As businesses move more applications and data to cloud services (e.g., Google Apps for Business, Salesforce.com, Amazon S3), they inevitably are going to find themselves in litigation with the need to retrieve electronically stored information (ESI) from the cloud to comply with their e-discovery obligations. While the risks of e-discovery likely will not keep any businesses away from public cloud services altogether, businesses at least should plan for how they are going to meet the demands of e-discovery in the cloud when litigation arises.
Following are some tips on how businesses can manage their e-discovery risks if they are considering a move to a cloud or if they have already made the move.
E-discovery obligations cannot be avoided simply by contracting with a third-party provider to store business data or host a business application. See, e.g., Arteria Property Pty Ltd. v. Universal Funding V.T.O., Inc., No. 05-cv-4896, 2008 U.S. Dist. LEXIS 77199 (D.N.J. Oct. 1, 2008) (stating that party had control over content posted on website even if website was maintained on a third-party server); Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008) (holding that party had control over text messages held by third-party service provider); Tomlinson v. El Paso Corp., 245 F.R.D. 474 (D. Colo. 2007) (holding that party had control over electronic data maintained by third-party human resources firm and that party could not delegate its recordkeeping duties under ERISA). Indeed, a business can face a bigger challenge meeting its obligations within a cloud environment because it does not have complete control over what happens to data stored with a cloud provider.
Standard cloud computing service level agreements (SLAs) often do not directly address e-discovery or have terms and conditions that favor the provider. Ideally, a business will proactively evaluate what e-discovery risks could arise from its data being entrusted to the cloud provider and then seek to address these risks with the provider before entering into the SLA. Many of the risks will overlap with or relate to other key business and legal considerations (such as performance, data security, privacy, compliance and cost), so e-discovery does not need to be addressed with the provider as a stand-alone topic.
Key e-discovery considerations include:
- Information Governance — Will the provider delete data pursuant to the business’s records retention policies? Does the provider have its own policies for deleting data?
- Preservation — How will a litigation hold be implemented? Can auto-deletion settings and records retention policies be suspended in a timely and targeted manner when litigation is reasonably anticipated?
- Accessibility — How quickly can data be accessed and retrieved for the purpose of e-discovery? Can outside counsel and third-party e-discovery vendors access the data?
- Format — In what format will data be stored and in what format will it be retrieved? What corresponding metadata will be stored and can it be retrieved?
- Collection — Can targeted collections and searches of data be done based on specific custodians, date ranges, keywords, metadata, etc.? Will retrieving data change the corresponding metadata? Does the provider have a built-in e-discovery tool? How robust is the tool?
- Review — How will data be accessed, searched and retrieved so that it can be reviewed for relevance and privilege? Will there be any potentially relevant data or metadata that cannot be accessed, searched, and retrieved for review and production? Where will data be stored for review?
- Production — What file options are there for exporting data out of the cloud?
- Location — Where will the hardware storing the data be physically located in the world? Will the data be stored in multiple locations? Will any foreign privacy laws or blocking statutes be a concern when data must be accessed, searched, and retrieved for review and production?
- Security — What security measures will be in place to protect against the unauthorized disclosure of data to third parties? Will subcontractors be used by the provider?
- Risk of Loss — What happens if potentially relevant data or metadata is deleted or altered? Does the SLA limit the provider’s liability even if a court issues sanctions for spoliation?
- Admissibility — Will data be stored and retrieved in a way so that it can be admitted into evidence during litigation?
- Cost — Will the provider charge any additional costs for any measures that need to be taken to comply with e-discovery?
If the proposed SLA does not answer these questions satisfactorily, a business should try to discuss these e-discovery issues with the provider and include contractual provisions that address them.
If possible, here are the types of clauses a business should try to include in an SLA to mitigate its e-discovery risks:
- Ownership of data
- Right to export data and method of doing so
- Storage and export of data (including corresponding metadata) in specified form
- Accessibility of data “on-demand” and by counsel and e-discovery vendors as designated by the business
- Establishment of time periods the provider will keep data before deleting it pursuant to the business’s and/or provider’s retention schedules
- Suspension of auto-delete settings and retention schedules when litigation is reasonably anticipated
- Limitation (or at least identification) of physical locations where data may be stored
- Implementation of specified security measures to protect against unauthorized third-party access
- Notification of any data breaches
- Notification of any requests for data by third parties in advance of any production so that the business can oppose or take action to limit the disclosure of data
- Itemization of costs that the provider will charge for services connected to e-discovery
- Indemnification for losses incurred as the result of the unauthorized deletion or alteration of data (and corresponding metadata)
As a practical matter, many businesses may not be able to negotiate some or all of these clauses. A business may not have sufficient bargaining power because of the provider’s size or unique position in the market or because the terms of usage are non-negotiable and governed by a click-through agreement.
In these cases, a business can still mitigate its e-discovery risks through pre-litigation planning such as:
- Data Maps — Assess and document what cloud computing providers and services the business is using and what types of data are being stored in the cloud and by whom
- Litigation Hold Procedure — Prepare a legal hold process that accounts for the use of public clouds by the business and its employees
- Cross-Functional Team — Form an integrated team of personnel from legal, IT, compliance, information security, HR and records that is familiar with what cloud computing services the business is using and can address the business’s e-discovery obligations
- Outside E-Discovery Counsel — Consider having designated outside e-discovery counsel who has experience collecting data from the cloud and can familiarize themselves with the nature and extent of the business’s public cloud computing
- Preferred Vendors — Consider maintaining a list of proven e-discovery vendors who have experience successfully collecting data from the cloud
- Cloud Computing Usage Policy — Implement a usage policy stating what types of public cloud applications employees can use for business purposes and what types of business data employees can store in the cloud
- Data Repository — Provide a site controlled by the business that employees can access remotely to help protect against employees using third-party sites to store data on their own
- Employee Training — Educate employees about the business’s usage policy and litigation hold procedure, and explain why they are important
If these e-discovery issues have not been addressed beforehand, they will need to be confronted under the pressure and time constraints of litigation.
An important part of addressing these issues during litigation will be to conduct thorough custodian interviews of the key players in the case and to involve IT early in the process so that litigation counsel can identify the public clouds which may have ESI that is relevant to the claims and defenses in the case. Once this information has been gathered, counsel can determine how the functionality of those clouds and the terms of the SLAs with the cloud providers may impact the business’s ability to satisfy its e-discovery obligations. Counsel can then analyze how to preserve, collect, process, review and produce relevant ESI from those clouds in a way that will comply with the discovery and evidentiary requirements of the court in which the case is pending.
In conclusion, while businesses are taking advantage of the benefits of cloud computing, they also should consider and plan for the e-discovery risks involved in entrusting their data to third-party cloud providers. Although the tips discussed above are not exhaustive of what may need to be done, they can help in addressing these risks.