Cloud computing has brought many benefits to today's modern hybrid work economy, such as allowing employees to work anytime, anywhere, seamlessly switch between home and office, and collaborate more efficiently with colleagues and partners. Enterprises, especially Silicon Valley technology companies, are increasingly choosing to utilize cloud solutions such as Google Workspace (Gmail, Drive, Sheets, etc.), Microsoft M365, or Apple iWork with iCloud for information management. These solutions enable employees to access and edit documents across devices, and save document copies locally for offline use. However, cloud document management also comes with a series of unique risks.

As a trade secret litigation lawyer and evidence expert, I have witnessed firsthand how the expansion of cloud computing brings new challenges to companies seeking trade secret protection, while also creating new opportunities for illegal employees attempting to steal trade secrets. In recent cases, confidential information has been widely disseminated through cloud systems (sometimes intentionally, sometimes unintentionally), leading to costly and often confusing lawsuits. How did this situation occur? What does this mean for dealing with today's trade secret disputes? What are the best practices that companies can adopt to reduce risks?

Flowing trade secrets

In the 1990s, trade secret theft typically manifested as carrying paper documents out or copying files onto floppy disks CD-ROM。 At the beginning of the 21st century, there were numerous cases of employees sending messages through private email or using USB drives. Although these patterns still exist, stealing information through the cloud has become a new battlefield.

Unlike twenty years ago, most companies today (especially those with technology at their core) have implemented at least a Bring Your Own Device (BYOD) policy for mobile devices. The BYOD policy allows employees to use privately owned devices such as mobile phones or computers for daily work. Combined with cloud computing, this means that employees can access sensitive company emails and documents stored in OneDrive, SharePoint, iCloud, or Google Drive through their private devices, making it exceptionally easy to save copies locally, further spread and share, or copy confidential information to individual controlled independent accounts.

The theft mechanism may be quite simple. For example, we repeatedly see a scenario where an employee logs into the company's Google Drive, extends sharing permissions to their personal Google account, downloads confidential documents to that personal account, and immediately revokes sharing permissions to cover up any traces. Cloud storage systems also allow local downloads, creating replicas on local devices. This type of sharing and downloading record may be captured by the company's logging system, but often it is too late to discover.

More complexly, BYOD practices make it difficult to trace clues of potential theft behavior. When an employee who uses a personal smartphone to work leaves, her device also leaves. Unless through litigation, former employers are usually unable to retrieve equipment or obtain evidence from it.

When companies allow employees to use their own laptops, or when company issued Mac computers are authenticated and bound to employees' personal Apple IDs and iCloud accounts, the problem becomes even more tricky. The latter scenario allows employees who engage in misconduct to easily transfer company confidential documents to their personal iCloud accounts, which are typically quickly synchronized to all other Apple devices associated with that Apple ID (such as home computers, home shared computers, tablets, and even Apple TV).