salvageable under 35 U.S.C. § 102(B)(1). 20. It is possible that, even in the event of a breach causing an item to no longer be confidential, the item can be isolated and dissemination curtailed before it becomes a “public use” or “printed publication” that is sufficiently publicly accessible to jeopardize patent rights. See generally, SRI International Inc. v. Internet Security Systems Inc., 511 F.3d 1186 (Fed. Cir. 2008). 21. 22 C.F.R. § 120 et seq. 22. 15 C.F.R. § 730 et seq. Note: § 734.10 excludes certain patent information from EAR. 23. See generally, 35 U.S.C. § 181 et seq. 24. See United States v. Lachman, 387 F.3d 42, 44 (1st Cir. 2004). The EAA is designed ‘to restrict the export of goods and technology which would make a significant contribution to the military potential of any other country…[and] which would prove detrimental to the national security of the United States.” 25. 81 Fed. Reg. 107 at 35586. 26. 81 Fed. Reg. 107 at 35611. 27. Because the technology remains very new, and there are relatively few precedential scenarios to guide conduct, it is simply not possible at present to define a standard with any certainty. The accompanying summary, therefore, must be regarded as merely a compilation without expressing any opinion as to the applicability of the consideration to a particular fact scenario at hand.