Cloudy Data: The Emergence of “Bring Your Own Cloud”

By now, most of you are aware of the risks of corporate Bring Your Own Device (BYOD) programs. But have you considered BYOC? Bring Your Own Cloud refers to employees’ use of cloud technologies for corporate data and materials. BYOC is less a cost-saving convenience for companies than a side effect of emerging technology.

On July 19, Barry Dop and I will lead a MN Chapter of the Association of Corporate Counsel panel discussion with subject matter experts on BYOC risks and mitigation possibilities. “Cocktail Briefing: Bring Your Own Cloud to Work” will take place at 3:30 at the Millennium Hotel on Nicollet Mall. An informal gathering featuring cocktails and appetizers will follow the CLE, allowing participants and attendees to continue the conversation.

The panel will specifically address the emerging law on personal cloud use. Social media outlets such as Facebook work on a cloud storage for a range of data, from photographs to personal commentary. Social media-related cases often focus on individual use and deletion of information. For instance, in Allied Concrete Co. v. Lester, a wrongful death plaintiff and his attorney were heavily sanctioned for “cleaning up” the plaintiff’s Facebook profile to exclude photographs that did not sympathetically portray the plaintiff as a loving husband. See Allied Concrete Co. Lester, 285 Va. 295, 736 S.E.2d 699 (2013). Deletion of personal data in the social media cloud is now well-established as grounds for spoliation sanctions. See, e.g., Painter v. Atwood, 2014 WL 3611636 (D. Nev. 2014) (sexual assault plaintiff’s deletion of Facebook posts that might have indicated the parties’ relationship was consensual was done with a “culpable state of mind” supporting finding of prejudice); Gatto v. United Airlines, 2013 WL 1285285 (D.N.J. 2013) (airline defending against workplace injury claim was entitled to adverse instruction against plaintiff who deleted his Facebook account, which may have contained exculpatory photographs or other evidence).

But these foundational cases all involve personal data in a personal cloud—social media storage. What about situations in which individuals co-mingle their employers’ data with their own?

A 2015 federal court decision reveals the complexities of BYOC scenarios. In Selectica, Inc. v. Novatus, Inc., 2015 WL 1125051 (M.D. Fla. 2015), Selectica claimed that its former salespeople gave proprietary information to Novatus upon gaining employment there. One salesperson, Holt (not a party to the action), used a company-owned laptop while working at Selectica. The laptop was configured to back up files to Holt’s personal cloud account at Box.com. After he started work at Novatus, Holt offered his new employer Selectica’s information from the Box.com account, which a Novatus employee received but did not open. Upon Selectica’s suit, Holt deleted all Selectica files from his Box.com account. Selectica sought sanctions against Novatus for Holt’s spoliation. The court held that Novatus was under a duty to preserve relevant information, and that the files Holt deleted were relevant; however, while Holt’s actions were found to be in bad faith, the court ruled against spoliation sanctions on Novatus. While Novatus should have communicated the need to hold evidence to Holt, the fact that the company did not do so was, at worst, gross negligence. For sanctions, the court said, Novatus would have to have “acted willfully, purposefully, or otherwise in bad faith” with regard to the information Holt had on Box.com.

In Selectica, interestingly, Holt’s computer was set up to automatically send files to his personal Box.com account on Selectica’s recommendation. In PrimePay LLC v. Barnes, 2015 WL 2405702 (E.D. Mich. 2015), however, Barnes was a PrimePay employee who established a personal cloud account on his own initiative, and transferred corporate information to that account in contravention of PrimePay data use policies. PrimePay contended that Barnes transferred trade secrets and other valuable information with the intent to start a new competing business. The court granted PrimePay an injunction preventing Barnes from using the information or “destroying, erasing, or otherwise making unavailable for further proceedings in this matter, any records, telephonic records, or documents (including data or information maintained or stored in computer media)[.]” The court also ordered that Barnes must submit the cloud data to a forensic examination.

These cases show how “BYO” law evolves into an even more complex stage as technology changes. Please JOIN US to learn more about BYOC issues.


About the Author Chris

Author Avatar Christine Chalstrom is the Founder, CEO, and President of Shepherd Data Services, Trustee, Mitchell Hamline Law School and Adviser, Center for Law and Business. She has spoken widely on the Amendments to the Federal Rules of Civil Procedures, Digital Forensics, and eDiscovery best practices. Her credits include presentations to the American Bar Association, Association of Certified e-Discovery Specialists (ACEDS), Corporate Counsel Institute, MN Association of Corporate Counsel, MN Association of Litigation Support Professionals, MN CLE, Mitchell Hamline School of Law, Upper Midwest Employment Law Institute. She is an attorney, programmer, and forensic examiner.