Many organizations are considering moving their data storage to the cloud. However, confusion about the cloud persists, along with uncertainty about the nature of legal risks associated with cloud data storage and its impact on a defensible e-discovery process.
The allure of the cloud is great, with lower computing costs and instant scalability. But often times the decision to move data to the cloud is based primarily on technical and business requirements without adequate consideration of potential legal issues. Recently, my colleague Patrick Burke teamed with Scott Carlson, a partner at Seyfarth Shaw LLP, to discuss some of these issues.
The “cloud” is often an overused and undefined term. It’s not thin client computers, it’s not in your data center and it’s not traditional hosting. The National Institute of Standards and Technology (NIST) defines the cloud as having five characteristics: on-demand self-service, broad network access, resource pooling, rapid elasticity or expansion and measured service.
Simply put, cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.
NIST also lists three service models of cloud computing, including Infrastructure-as-a-Service (IaaS), which provides basic storage and hosting; Platform-as-a-Service (PaaS), which provides operating systems to build apps to run in the cloud; and Software-as-a-Service (SaaS), which includes cloud enabled apps, email, document and file sharing, as well as social media sites. Whether you know it or not, you probably already are using one or more cloud-based applications. The trend in cloud computing adoption is growing rapidly, with the market expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015. Cloud computing is being adopted by organizations ranging from small businesses up to the largest in the Fortune rankings.
From a digital investigation and an information security standpoint, the cloud can be both a friend and foe. With massive concentrations of resources and data stored in the cloud, it can become a “honey pot” for potential attackers—on par with the information assets of very large companies.
Because of the vulnerability of sensitive data, you might assume that the legal department would be involved in any cloud-related decisions. However, often the legal department may not be aware until the changeover to a cloud solution is already complete. The legal department is then left to navigate the issues associated with the preservation of data stored online, authentication problems and hurdles related to searching for electronically stored information (ESI) in the cloud.
A number of issues arise with cloud e-discovery, beginning with identifying the physical location of the server, and then determining the ownership or control of those servers, which brings third-party data discovery issues. The issue of server location was raised in Suzlon Energy Ltd v. Microsoft Corporation (2011 WL 4537843 (C.A.9 (Wash. Oct. 3, 2011))) where, in October 2011, the U.S. 9th Circuit ruled that U.S. discovery rules are in effect for data on U.S. servers, even if a case involves non-U.S. nationals.
Issuing legal holds presents similar challenges, as the owner of the server becomes an additional party that may be responsible for preserving the data (notwithstanding contractual clauses with cloud providers that attempt to state the contrary). Because these servers can be shared, and may have automatic deletion functionality, demonstrating that you’ve preserved the data in a volatile environment is a challenge. Collection technology must be able to scan cloud servers and report on responsive data so that you can demonstrate to the court that a reasonable search was conducted.
As for authentication, you must consider whether cloud storage affects metadata. In setting up a contract with a provider, ask for a contractual commitment to support your investigation needs, as well as information on data collection technology that the cloud vendor may have already used in such activities.
Also, determine whether your own internal collection capabilities are able to preserve data from your cloud sources. Without these, actually responding to discovery requests in some cases will be impossible.
And finally, in terms of production specifications, ensure that you can conduct targeted collections so that data you extract does not create more issues in the case, e.g., is not extraneous, but rather is data normally kept in the ordinary course of business.
In order to deal with these issues, consider these five practical steps:
1. Encryption. Your data, while partitioned by the provider, may be on shared hardware, so consider asking if it is encrypted or if you can encrypt it. Note that varying degrees of shared hardware exist. For example, clients could be using the same communications infrastructure, but operate in a multi-tenant SaaS cloud or on mechanically separated LUNs (logical units). Additionally, encryption comes into play both during transit and at rest. Many providers encrypt data at rest, but not in transit. Also, the client may not be able to select the encryption mechanism or key. 2. Understand shared responsibility. As a part of your contract, make sure you define who owns various parts of the cloud for security and e-discovery (the cloud provider, your company, customers, etc.) and define clear demarcation between systems and parties responsible. Also, verify your capabilities to extract ESI from the cloud in a targeted and legally defensible manner and what the service-level agreements (SLAs) are for collecting data.
3. Expect attacks. Cloud-based data storage is subject to internal and external attacks similar to on-premise data storage, no different than traditional on-premises security. Ask about your provider’s security measures. Look for those providers that use a layered security approach, including authentication, encryption, firewalls, intrusion detection/prevention, cyber forensics and other security measures. No single barrier alone will magically secure you. The more layers, the harder it will be for an attacker to infiltrate and abscond with confidential or proprietary business information.
4. Don’t assume compliance equals security. Compliance guidelines usually establish minimum standards and generally make good recommendations on how to use these technologies, but are not a complete security strategy.
5. Cloud Contracts. There are a number of basic concerns to keep in mind when negotiating cloud contracts. These include: the right to use data and metadata, ownership of data and copyrights, physical location of stored data, changing of terms or assignments without consent, notification of subpoenas, who bears e-discovery costs, destruction and auto-delete procedures, compliance and audit rights, data portability, and security, business continuity and disaster recovery (including SLAs). You may want to read, “Security Guidance for Critical Areas of Focus in Cloud Computing” authored by the Cloud Security Alliance (CSA).
At the end of the day, e-discovery in the cloud is still based on the same fundamentals legal personnel know well. While there are tremendous benefits to cloud computing, you will want to ensure that you are adequately prepared with an effective business and legal process that achieves your objectives.
Steven d’Alencon, chief marketing officer of CaseCentral, also contributed to this article.