Personal Clouds Can Cause a Storm of Security Problems

    Feb 24, 2016

    In an age where employees can “bring their own cloud” (BYOC) to the workplace, efforts to protect an organization’s proprietary information can be challenging.

    In a recent decision, PrimePay v. Barnes, the plaintiff filed a trade secret misappropriation suit against one of its former executives (Barnes) who had established a competing business. The plaintiff sought a preliminary injunction against the operation of Barnes’ business, arguing that he had taken confidential company information and stored it in Dropbox.

    The plaintiff argued that Barnes used the Dropbox-stored data to help start his new company and then destroyed the materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”

    However, the court rejected the plaintiff’s argument because Barnes’ Dropbox account fell under the company-approved BYOC policy:

    “Barnes created the Dropbox [account] … so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation, or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.”

    Dropbox was a company-approved BYOC provider. Considering factors that suggested Barnes did not access the Dropbox files after leaving his employment with PrimePay, the court found no evidence of trade secret misappropriation and did not issue a preliminary injunction against the operation of Barnes’ competing company. The court did, however, order the destruction of the plaintiff’s remaining confidential information that was stored on the Dropbox account.

    The decision highlights the importance of developing solid BYOC policies to secure proprietary information and protect other corporate interests. Policies that allow for the use of personal clouds should:

    • Clearly describe and define what data can or cannot be transferred to the cloud.
    • Include audit and enforcement mechanisms to gauge policy observance, and disciplinary measures for noncompliance.
    • Define the nature and extent of the company’s right to access, retain, and/or destroy data on a personal cloud for information governance purposes.
    • Delineate the organization’s right to disable a BYOC account either during or after employment.
    • Outline any employee privacy rights in the data stored in the cloud.

    Based on this trend, ARMA International recommends that all companies take another look at their privacy and RIM policies to ensure they keep pace with the changing trends in technology. Resources from ARMA that would help in the review and update process include the following:

    • Social Media/Mobile Device Policy Checklist - Job Aid
    • Mobile Communications and Records and Information Management (ARMA TR 20-2012)
    • Social Media Job Aid Bundle (includes: Business Processes for the Facebook Generation; Steps for Establishing Wiki & Blog Governance; Checklist - Internal Social Media Policy Development)
    • Policy Design for Managing Electronic Messages (ANSI/ARMA 19-2012)

    All of these resources are available for purchase through the ARMA International online store at


    © 2017, ARMA International