The Editor presents the following summary of a whitepaper prepared by Guidance Software. This whitepaper is entitled “The E-Discovery Implications of the Cloud,” and it is co-authored by Chris Dale, Founder, E-Disclosure Information Project, and Patrick J. Burke, Senior Director and Assistant General Counsel, Guidance Software. The whitepaper provides a practical discussion of cloud computing, related issues specific to e-discovery and technical issues with respect to data management.
What Is “The Cloud?”
In the most basic sense, the cloud is an infrastructure belonging to a third-party provider that stores and manages an organization’s data on the provider’s own servers located outside that organization. The definition of the cloud published by the National Institute of Standards and Technology (NIST) is frequently cited: “Cloud computing is a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”
NIST identifies five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity or “scaling,” and measured service. These characteristics are what make cloud computing such a powerful resource in information governance.
The Benefits Of Cloud Computing
Cost reduction: Data volumes and IT demands have grown considerably, and maintaining in-house solutions requires capital investment; software licensing and support; premises costs; security; and proper staffing.
Flexibility: Centralized availability of data and applications allows employees to work from almost anywhere via the Internet.
Elasticity: As cited in the NIST definition, above, this benefit involves the ability to grow and shrink computing resources as required.
Efficiency: This “green” element involves the sharing of hardware by multiple businesses simultaneously and the better match of individual server capacity to actual needs.
A reported 43 percent of information officers expect to use cloud services in 2012.
E-Discovery Issues In Cloud Computing
Regardless of data-management method, an organization’s e-discovery obligations remain unchanged. Because cloud computing involves accessing information from third-party providers in off-site locations, satisfying these obligations in the cloud presents challenges on top of those that exist anyway.
Leading judicial commentators, including United States Magistrate Judge John Facciola, have warned of these challenges. While there are no significant decisions as yet, future decisions will almost certainly relate to the same factors as arise in more traditional e-discovery, such as identification, preservation and legal holds, and collection.
Identification: It’s difficult enough for an organization to identify its data sources, even conventional sources that are entirely under its own control. Once data is placed with a cloud provider, then, in the absence of clear agreement and definition, the organization may have no means of knowing precisely where its data is being kept, how many copies exist and how it’s organized. Possible consequences include higher costs and inefficient processing of discovery requests. At worst, identification (and everything that follows) may become impossible. Courts are unlikely to sympathize with parties who claim in such circumstances that their data is not reasonably accessible. Critical contract negotiations with cloud providers that address these issues should include participation from IT departments and those responsible for e-discovery.
Preservation and litigation holds: Organizational policies must be established that cover the lifecycle of data, regardless of its location or of the circumstances – whether ordinary or discovery-related – that may require access to it. IT departments have specific technical concerns, and cloud providers may have their own policies for the periodic deletion of data. It is critical to settle these matters in a negotiated contract, stipulating records management and retention protocols, as well as the format in which the data is kept.
Collection: Over and above technical issues, there is a growing legal concern about the collection of information from cloud providers that store data outside the home jurisdiction. As examples, cloud providers that elect to store information in the EU may trigger data-protection laws that otherwise would not apply, and some providers store data across multiple jurisdictions for cost, security or other reasons that take no account of U.S. e-discovery obligations. Organizations must address these issues in the contract, taking care to ensure that the question, “Where’s my data?” can always be answered, and in an acceptable fashion.
General Technical Issues
A cloud provider may have its own method of storing data – one that may not meet the reasonable expectations of the demanding party – which may affect searching capabilities and create compatibility issues with conventional search tools. At best, this can cause considerable unexpected expense; at worst, it may be seen as a breach of e-discovery obligations.
Data Remediation
Data that is kept for longer than necessary poses an often overlooked risk: data that could properly have been destroyed at some earlier stage (perhaps when a case is over) remains in existence and is therefore susceptible to discovery demands in subsequent litigation. Cloud providers should be as capable of destroying data as of preserving it. This may require case-by-case decision-making rather than merely the operation of a protocol. It is important to ensure, at contract stage, that such input will be acted on.
Authentication And Production
A party’s obligation to authenticate evidence does not change when the data is obtained from the cloud. Authentication may require forensic analysis, which, in turn, requires a heightened level of access. In the absence of a contractual entitlement, such access may not be forthcoming. Finally, the production process must comply with any applicable rules, agreements or court orders. Potential difficulties must be identified, limited by contract and included in the initial risk assessment when considering use of cloud services in the first place.
Compliance With Subpoenas Or E-Discovery Requests
When a cloud customer is served with a Rule 34 discovery request, a Rule 45 subpoena or a governmental subpoena, that user must respond to the demands for ESI as though the data were located on in-house servers. Thus, the contract must stipulate that the customer’s legal ownership of the data must not be qualified or limited by the cloud provider’s de facto control of it.
Because dealing with subpoenas is not a core activity for cloud providers, complex e-discovery issues arise when a provider is served directly. The ultimate responsibility for compliance falls on the cloud customer. While there may be restrictions such as when criminal allegations or the Stored Communications Act are involved, the contract should otherwise ensure that the provider is obliged to notify the user upon receipt of the subpoena. Further, the contract should discuss the provider’s specific responsibilities when responding to the subpoena as well as the allocation of costs.
Practical Risk And Security Considerations
Security is a critical component of information governance, and sending data outside a company’s infrastructure may increase security risks, with implications for e-discovery and business in general.
There are some obvious technical steps to take, such as data encryption, and risk assessments should consider the number of attacks and the tools and skills available to would-be attackers. Organizations must identify who is responsible for what aspects of security, and they must understand the difference between compliance and security. Achieving a minimum level of compliance does not necessarily imply an adequate level of security.
Lastly, it is possible to obtain insurance coverage for:
- Obvious eventualities – business disruption, intellectual property (IP) theft, the triggering of reporting obligations – that are all possible consequences of security breaches
- The potentially reduced ability to comply with e-discovery obligations
- The possibility of costs and sanctions consequences
Summary
Cloud services can offer cost and efficiency benefits, but they also can heighten commercial risks with respect to satisfying e-discovery obligations because some of the responsibility is delegated to an outside party. Formalizing the necessary precautions in agreements with cloud providers is essential, and this process represents an additional opportunity to re-examine precautions in all organizational contexts.
Published November 16, 2012.