Protecting Your IP in the Cloud Violet A. French LEXPERT Cloud Computing Conference 2013 November 28, 2013
Topics: Patent and copyright issues for service providers. Intellectual property issues for users of cloud services: Trade Secrets. How to minimize the risk of losing Trade Secret rights, including selectivity in information upload and what to do when leaving the Cloud. Dangers associated with uploading confidential information to the Cloud (security risks, inadvertent disclosures, loss of control). International jurisdiction issues: Where is the information? What rules apply?
Cloud Computing: What does it look like? Source: D Young & Co Intellectual Property, UK.
1. Patents and Copyright In the Cloud. The legal landscape is still evolving – there is little guidance beyond commentaries as to how the courts or the legislatures will deal with some of the unique legal issues presented by Cloud computing. Unique new patents for cloud services are on the rise. They include: Apple's Cloud-based Media Playback Technology Patent – cloud-syncing technology allows users to pause music or video on one device and then continue playing it on another. Application has been filed in the U.S. in Amazon 1-Click Patent – the ability to purchase an item with only one click has been patented in the U.S. as a business method patent. Business method patent affirmed by the Canadian Federal Court of Appeal in Amazon.com, Inc. v. Canada (Commissioner of Patents) for the Amazon 1-click: a novel business method can be an essential element of a valid patent claim. 1-click patent denied in Europe, signaling a sharp divide over different jurisdictions' approaches to the business method patent – national patent laws will be stress tested in this process because of the multinational nature of Cloud computing. Practically speaking, Amazon can license its patent to other entities in some jurisdictions (e.g. to Apple, in the U.S.) and can't in other jurisdictions.
Copyright in the Cloud As of November 7, 2012, pursuant to an Order in Council, many provisions of the Copyright Modernization Act, SC 2012, c 20, came into force. There is an overarching emphasis on technological neutrality. Often the law is playing catch-up – technological neutrality is a way of emphasizing the function of new technology, over its ever-changing form. In the summer of 2012, five copyright decisions were issued by the Supreme Court of Canada. They are referred to as the Copyright Pentalogy, or sometimes The Fivefecta. Photo source: UOttawa
ESAC v. SOCAN. Source: IPOsgoode. Entertainment Software Association of Canada v. SOCAN, one of the Pentalogy decisions, applies technological neutrality principles. SOCAN attempted to enforce an additional tariff on the download of a video game, versus an in-store purchase – it claimed the download was a communication to the public for purposes of the Copyright Act. The SCC rejected this argument, saying that it makes little sense to distinguish between two ways of selling the same work – what does it matter which technological taxi brings it to the user.
Oracle v. Google. A June, 2012 decision of U.S. District Judge William Alsup of the Northern District of California dismissed Oracle's/Java's claim for copyright infringement against Google. The claim related to Google's alleged copying of 37 application programming interface (API) packages. Interestingly, Judge Alsup is himself a coder and programmer: copyright law does not confer ownership over any and all ways to implement a function or specification of any and all methods used in the Java API.
Copyright Questions – The Forecast Cloud computing raises some law school exam type questions as it relates to copyright: Is the Cloud itself capable of being the subject matter of copyright? Is there copyright in the software applications, data and other works that might be created in the Cloud context? If yes, then who owns those copyrights? What about the contents or components of the Cloud? Is a virtual application even capable of copyright protection because it is (or is not) fixed in a material form, which is one of the requirements under the Copyright Act? What if an application is stored in many pieces across the cloud, can that be fixed for the purposes of copyright?
The Cost of Copyright Uncertainty. A study released in June, 2012 by Harvard Business School Professor Josh Lerner looked at the impact of European copyright law decisions on venture capital investment. And we see the evidence in Professor Lerner's analysis – where there were uncertain or adverse copyright rulings that impacted Cloud Providers, there was a commensurate drop in venture capital investment in cloud computing firms. Professor Lerner found that copyright rulings in Germany and France that impacted Cloud Providers led to an average reduction in venture capital investment in French and German Cloud computing firms of $4.6 and $2.8 million per quarter, respectively. Uncertainty and lack of uniformity in copyright law means risk for providers, investors and companies using Cloud computing. Conversely, in an earlier study conducted in 2011, Professor Lerner studied the impact of the Cablevision decision, which was seen as clearing up cloud computing and copyright-related ambiguities. Professor Lerner concluded that the decision itself led to additional incremental investment in U.S. Cloud Computing firms – a total of $1.3 billion up from $728 million in a two and a half year period.
Copyright in the Cloud – Storm Clouds or Fluffy Nothings? No Canadian cases involving Cloud computing and IP rights to date. If third party software code is delivered to a user through a Cloud Provider, it is likely that a copy has been made, which means a license from the third party is required to mitigate against a claim of infringement under Section 3(1)(a) of the Copyright Act. However, if the user is simply accessing the software functionality and processing capability through the Cloud, it is more like an outsourced service and a third party software license may not be required. A number of commentators see similarities in analysis between IT virtualization and Cloud computing – both involve copying to a varying degree and the concept of fixation. If the data relating to a work is split up and stored in multiple locations in the Cloud, is the work fixed in a material form such that the creators can claim Copyright Act protection? And keep in mind jurisdictional issues – if the work exists in pieces in multiple jurisdictions, where ought the claim for infringement to be brought? Are the laws around infringement the same in each jurisdiction? As we have seen in the varying international treatment of patent applications, new technology sharply divides law as it relates to IP across different jurisdictions.
Patents in the Cloud. The Cloud may pose problems for claims of infringement. If a competitor is using a Cloud service, it may not be perfectly clear where the infringement of a patent is taking place. The patent holder may hold a patent in Canada and the US, but if the competitor's allegedly infringing acts take place in the Cloud located in Europe, will the patent owner be able to show infringement? Use of the Cloud can pose evidentiary hurdles for patent owners looking to make claims of infringement. The patent owner may not be able to access the technical information needed to make out a claim for infringement. The very nature of the Cloud – abstracted and dynamic – is at odds with the requirement for concrete and objective evidence needed to sustain an infringement claim.
Patents in the Cloud. The scattered nature of the Cloud makes it possible that infringement may be divided amongst many jurisdictions and across different Cloud Providers such that there isn't one clear infringer. Different parties are responsible for different aspects of a system that may infringe. The result is that there may not be a single party that can be shown to have infringed all of the elements of a patented invention. Instead, there is Divided Infringement, which poses enforcement problems for the patent owner.
Patents for the Cloud. We've just passed the second year anniversary of the Canadian Federal Court of Appeal's decision in Amazon.com, Inc. v. Canada (Commissioner of Patents), where the Court held that a novel business method can be an essential element of a valid patent claim. Are we at the start of a patent frenzy for Cloud computing patents? National patent laws will be stress tested in this process because of the multinational nature of Cloud computing. Example of patents in Cloud computing - in 2011, Apple filed for a patent that uses Cloud syncing to let Apple users pause a song or video on one device and then resume it from that same place on another device. The Canadian Patent Office has issued two practice notes directed at computer-implemented inventions. There have been six decisions of the Canadian Patent Appeal Board in 2013 relating to computer-implemented inventions and the PAB held that in 4 of the 6 cases, the claimed inventions were patentable.
Trade Secrets – What Are They? A trade secret is any information (agnostic as to what it is: formula, pattern, compilation, program, device, process, code, data, method or technique) that: is valuable as a result of not being generally known to either the public or those who can profit from its disclosure or use; and has been kept secret or confidential by the holder – i.e. the holder has made reasonable efforts to maintain the alleged trade secret as secret or confidential. In a battle to enforce a trade secret, the courts will invariably focus on whether the measures the company implemented to protect its information are reasonable and sufficient under the circumstances to warrant the court's intervention to protect the trade secret.
Trade Secrets – The Legal Basis for Protection. A good framework to analyze trade secrets is to think about trade secrets not as property but as a thing that the law permits the Holder to control. At common law, there are five main grounds for the holder of a trade secret to seek relief: 1. breach of contract (express or implied provision); 2. breach of confidence; 3. breach of fiduciary duty; 4. unjust enrichment; and 5. wrongful interference with contractual relations of others. The Supreme Court of Canada has affirmed that all these types of actions coexist and can be the subject of court protection. (See Cadbury Schweppes Inc. v. FBI Foods Ltd.,  1 S.C.R. 142 [Cadbury Schweppes])
What Qualifies – Must It Be New, Inventive, Novel? In Cadbury Schweppes, the Supreme Court of Canada held that there is a fairly low threshold of proof required to qualify as a trade secret. The case involved the recipe for Clamato Juice: "In the present case, the trial judge found, and the Court of Appeal agreed, that the Clamato formula and related processes, insofar as they had been disclosed to the appellants, constituted a unique combination of elements, notwithstanding that some or all of the constituent elements were themselves widely known within the juice industry." [emphasis added] A unique combination of elements may be protectable even if the individual elements themselves are widely known. In Seager v. Copydex Ltd.,  1 W.L.R. 923 (C.A.) at 936, the Court held that a germ of an idea, as opposed to the actual embodiment, may be protectable as a trade secret where the recipient uses it as a springboard for the recipient's own use.
Examples of Trade Secrets. Data compilations - customer lists, supplier lists, client relationship databases. Instructional manuals – training manuals, operational manuals, system manuals. Formula and recipes for producing a product – secret recipes (Clamato, Coca-Cola, Barberian's Steak Spices). Specific process or technique. Business plans; marketing plans; financial plans and forecasts. Systems/instructions for manufacturing. Personnel and employment records. Research and development plans and engineering notebooks. Source code and computer programs. Pricing and costing information.
Protecting Trade Secrets; Preserving Confidentiality. Many US jurisdictions have statutory protection for trade secrets. Ontario protects trade secrets as part of the common law. Canadian trade secret law arises from the English law concept that trade secrets are protectable due to the confidential nature of the information in question. An advantage of a trade secret is that it can remain protected indefinitely. Since it is protected by common law, the protection is not reliant on a statute. The risk with trade secrets is that public or inadvertent disclosure of the trade secret may mean that the owner loses the protection given by law. Trade secrets are a significant source of competitive advantage to most companies. The owner protects its trade secrets by marking "Confidential" on documents; limiting access; locking cabinets; using locked or encrypted files. The key is that the trade secret must be kept out of the hands of competitors (i.e. out of the public domain) to maintain its competitive value and advantage.
The Cloud and Trade Secrets. The main risk that strikes fear in the heart of the holder of a trade secret is that the trade secret is made public, either deliberately or accidentally. In the olden days, the secret recipe was physically kept in the vault and only shared with a few key people who worked in the same company for life. Today, with global operations, mobility of employees and mobility of electronic information, many company trade secrets cannot be kept in the vault - access is needed to maintain and enhance productivity and competitive advantage. In a Cloud computing environment, the trade secret is physically available outside the company's business. The holder is forced to rely on the third party Cloud Provider to maintain the key element of confidentiality.
Private Versus Public Cloud – Is There a Difference? Question – are trade secrets stored in the Cloud still protectable as trade secrets or have they lost the essential element of secrecy or confidentiality? A trade secret stored in a Community Cloud with no password protection is problematic – the fact that anyone can access the trade secret shows that the holder doesn't care about confidentiality, and therefore why should the courts? Where a Public Cloud (e.g. Google Drive, Dropbox) is protected by a password, this may constitute reasonable steps taken to protect information, provided the password is kept secret. Private Cloud – may imply more protection for a trade secret. However, there are safeguards that need to be put in place and the Holder has to act reasonably to be able to avail itself of the protection of the courts to enforce the confidentiality of a trade secret stored with a Private Cloud Provider.
How to Safeguard Trade Secrets in the Cloud. As the real estate agent says, "location, location, location", or in this case "diligence, diligence, diligence". Take the time to question and consider every aspect of the Cloud Provider's process: Who is going to hold your trade secrets? (Find out if there are sub-Cloud Providers.) When will third parties have access to your data - is there any public access? Where will your trade secrets be held – location of servers; sub-contractors (if any)? What measures or safeguards are in place to protect against inadvertent or intentional disclosure? How will your employees be accessing the cloud, with which devices and using which applications?
3. International jurisdiction. Where is the information? What rules apply? Cloud Providers are not always clear on exactly which of their data centres will be hosting a company's data. It is often the case that data will be hosted in multiple centres, in different locations. In terms of due diligence, it is critical that companies considering Cloud Providers ask for and receive clear information about where the servers are located. The distributed method of Cloud computing poses challenges for companies. To be competitive and offer the types of services demanded by users, Cloud Providers will store data in multiple locations – which leads to the important questions of who has jurisdiction over the data and what country's laws will apply to it. There is an ever-present worry that using Cloud Providers located in the US puts Canadian data under the purview of the US Patriot Act, as discussed earlier. Recent focus on the Five Eyes suggests a common approach to access issues.
[Chart: % of respondents stating barrier is restricting (very/completely) Cloud adoption. Source: IDC Final Report, 13 July 2012]
International Jurisdiction – cont'd. Do not make the mistake of thinking that a choice of law clause in the Cloud Provider agreement will address all the jurisdictional issues that might arise. Such clauses are limited in effect to the parties to the agreement itself – and even then, courts may not uphold the parties' express choice of law clause. Remember that local laws will still apply for tort claims, intellectual property matters, consumer protection laws and other matters that the local country may regulate, including privacy. Your choice of law clause will not exempt you from the application of these local laws. There are no easy answers – the location of the server is not dispositive of the issue of jurisdiction. The rules for determining jurisdiction vary from country to country and even within a country, there will be different local state or provincial jurisdictional approaches. There is not one body of law that determines jurisdiction for all purposes – it varies based on the substantive law involved and the territory/nationality of the dispute.
International Jurisdiction – cont'd. If there is alleged infringement and the infringing content is stored on a server in another country, can it be accessed for the purposes of discovery? Again, the law is being developed in this area and there are no copyright cases directly on point; however, the accessibility of information comes up in relation to tax law. In eBay Canada Ltd. v. Canada, information stored on international servers was found to be available for the purpose of assessments. This could be applied to infringement jurisdiction issues – something to consider both for the protection of intellectual property and in assessing any exposure to liability for data stored abroad.
International Jurisdiction – cont'd. In general, the courts will take jurisdiction over a dispute if there is a real and substantial connection between the jurisdiction and the matters at issue or the parties involved. As it relates to the Cloud, what this means is that even if the information is stored in the Cloud in one country, to the extent that a consumer accesses the services in another country, the courts in that country could well claim jurisdiction based on where the services are consumed. Large Cloud Providers have data centres all over the world and it may be difficult to ensure that your data is being kept in a centre within your home jurisdiction. Clearly, jurisdiction is important and will continue to be important.
Key Questions To Ask Prior to Using a Cloud Provider. What certifications and security measures are in place? Document these. You will want to be able to show you took adequate steps to secure and maintain the confidentiality of all information if there is a leak or disclosure. Ask about past history and past performance. Have there been inadvertent or deliberate disclosures with other customers? Previous lawsuits for theft, breaches or improper use? How has the potential Cloud Provider dealt with past breaches? Speak to their customers! Have the potential Cloud Provider's services ever been hacked? Is the potential Cloud Provider also a competitor? Perhaps consider another Provider. Is the potential Cloud Provider a supplier to your competitors? There is a risk of commingling. Will there be sub-contracts with other Cloud Providers, such as peak demand or back-up sites? Conduct the same due diligence on all potential sub-contractors that the Cloud Provider may use. If there could be future sub-contractors, insist on due diligence and pre-approval rights for any potential new sub-contractor.
Key Contractual Provisions to Safeguard Trade Secrets. Expansive confidentiality language – one or two sentences is not enough. This is not boilerplate. Be thoughtful and use fulsome language both to adequately address the legal obligation of the Cloud Provider and to evidence the company's intention to maintain the confidentiality of its trade secrets. Indemnity - beware of overall caps on liability. A low cap may show that the Company doesn't value its own trade secrets if it is willing to accept a low dollar cap on breaches of trade secrets. Indemnity – investigate the credit-worthiness of your Cloud Provider. The best drafted indemnity is worthless if the Cloud Provider is not financially viable. Try to negotiate for a substantially higher cap or no cap for improper disclosure of trade secrets. Insurance – is there any insurance available to increase the protection, and at what cost? Minimum Service/Security Standards: be specific – cover off security, disaster recovery, access, encryption. Take the time up front to map out what is needed to protect trade secrets.
Key Contractual Terms… cont'd. Include some type of planning and co-operation/reporting obligations if there is an unauthorized disclosure. Incentives for compliance – financial/credits. Negative incentives for breaches – perhaps a reason to avoid private arbitration of disputes. Incentive for the Cloud Provider to work with the company rather than face a public court dispute. Rights to audit and inspect in favour of the company. Obligation on the Cloud Provider to upgrade security and safeguards as new technologies emerge.
Key Contractual Terms… cont'd. Ensure the Cloud Provider shares any audits or inspections done by the Cloud Provider or its auditors or consultants. Explicit Duty of Confidentiality – ensure that the Cloud Provider has to give the company plenty of notice if there is a court order of disclosure. This gives the company time to seek a protective order. The Cloud Provider should not be able to withhold performance or restrict access to the company's information if there is a dispute – decouple a contractual dispute from the underlying information being stored or processed – it can't be used as a pawn or bargaining chip. Deal with ownership of IP explicitly in the Cloud Agreement. Confirmation as to who owns what and how work product/data is to be owned.
Key Contractual Terms… cont'd. Pay attention to transition provisions on expiration or termination of the relationship (planned and unplanned). What happens to data – no copies; maintain security during any transition. Be careful about archived copies of trade secrets. Ensure the confidentiality obligation survives the termination or expiration of the agreement. Certification to verify that all information has been wiped from the Cloud.
Key Contractual Terms… cont'd. Pre-approval rights if there could be future subcontractors. Understand the technical details of how the cloud vendor processes, transmits, stores, and destroys customer data. Customer data should be segregated. Data should be encrypted using NIST-approved encryption methods. Physical location of the data storage should be disclosed. Robust data destruction policies should be in place. How the courts will address whether information stored in the cloud loses its trade secret status has yet to be determined. However, by addressing the issues above, a company will at least be in a better position, should it find itself trying to convince a judge that it took reasonable steps to maintain the secrecy of its trade secret stored in the cloud.
Dangers associated with uploading confidential information to the Cloud (security risks, inadvertent disclosures, loss of control). Remember that in February, 2012 the Office of the Superintendent of Financial Institutions (OSFI) issued a memorandum to remind federally regulated financial institutions that OSFI's March 2009 Guideline B-10 – Outsourcing of Business Activities, Functions and Processes applies to Cloud Providers. Guideline B-10 focuses on the following concerns: (i) confidentiality, security and separation of property; (ii) contingency planning; (iii) location of records; (iv) access and audit rights; (v) subcontracting; and (vi) monitoring the material outsourcing arrangements. This is a useful checklist for any company considering using Cloud Computing services.
Torkin Manes LLP 151 Yonge Street, Suite 1500 Toronto, ON M5C 2W7 Violet A. French Questions? Thank you!