Consider a medical-device company that stores trade secrets — its source code, pricing data, and product development files — on a cloud platform. Employees, outside consultants, and AI-enabled tools may access that information remotely. To protect its proprietary information, the company uses passwords, user restrictions, NDAs, and vendor agreements to limit access. The company thinks it has everyone covered.

Except, not everyone. Behind the virtualization provided by the cloud, information is transmitted and stored on physical servers. But the company does not know where those servers are or who operates them. This poses a problem: Under the Federal Defend Trade Secrets Act (“DTSA”), information qualifies as a trade secret only if “reasonable measures” have been taken to ensure secrecy. As cloud storage and computing have become dominant, this raises two questions: When your trade secrets exist in someone else’s data center, what “reasonable measures” are needed to keep them secret — and whose measures count?

The answer is fact specific. But the data-center context presents unique considerations: It changes which measures an enterprise can actually deliver and whose conduct the law measures. Below, we discuss relevant factors. And, because data centers and cloud-based data transfer cross borders, we examine how data-center location matters.

Data Centers

Data centers are physical facilities that house computing infrastructure (e.g., servers, storage systems, and networking equipment) and the power, cooling, and security systems needed to run reliably. The current AI revolution depends on these centers.

Cloud providers may not own the facilities that hold a customer’s data; many lease space instead. Data centers are located domestically and internationally. So, for global enterprises, data can be spread across centers owned by different entities in different countries.

Reasonable Measures

What is a reasonable measure is fact-dependent and “depends on a balancing of costs and benefits that will vary from case to case.” Rockwell Graphic Sys., Inc. v. DEV Indus., Inc., 925 F.2d 174, 179 (7th Cir. 1991).

Non-Disclosure Agreements

NDAs are a well-known tool, but cloud virtualization can make it unclear where data sits and whom an NDA should bind.

In Tax Track, an allegedly “secret” memo was disclosed to hundreds, many of whom were neither subject to an NDA nor identifiable. See Tax Track Sys. Corp. v. New Inv. World, Inc., 478 F.3d 783, 788 (7th Cir. 2007). The court held that disclosure to unidentified recipients undermined any prior measures. Id. Such disclosure is a “sure path to waiver.” BDT Prods., Inc. v. Lexmark Int’l, Inc., 124 F. App’x 329, 333 (6th Cir. 2005).

Because enterprises are in privity only with their cloud providers, not the operators that may hold the data, this is the Tax Track problem in physical form: The secret may sit on hardware operated by a sublessee the holder cannot name and with whom it never contracted.

A court could treat that as disclosure to unidentified parties that defeats secrecy, even if the holder did everything right at the cloud-provider layer. To close that gap, enterprises should understand where their data resides and contract to extend access and security restrictions to the data centers themselves, not just the visible cloud provider.

Internal Measures and Access Restrictions

Internal access controls also matter to demonstrate that a trade secret holder took reasonable measures. In DUSA Pharmaceuticals, regarding the misappropriation of “proprietary information and corporate secrets, including an extensive target customer list, sales analyses, training and marketing materials, operating procedures, technical information, and unpublished clinical data,” the court credited multiple IT controls, including stringent password requirements, need-to-know access, mobile device management software, VPN and 2-factor authentication, firewalls, and internal monitoring. DUSA Pharms., Inc. v. Biofrontera Inc., No. CV 18-10568-RGS, , *1-2 (D. Mass. Oct. 9, 2020) (treating the existence of a trade secret as a contested fact).

The court, while treating trade-secret existence as a contested fact, also credited DUSA’s physical controls: access PIN codes, 24-hour surveillance, an alarm system, and job-scoped entry to its facility. Id.

However, technological measures alone may be insufficient. In PPEX, the plaintiff stored its customer list behind application layer security, multifactor authentication, and public-key, military-grade encryption. See PPEX, LLC v. Buttonwood, Inc., No. 21-CV-53-F, , *9 (D. Wyo. Sept. 7, 2021). But the plaintiff had not required NDAs, marked documents confidential, or otherwise taken “any step to inform its employees” that the information was protected. Id. at *10-12. Reasonable measures “require at least some communication to employees regarding what information is confidential,” which plaintiff had not done. Id. at *10.

PPEX’s lesson is sharper in a data-center setting. Those who must be told of a secret’s protected status include the facility personnel with physical or root access. But these are exactly the people the enterprise neither employs nor, often, can identify. That is, access policy has to reach a workforce, including AI agents, that the holder does not control. In the cloud era, restrictions should not be limited to human employees, and enterprises should consider what access AI agents should have and to whom they can distribute information.

Digital Security

Encryption also looms large. In Phreesia, the court credited access limitations using “encryption and password protection.” Phreesia, Inc. v. Certify Glob., Inc., No. DLB-21-678, , *12 (D. Md. Mar. 29, 2022). Encryption carries disproportionate weight in the data-center context because the other measures are out of the holder’s hands. But encryption at rest travels with the data regardless of whose floor the server sits on. That makes it the one reasonable measure the holder can guarantee end-to-end and the first a court may look for when physical custody belongs to someone else.

Encryption is not foolproof. As ways to break encryption evolve, courts may have to evaluate whether imperfect encryption can nevertheless be a reasonable measure. After all, trade secret holders are not required to set up an “impenetrable fortress” around their trade secrets. See, e.g., E. I. duPont deNemours & Co. v. Christopher, 431 F.2d 1012 (5th Cir. 1970).

Whose Measures?

Here, the data-center problem becomes doctrinal, not just practical. The Federal Defend Trade Secrets Act (“DTSA”) requires the trade-secret “owner” to take “reasonable measures” to maintain secrecy. 18 U.S.C. § 1839(3)(A). But under this statute, “owner” is read more broadly than in property law. The DTSA defines it to reach whoever holds “rightful legal or equitable title to, or license in” the secret. 18 U.S.C. § 1839(4).

The Uniform Trade Secrets Act (“UTSA”) as adopted by some states (e.g., Texas, Colorado) embodies similar requirements. See Tex. Civ. Prac. & Rem. Code 134A.002(3-a)(2025), (6)(A), C.R.S. § 7-74-102(4).

But, in some jurisdictions, possession, not just ownership, matters. Domestically, for example, Maryland’s version of the UTSA does not require ownership to bring suit, and where two parties are in possession, courts examine whether both (not just the owner) have undertaken to maintain secrecy. DTM Rsch., L.L.C. v. AT & T Corp., 245 F.3d 327, 332-333 (4th Cir. 2001).

The 3rd U.S. Circuit Court of Appeals has since taken the same view with respect to Pennsylvania’s version of the UTSA, holding that lawful possession, without ownership, suffices to maintain a misappropriation claim. See Advanced Fluid Systems, Inc. v. Huber, 958 F.3d 168 (3d Cir. 2020).

Internationally, the Agreement on Trade-Related Aspects of Intellectual Property (“TRIPS”) treats information as secret only if it “has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.” TRIPS, Sec. 7, Art. 39, 2(c) (emphasis added). The United Kingdom and the EU have adopted the same “lawfully in control” test. See Trade Secrets (Enforcement, etc.) Regulations 2018, 2018 No. 597, Reg. 2; Council Directive 2016/943, art. 2, (1)(a)(c), 2016 O.J. (L 157) 9. This is closer to “possession” than “ownership.”

In the data-center context, this distinction is significant: “ownership” focuses on how the enterprise contracts with and monitors data centers, while “possession” places the focus on the actual security mechanisms data centers use. Which test governs changes what an enterprise must prove. Where ownership controls, the measures on trial are the holder’s own — its contracts, its access policies, its monitoring.

Where lawful control governs, the operator’s actual practices are in play, and that cuts both ways. It can rescue a holder who lacks title but lawfully possesses the data, such as a licensee. But it also means the holder’s protection may turn on a third party’s conduct it does not direct: If the operator’s encryption or access controls fall short, the secret may be deemed inadequately protected.

Under a control regime, the enterprise must audit the operator’s security, not merely contract for it. Because a single secret may sit in several jurisdictions at once, it may also be judged under several tests at once. The prudent course is to map where data is stored against the law that would govern there, and to secure — by contract and by verification — the operator’s reasonable measures wherever title alone will not carry the day.

Conclusion

A data environment is not mere back-end infrastructure. Enterprises should extend contractual protections to third-party data centers (not just cloud providers); maintain appropriate technological access controls; and weigh how storage location impacts trade-secret protection.


Originally printed in Thomson Reuters Westlaw on June 1, 2026. Reprinted with permission.

© 2026 Thomson Reuters