It appears that Chicken Little is alive and well when it comes to moving your data to the cloud. In an article titled, “The Promise of the Cloud Meets the Obligations of E-Discovery“, published on the Law.com website on October 12, 2011, authors Brendan M. Schulman and Samantha V. Ettari state that, “cloud computing also poses a serious threat to an organization’s ability to prepare for and respond to document preservation and discovery obligations, and erodes protections against discovery of the data by government authorities and third parties.”
Putting this into perspective, ancient scholars thought that the world was flat and some even thought that Columbus would fall off the edge. Many adults during the 1960’s believed that Rock and Roll music would destroy Western culture and there are still some that believe that the world is going to end in 2012.
Closer to home with Chicken Little arguments that we have heard regarding advances in Information Technology (IT), some thought that putting computers (PCs) in the hands of common people was a crazy idea, decentralizing IT with departmental client/server computing would be the end of the corporation as we know it and all of these mobile computing devices and associated social media communication options are destroying our ability to communicate in person.
And, even closer to home, it wasn’t that many months ago that some litigators were contending that all of this eDiscovery technology was going to destroy the basic fabric of the legal process.
Obviously none of this is true and likewise there is very little real danger in moving your data to the cloud. So, let’s examine Ms. Schulman’s and Ms. Ettari’s concerns in more detail.
First of all, they do admit that, “The cloud computing revolution sweeping through corporate IT departments does, indeed, promise substantial cost savings and organizational efficiencies.” But then the go on to state that placing data in the cloud will compromise the legal hold and associated collection process and can compromise rights to privacy. Let’s examine these claims in more detail:
The Legal Hold Process
Many corporations are already dropping the ball on fulfilling their legal hold obligations. They don’t really know where their data it located, don’t have well defined data retention policies in place and as a result treat most legal requests for data as a very costly and highly inefficient one-off fire drill that in most cases doesn’t meet even the minimum legal requirements. I contend that consolidating data in the cloud will at least ensure that most of the data is in one place and will enable a much more effective data retention and associated legal hold process.
eDiscovery Collections in the Cloud
As with legal hold, many corporations are already dropping the ball on fulfilling their legal obligations in regards to collecting ESI in a forensically sound manner. Therefore, as with legal hold, consolidating ESI under a common CSP and utilizing state-of-the-art Early Case Assessment (ECA) technology that has been designed to run in the cloud (its a very short list but it does exist), should and will make eDiscovery collection in the cloud much more efficient and cost effective. Please note that I am not oblivious to the fact that tyring to perform ECA with no technology or with the wrong technology and in partnership with some CSPs can in fact be difficult. However, there is technology and best practices available today and the CSPs that embrace eDiscovery as a standard component of their technology (yes technology) stack will in fact find it (eDiscovery in the cloud) to be a “key competitive advantage” that will accelerate the move to the cloud.
Rights to Privacy
With the accelerating proliferation of ESI, mobile computing devices and associated mobile communications, privacy and rights to privacy has become a difficult issue to get our collective arms around. In regards to corporate data or law firm data, I am going to contend that they already have multiple holes in their security dikes and that for all practical purposes the security that we all knew in the era of the bricks and mortar corporation with paper is long gone. Further, with the proliferation of email, texting, blogging and now social media such as Facebook, Twitter and LinkedIn, the core concepts of rights to privacy need to be adjusted. And, as with legal hold and collections, moving your data to the cloud is not going to make rights to privacy issues any worse as this data is already in the cloud.
I appreciate the concerns of these authors. However, these concerns do in fact rise to the level of Chicken Little. As I have said many time in the past 24 months, “the cloud train has left the station.” And therefore, to shout that riders had better not get on or that if they do get on they had better hang on to their hand bags because some dark stranger is going to grab it. Or to say that there is a dark cloud on the horizon that is going to swallow all of your crazy cloud people is not much different than the people that said Columbus would never return. Columbus made it and so will cloud computing. It fact, cloud computing has already made it and most of us are just fine, eDiscovery in the cloud and all!!
The full text of the article by Brendan M. Schulman and Samantha V. Ettari is as follows:
Cloud computing” refers to the revolution sweeping through corporate information technology departments of using remote computing providers connected via the Internet, rather than internal servers and network drives, to store and access a corporation’s electronically stored information. The cost savings and efficiency gains offered by cloud computing make it an irresistible lure to companies looking for cheap data storage and technical support.
However, cloud computing also poses a serious threat to an organization’s ability to prepare for and respond to document preservation and discovery obligations, and erodes protections against discovery of the data by government authorities and third parties. When the negotiation of a terms-of-service agreement with a cloud service provider takes place without the input of legal departments or outside counsel who are familiar with these issues, corporations and their counsel lose a valuable opportunity to include favorable provisions that could help mitigate substantial e-discovery risks and costs in the future.
The cloud computing revolution sweeping through corporate IT departments does, indeed, promise substantial cost savings and organizational efficiencies. A large part of that efficiency is attributable to the dynamic scalability of cloud-based systems. For decades, whenever a company purchased an enterprise-level computer system, such as an e-mail server, it purchased excess capacity in anticipation of its future needs, and employed a full support staff to implement and maintain it. Cloud services eliminate these and other inefficiencies by pooling the vast centralized storage and computing capacity made available by a CSP, allocating storage space and computing resources to the customers who need them, when they need them. Customers pay only for their use of actual computing services in time units or storage space, allowing them to eliminate IT positions. For small companies, some CSPs provide the added benefit of 24-hour technical support and may afford greater data security as well as backup redundancy and faster crash recovery.
However, aspects of cloud computing that may not be immediately obvious threaten to make compliance with various e-discovery obligations more difficult and more expensive, in some cases potentially negating some of the long-term promised benefits of moving to the cloud.
A MORE COMPLICATED PROCESS
Alternative methods of preservation, such as the making of a “forensic image,” may be rendered infeasible because the relevant data exists in fragments across various locations around the world. It also may be difficult to locate a CSP representative who will assist counsel in understanding the cloud system and implementing the necessary preservation steps. Additionally, cloud providers that contractually cap a customer’s storage limit or that delete data after a certain time period could unintentionally cause spoliation of evidence. For these reasons, it is prudent for companies to negotiate a terms-of-service agreement that requires automatic deletion routines to be suspended when necessary, and that sets out a litigation hold protocol, or to find a CSP who offers these options.
A move to the cloud also impacts the ability of the corporation to respond in a timely manner to initial disclosures and document requests. No longer can the general counsel call the company’s IT director and ensure an appropriate response to an urgent litigation need. Instead, the CSP might be expected to respond in accordance with the terms-of-service agreement, which may fail to address litigation response at all. Thus a party’s ability to respond to document requests within the timeframe provided in the applicable rules, or as ordered by a court, may be jeopardized by the selection of a CSP who is leanly staffed. Care should be taken in selecting a suitable CSP, and a prudently negotiated services agreement would include specific provisions for response time to litigation-related requests.
Court rules increasingly anticipate that counsel will quickly learn the facts concerning a client’s data system. For example, the August 2010 amendments to New York Uniform Rules 202.12(b) and (g) require that:
counsel for all parties who appear at the preliminary conference must be sufficiently versed in matters relating to their clients’ technological systems to discuss competently all issues relating to electronic discovery; counsel may bring a client representative or outside expert to assist in such e-discovery discussions.
When a client’s ESI is in the cloud, it is difficult to imagine effective compliance with this rule in the absence of cooperation from the CSP.
Additionally, it is conceivable that a court might construe broad language in a terms-of-service agreement or lax controls over a CSP’s access to customer data as indicative of prior consent to production pursuant to a subpoena. For these reasons, it is a best practice, where possible, to negotiate into the terms-of-service a provision requiring that the CSP provide notice to the customer upon receipt of a civil subpoena, and express language indicating that no ESI may be produced to a civil party without the customer first having had an opportunity to be heard.
Alternatively, Fed. R. Civ. P. 26(b)(2)(B) might be invoked to argue that the data is no longer “reasonably accessible,” although that rule is typically concerned with “undue cost or burden.” It is conceivable that a party may become caught between a court order in a far-off jurisdiction compelling production, and a bankruptcy proceeding that prohibits the debtor from committing resources to a customer’s response. Even if a cloud customer caught in this situation is afforded relief from certain discovery obligations, there is always the risk that documents that are helpful to the company’s case will remain inaccessible, posing a threat to the substantive outcome of the case. A terms-of-service agreement that specifically contemplates this scenario could be of assistance in asking a Bankruptcy Court to require cooperation, although the outcome is likely to turn on the practical ability of the debtor to undertake the effort. These risks may be mitigated, in part, by implementing an appropriate backup regime allowing ESI to remain accessible by the company.
CAUTION FOR LAW FIRMS
would reach the opposite conclusion if the e-mails were reviewed by human beings or if the service provider reserved the right to disclose the e-mails or the substance of the communications to third parties without the sender’s permission.[FOOTNOTE 18]
Caution is therefore warranted when cloud service agreements appear to provide outsiders with broad access to law firm data.
THE STORM AHEAD
- How to Engage Enterprise Buyers in Meaningful Conversations in 2016 February 28, 2016
- nVIDIA Driving Deep Learning to the Forefront – Literally February 22, 2016
- New Technologies Disrupting the Legal Business in the UK February 17, 2016
- Shares of Tableau plunge 36% after company posts $41M loss in Q4 February 5, 2016
- LexisNexis Unveils Lexis® DiscoveryIQ eDiscovery Platform Enhanced by Brainspace February 2, 2016