In the early days of personal computing, users depended on “local” drives and stored their data on floppy disks kept in containers on desktops or in drawers. Applications from software manufacturers permitted users to create, manage and manipulate their business and personal information.

But in short order, software became more and more sophisticated and floppy disks were replaced by hard drives. Operating systems became faster, hard drives were developed with even more capacity and programs grew in size and scope.

Eventually the advent of networks allowed ever bigger programs to be shared among multiple users accessing ever-growing data banks. Nevertheless, networks remained largely tethered to the location of the users, who, at least theoretically, maintained both physical possession and control over the data.

The trend today is toward something different: Whereas companies may still prefer their employees to be in geographic proximity to urban centers of business and government, the cost of prime real estate and the availability of fast online interconnectedness in many locations that would otherwise be considered remote make cloud computing a viable and cost-effective alternative. Accordingly, data and data applications that are kept in a cloud may be physically located in one or more remote servers but are nevertheless transparently available to company users.[FOOTNOTE 1]

Data kept in a cloud often is, or may be, shared among, or usable by, multiple parties. It can include information ranging from word processing documents and business presentations to employee or patient health information and tax or accounting records, to schedules, calendars and contacts. The key to cloud computing is the speed with which the data and applications can be accessed, rather than the capacity and speed of a personal computer’s hard drive, as was crucially important in the past.

Even individual users are becoming more and more likely to be participants in the cloud computing phenomenon. E-mail programs such as Google’s Gmail, which stores users’ e-mail on its own servers, are a perfect example of this growing development.

Given the explosive growth of cloud computing, it should be no surprise that it presents numerous legal issues for businesses. Two of the most significant are privacy concerns and the implications of cloud computing for pretrial discovery.

As with other forms of “outsourcing,” businesses’ duties to protect private or confidential data do not end with their transfer of the data to third-party vendors for storage or processing. A recent report from the World Privacy Forum, “Cloud Computing and Privacy,” highlights a number of important privacy issues raised by cloud computing that corporate users of cloud computing should keep in mind.[FOOTNOTE 2]

For example, although the Gramm-Leach-Bliley Act[FOOTNOTE 3] permits financial institutions to disclose confidential consumer information to a third party such as a cloud computing service provider, the terms of any agreement between the financial institution and the provider must be carefully considered.

In addition, the Privacy Rule enacted by the U.S. Department of Health and Human Services under the Health Insurance Portability and Accountability Act[FOOTNOTE 4] requires that covered health plans, health care clearinghouses and health care providers enter into “business associate agreements” with cloud providers (and, of course, other third parties) before turning over so-called protected health information.

There may also be risks associated with using cloud computing providers to store confidential corporate information such as trade secrets without appropriate and specially negotiated agreements.

What undoubtedly can complicate the privacy issues in these and other situations is that the governing law might change depending on the cloud provider’s physical location. Different rules can apply if storage is in a European Union country, arguably subject to the EU’s Data Protection Directive,[FOOTNOTE 5] in multiple states within the United States, or in multiple locations around the world. Accordingly, it is essential that the terms of contracts for cloud computing services be negotiated keeping in mind the type of data to be stored, the location of the servers and the particular legal obligations of the business whose data it is.

While a business might be able to make a claim against a cloud server for the escape of private data, the business may not be insulated by its claim that a privacy breach was the result of acts by the cloud server.


An issue raised by cloud computing that may be even more difficult to parse than privacy concerns is its implications for pretrial discovery in general and for electronic discovery in particular.

Generally speaking, pretrial discovery may be had of relevant documents that are in the “possession, custody or control” of a party.[FOOTNOTE 6] That means that a party is obliged to produce documents in its control, even if those documents are not literally in the party’s possession when the demand is made.[FOOTNOTE 7]

Documents are under a party’s control when it has the right, authority or practical ability to obtain them from a non-party.[FOOTNOTE 8] When a corporation relies on a cloud computing provider (or multiple providers), are those documents under its control? Even if they are, how can those documents be authenticated and proven to be reliable?

In Shcherbakovskiy v. Da Capo Al Fine, Ltd.,[FOOTNOTE 9] the 2nd Circuit U.S. Court of Appeals adopted the view that a party may be required to produce documents that it has the practical ability to obtain.

The circuit stated as follows:

Turning to the legal issues first, a party is not obliged to produce, at the risk of sanctions, documents that it does not possess or cannot obtain. See Fed. R. Civ. P. 34(a) (“Any party may serve on any other party a request … to produce … documents … which are in the possession, custody or control of the party upon whom the request is served …”); E.E.O.C. v. Carrols Corp., 215 F.R.D. 46, 52 (N.D.N.Y. 2003); see also Societe Internationale Pour Participations Industrielles Et Commerciales, S.A. v. Rogers, 357 U.S. 197, 204, 78 S.Ct. 1087, 2 L.Ed.2d 1255 (1958) (acknowledging that Rule 34 requires inquiry into whether party has control over documents), Fisher v. U.S. Fidelity & Guar. Co., 246 F.2d 344, 350 (7th Cir. 1957). We also think it fairly obvious that a party also need not seek such documents from third parties if compulsory process against the third parties is available to the party seeking the documents. However, if a party has access and the practical ability to possess documents not available to the party seeking them, production may be required. In Re NASDAQ Market-Makers Antitrust Litig., 169 F.R.D. 493, 530 (S.D.N.Y. 1996).
