This article was published originally at InsideCounsel.com. The article is the fifth in a six-part series focusing on evidence spoliation. Read more here and here. Technology Law Source will notify readers when InsideCounsel.com publishes the final article in this series.
We previously addressed the scope of the duty to preserve. Once you determine when the duty to preserve commenced, you need to identify what needs to be preserved. While the scope of this duty has not changed dramatically over the years, the location, type and amount of information included within that duty has exploded in the past decade due to the advancement of technology and growth of social media outlets. This expansion of available outlets and the ease of creating information has substantially increased the complexity of issues associated with complying with the duty to preserve.
One of the most significant developments involves the use of third party data storage providers or “cloud providers.” Storage of information in the cloud affords companies numerous advantages, most significantly, the cost savings associated with data storage. Placing data in the cloud allows companies to replace portions of their existing technology infrastructure with third party data storage providers. But the convenience and related cost savings are not without risks. The most serious risks include preservation of confidentiality and security of the data as well as the ability to comply fully with preservation obligations on a timely basis.
Rule 34(a)(1) requires the preservation and production of documents within a party’s possession, custody or control. Information in the cloud typically is not within a party’s possession or custody. Yet, courts generally hold that information stored in the cloud falls within a party’s control. Extending the duty to preserve to third parties is not new. Indeed, prior to electronically stored information becoming predominant, companies often stored paper files in warehouses operated by third parties. Now the cloud presents a new type of third party and a new location that companies must consider in complying with their duty to preserve. Given that this type of obligation is not new, courts generally are not sympathetic to parties who fail to appropriately preserve information stored in the cloud.
If you have not yet entered into an agreement to store information with a cloud service provider, there are several key issues to consider before selecting a vendor. A summary of all the legal issues associated with selecting a provider is beyond the scope of this piece, however certain key considerations must be made with regard to preservation of data. After ensuring that confidentiality and data security issues will be adequately addressed, companies should consider whether a legal hold can be properly effectuated and whether it can be established for specific types of information to be stored. For example, can information pertaining to a single custodian for a three-year period be located and made subject to a hold. To the extent that this is not possible or easy to implement, a company may determine that certain information should not be stored with a cloud service provider. While software applications exist that enable cloud users to implement their own litigation hold for information stored in the cloud, not all cloud service providers use these applications. After confirming this ability, the process for effectuating a legal hold (i.e., type of notice, who receives notice, method of confirmation of compliance) should also be confirmed.
A second consideration is how the cloud service provider will respond to third-party subpoenas and/or requests for information. A company should confirm that it will be immediately notified of any such request and that information will not be produced without affording the company an opportunity to respond to the request.
Another consideration is whether the cloud service provider will comply with your existing data retention policies, which may include different retention periods for different types of information. This issue involves your ability to delete portions of the stored data in compliance with your existing record retention policies.
If you are already engaged in a contractual relationship with a cloud service provider, you should prepare now for future litigation. First, you should confirm which cloud service providers currently store data for your company and what data they possess. Then determine where and how this information is stored. The location of your data can become significant depending on the jurisdiction’s privacy laws. Further, understanding how your information is stored (i.e., is it separate from other users and in what format is it stored) will enable you to know the requirements of any future e-discovery collection and production. Finally, you should know whether the cloud service provider will allow self-collection of any information that needs to be produced in litigation. To the extent self-collection is not permitted, you should learn the costs associated with any potential collection efforts.
Overall, use of cloud service providers is generally beneficial in terms of cost savings and related technological logistics. As with any benefit, there are certain risks — knowing and assessing these risks before data is stored in the cloud or needs to be produced in litigation can avoid the imposition of costly sanctions. Our last topic in this series will address the various sanctions courts impose when data and information is not properly preserved and the issue of spoliation of evidence arises.