Enter to open, tab to navigate, enter to select
Hey, You, Get Off of My Cloud: S.D. Ind. Seals Court Documents to Prevent Hacking
Practical Law Legal Update w-001-7687 (Approx. 4 pages)
Hey, You, Get Off of My Cloud: S.D. Ind. Seals Court Documents to Prevent Hacking
by Practical Law Intellectual Property & Technology
| Published on 23 Mar 2016 • USA (National/Federal) |
In OneAmerica Financial Partners, Inc. v. T-Systems North America, Inc., the US District Court for the Southern District of Indiana ruled that a seal on court documents was justified to prevent hackers from breaching a party's information technology (IT) systems.
In OneAmerica Financial Partners, Inc. v. T-Systems North America, Inc., the US District Court for the Southern District of Indiana ruled that a seal on certain pleadings and other court documents was justified to prevent hackers from breaching the plaintiff's information technology (IT) systems ( (S.D. Ind. March 9, 2016)).
OneAmerica Financial Partners, Inc. sued T-Systems North America, Inc. (TSNA), its former cloud Infrastructure as a Service (IaaS) provider, for breach of contract based on alleged nonperformance and defects in TSNA's service.
OneAmerica requested that the court seal parts of its request for proposal for IT services, the parties' service agreement, and other court documents, to prevent hackers from breaching its IT systems. Specifically, OneAmerica requested that the court seal the contents of documents that identified details about its:
- Software, applications, and hardware.
- Vendors.
- Regional locations.
- IT policies and procedures.
The court cited a line of district court decisions in which concerns about hackers and cyber-attacks justified granting motions to seal information about the movants' IT systems. The court also distinguished Zahran v. Trans Union Corp., a case relied on by TSNA in opposing OneAmerica's motion, noting that:
- In Zahran, the court denied the defendant's motion to enter a protective order and to seal certain exhibits and pleadings because the defendant cited only the remote risk of what a hacker could possibly do after it gained access to the defendant's database ( (N.D. Ill. Sept. 9, 2002)).
- In the present case, OneAmerica sought a sealing to prevent a hacker from gaining access to its system in the first place, an occurrence that would put at risk the confidential personal and financial information of hundreds of thousands of OneAmerica's customers.
The court granted the seal in part, ruling, among other things:
- There was little public interest in sealing the information in the parties' request for proposal and service agreement that OneAmerica sought to place under seal.
- A seal on some information already in the public domain was justified, because the information was provided to the court in a single source that a hacker would otherwise have to spend time and effort to obtain.
- A seal on all information in the Counter-Complaint and Answer to the Counter-Complaint was not justified, because it appeared that OneAmerica's redaction of certain information from these pleadings was not necessary to maintain data privacy or security, but rather, to shield OneAmerica from allegations of wrongful conduct.
While OneAmerica involved a company's attempt to preserve the confidentiality of information the customer affirmatively introduced in an action against its cloud service provider, the case illustrates the importance of a cloud service customer's:
- Anticipating the possibility of being compelled to produce similarly sensitive information concerning its data systems and practices in litigation.
- Insisting on strict nondisclosure provisions shielding this information in its service agreements with cloud service providers.
Specifically, the customer should include provisions in its cloud service agreements that require the service provider to:
- Take all lawful steps to contest and mitigate any compelled disclosure by seeking an appropriate protective order and other appropriate confidentiality safeguards.
- Promptly notify the customer of the provider's receipt of a court order, legal process, or other demand for compulsory production of information that could compromise trade secrets or data privacy or security.
- Bear the burden of showing that it fulfilled these requirements before disclosing any personal, commercially sensitive, or data- or system-security-related information.