Legal question regarding storing legally obtained copyrighted material in the cloud

I want to store legally obtained copyrighted files - digital books, notes from online courses, etc. - in the cloud. In my case, I want to use private GitHub repositories (so that I can download them for offline use on my iOS devices), but the same logic should apply to more common cloud storage or backup providers such as Dropbox, Google Drive, iCloud Drive and Backblaze.

However, if the cloud provider is hacked and the hacker obtains access to the copyrighted files, would I be legally liable in any way for losses suffered by the author of the copyrighted files as a result of the hack?

For example, would the liability depend on factors such as whether the cloud provider encrypts the data at rest, and/or whether they have access to an encryption key?

What I’ve read is that, excepting HIPAA, data owners (you) are responsible, not data holders.

1 Like

Unless you are doing this on a massive Enterprise-level scale or are storing nuclear codes or the keys to the entire universe, I cannot imagine how this could result in an issue. Would it really be worthwhile for those entities to go after you?

It seems to me that it is far more likely for you to be liable for inadvertent release of non-copyrighted personal materials, i.e. trade secrets, medical or legal files, private photographs, etc.

There are two distinct issues at play here, copyright and confidentality. The answers will depend upon the jurisdiction in which you live, so if you are genuinely concerned you should consult a local lawyer.

On the copyright front, the first question you should be asking yourself is, does my licence (likely implied) allow me to save digital copies of the material? Owning a book, for example, does not grant you the right to scan or otherwise reproduce it in its entirety. On the otherhand, if the course materials were provided to you in digital form with the intention (express or implied) that you could keep them indefinitely, then saving a backup copy to the web is likely acceptable.

In general, there will be contractual obligations arising out of your licence to use copyright information with which you should abide and for which you can be held liable. Given the nature of the material you list, it is unlikely that the terms of your licence to use it envisage its redistribution. If you deliberately copy and distribute the material you could well be held liable by the copyright holder for that act, particularly if you do it for profit. If you save information to a web service from which it then leaks, the position is slightly less certain but I would work from the premise that liability rests with you and try to work out why it shouldn’t. You, afterall, choose where and how the copyright material you licenced was stored – which provider and whether it is encrypted – and you have the contractual nexus with the copyright holder.

Depending upon your contract with the storage provider, you may be able to bring them into (enjoin them in) any action against brought by the copyright holder or to recover the loss you suffer (i.e. any damages awarded to the copyright holder). “May”, however, is the operative word. Your provider’s contract will undoubtedly seek to limit their liability and to restrict your ability to enjoin them or sue for damages. Whether such a clause is actually enforceable in a consumer (i.e. personal rather than business) contract is very much a matter of local law. It will likely take a long time and cost a lot to find out for sure.

Equally, the issue as to whether the storage provider owes you any implied duty of care in terms of maintaining the security and privacy of data that you entrust to his care. Here you are treading in relatively unexplored territory, but rest assured your service provider will have heavyweight legal support; you won’t. As a lawyer it could be a fun case to run. On the one hand the implication that, because they encrypt the data they hold – and particularly if that encryption is a selling point or they otherwise brag about it – they understand that security is important, which could be interpreted as implying a duty to keep the encryption keys secure. On the other, contractual limitations of liability. Ding, ding, round one …

Legal liability to a copyright holder for unauthorised use of licenced material is under the terms of the licence granted to you, meaning that liability is contractual in nature. That means the copyright holder must quanitify and prove the loses suffered; those losses must have occurred as a direct result of the leak; and the fact that the losses might arise must have been known to you or reasonably foreseeable by you at the time the contract was formed. In reality that could be hard to prove unless it’s something really valuable like the manuscript of JK Rowling’s next novel. The value of a set of lecture notes is probably not all that great; you may have paid a lot for the course, but the value arguably comes not from the notes but the qualification you again as a result of participating in (and passing) the course.

The second issue is confidentiality; I doubt it applies. In most jurisdictions to pursue a breach of confidence requires that the material disclosed is not public knowledge; course notes don’t generally contain proprietary information like the recipe for Coke or some other “secret sauce”. Even if they did, it is necessary for the information to be disclosed to you in circumstances that dictate or imply confidentiality. A course your employer runs on the design of its super secret gizmo certainly falls within that scope; an open access course in calculus, no chance.

This is all first year law school stuff, in reality it gets much more complex very quickly so, if you’re truly worried (as opposed to merely inquisitive), do two things. First, consult a local lawyer with the details of exactly what the information is and exactly what you want to do with it. Second, above all else encrypt the files you are storing with a strong encryption key; don’t leave it to the service provider to do so.