What a Farming Bankruptcy Can Teach Us About Privacy in the Cloud
Today's post about the cloud is brought to you from above the clouds, via wi-fi on a plane, using a cloud service (our blog service provider). First I pause to note how awesome that is. I could not have been doing this five years ago. Now, back to the point. Privacy in the cloud. Specifically, the potential impact of "segregation" of data in the cloud, whatever that means. Does "segregation" that prevents "intermingling" preserve an organization's reasonable expectation of privacy vis-a-vis the government under the Fourth Amendment? One recent case, although not about a cloud of any shape or form, suggests that it might.
I love finding cloud law where you least expect it. Recently reported in BNA's Privacy & Security Law Report, In re SK Foods Inc., No. 2:09-cv-02938, is a bankruptcy matter involving a debtor that processes tomato products. In SK Foods, the United States District Court for the Eastern District of California stayed the Bankruptcy Court's order that would have allowed the Trustee to continue to possess and review information relating to third party non-debtors pending appeal. Why? There was evidence suggesting that, despite residing on shared computer servers, the data of the third parties had not been "intermingled" with the debtor's data, the servers belonged to a third party, the debtor could not access the third party records without authorization, and the third parties demanded return of their records once the Trustee intervened. Read on after the jump for a detailed review of the District Court's order, available here, and consideration of its implications for the cloud.
Procedural and Factual Background
In SK Foods, non-debtor third parties SSC Farms, LLC, SSC Farming LLC, SSC Farming 1, LLC, SSC Farming 2, LLC, and Scott Salyer (I will refer to them collectively herein as the "SSC Third Parties") sought a stay of the Bankruptcy Court's order giving the Trustee authorization to continue to possess and review information relating to the SSC Third Parties pending their appeal of that order. Third party Salyer is the founder of the debtor SK Foods and owner thereof via a separate company and his trust. The other SSC Third Parties are entities owned by Salyer's children that grow vegetable and tomato products processed by the debtor. The Trustee had taken possession and control of all records located at the debtor SK Foods following his appointment, including electronic records stored on the company's computer servers. The SSC Third Parties maintained their own records on the debtor SK Foods' premises, but did so pursuant to a joint cost sharing arrangement to maximize operational efficiency. Hmmm, sounds a little like a multi-tenancy cloud.
The Bankruptcy Court found, as a matter of law based on a determination that the facts were undisputed, that the SSC Third Parties had waived any privacy rights associated with their records by failing to remove them from the debtor SK Foods' premises before involuntary bankruptcy proceedings were commenced. However, the Bankruptcy Court explicitly noted that, in the absence of undisputed facts, the question of whether a reasonable expectation of privacy exists is a mixed one of law and fact (citing Hill v. Nat'l Collegiate Athletic Ass'n, 7 Cal.4th 1, 39-40 (1994)).
The Trustee's Argument re Shared Servers and Intermingling
The Trustee argued that debtor SK Foods had custody and control over the records because all the entities functioned as a single operational and economic enterprise, because the records were intermingled, because SK Foods' employees had access to the SSC Third Party records, and because all of the entities shared servers and an email system owned by debtor SK Foods.
The District Court's Ruling: Facts in Dispute-Evidence Suggests No Intermingling on Servers, so Privacy Rights May be Preserved
The District Court stayed the Bankruptcy Court's order pending appeal, noting that there remains a reasonable expectation of privacy in financial personal, and other related documents even if such documents are stored or left on a third party's premises (citing U.S. v. Fultz, 146 F.3d 1102, 1105 (9th Cir. 1998)). The court further held that intermingling of documents, alone, does not waive a third party's constitutional rights (citing U.S. v. Comprehensive Drug Testing, 579 F.3d 989, 1004-1005 (9th Cir. 2009)).
Significantly, the court noted that the Trustee had cited no authority for the proposition that privacy interests are waived merely because companies may have shared storage and access capabilities, and may not have immediately segregated and taken their own materials once the debtor's bankruptcy filing took place.
Most importantly, the District Court noted that the facts were in dispute because the SSC Third Parties had identified (via declaration) evidence "suggesting that electronic data for each non-debtor entity was maintained in separate folders and was not intermingled with data belonging to other entities"; that the servers used to store the data were not owned by the debtor SK Foods; that debtor SK Foods' access to documents and information pertaining to the SSC Third Parties required authorization; and that the SSC Third Parties immediately demanded the return of their own private and confidential information once the Trustee intervened.
Implications for the Cloud?
In many ways, SK Foods raises more questions than it answers for purposes of the cloud. Is the court's analysis too simplistic? What exactly is "intermingling" on a third party server or in a cloud? Is there any such thing as data that is not intermingled in a public cloud? Is there an equivalent to "separate folders" in a multi-tenancy cloud?
Then again, SK Foods is perhaps merely an acknowledgment, in a very different context, of the following sentiment expressed by Chief Judge Kozinski in the Ninth Circuit's en banc opinion in Comprehensive Drug Testing, supra:
The advent of fast, cheap networking has made it possible to store information at remote third-party locations, where it is intermingled with that of other users. For example, many people no longer keep their email primarily on their personal computer, and instead use a web-based email provider, which stores their messages along with billions of messages from and to millions of other people. Similar services exist for photographs, slide shows, computer code, and many other types of data. As a result, people now have personal data that are stored with that of innumerable strangers. Seizure of, for example, Google’s email servers to look for a few incriminating messages could jeopardize the privacy of millions.
Some might suggest that sharing a computer server and email systems (or a cloud, for that matter) by numerous businesses presents a closer case. The court in SK Foods thought, at a minimum, it was worth an evidentiary hearing, and suggested that a finding of "segregation" of some sort might preserve Fourth Amendment rights.
All of this raises important questions for all companies, but especially companies doing or considering doing business in the cloud:
- Do you know where your records reside?
- Are they hanging out with other companies' records?
- Who owns the servers?
- Where are those servers located?
- Are your files "segregated" in some fashion from other organizations' files?
- Could you prove "segregation" in court?
As you can see, "cloud" jurisprudence is evolving without the word "cloud" ever being uttered in a court order or opinion. We will continue to keep an eye on it. Signing off from the clouds, for today.