Trade Secrets and Cloud Services: Is the Sky the Limit?

Germany is not only known as one of the best countries for enjoying beer and bratwurst, but it is also known as a country with some of the strictest data privacy laws on the planet. Within this environment, should companies doing business in Germany even consider using cloud services for trade secrets? They should!

Because of the increased risks of hacking, ensuring IT security is becoming more and more challenging. Small to medium-sized companies in particular are finding it increasingly difficult to keep their IT security up-to-date. However, if companies do choose to use cloud services, they should carefully review the service provider contracts and technical and organizational security offered to avoid losing legal protection for their trade secrets.

What are trade secrets and how are they protected?

Trade secrets in Germany aren’t protected by a specific law; in fact, trade secrets in Germany do not necessarily enjoy protection as intellectual property. Instead, they enjoy protection through a variety of different civil and criminal laws against misuse.

Facts, circumstances, and processes qualify as trade secrets

  • if they are related to a particular business;
  • if they are known only to a limited group of people (and are therefore not public or easily accessible by the public); and
  • if the business has an apparent will and legitimate interest in keeping the information secret.

What are the major risks when storing/processing trade secrets in the cloud?

The above definition of trade secrets makes it challenging to store or process trade secrets in a cloud. A company risks losing trade secret protection when making such secrets accessible to an unknown number of people, for example when access to the trade secrets in the cloud isn’t sufficiently limited.

How can those risks be averted?

A few rules of thumb make it more likely that a company using cloud technology can maintain its trade secrets. For example,

  • Companies must ensure they know who they are giving their data to and that the data is secure.
  • They need to thoroughly check the provider’s IT security (e.g., ask for third-party audit certifications on current state of the art IT security and emergency management procedures). In particular, access management must be carefully reviewed.
  • The service provider must make clear contractual commitments that no customer data will be comingled with other customer data.
  • Companies should try to limit the jurisdictions in which the servers are located and the number of sub-processors. Doing so enhances oversight and potential legal redress in case of breach of contract.
  • They should use sufficient contractual and technical measures, including by clearly outlining confidentiality obligations, substantial liabilities for comingling data, encryption at the time of transit and at rest, and an effective and irreversible data deletion mechanism used by the cloud service provider.

To sum it up: Storing and processing trade secrets in a cloud in Germany is certainly a tricky undertaking since it always entails the risk that cyber-attacks or data theft lead to the disclosure of trade secrets. To prevent this, it is crucial to that a company choose its cloud provider wisely, implement appropriate contractual and technical measures, and encrypt its trade secrets to ensure their confidentiality.