While use of cloud computing continues to grow, the Federal Rules of Civil Procedure and most state civil rules have not caught up with this technology. Current rules do not provide any specific guidelines for preserving and producing electronically stored information (ESI) in a shared environment. And not surprisingly, there are few court rulings interpreting how the civil rules should operate in the cloud. This leaves in-house counsel and its outside counsel litigation team with little guidance when formulating a plan for managing company data stored in a cloud in the face of a large and complex piece of litigation.
If you find yourself in these shoes, here are some essential steps to take in order to fulfill your e-discovery obligations for preserving and producing data stored in a cloud.
1. Serve a litigation hold on your cloud vendor
It is safe to assume that moving ESI to a third-party provider’s cloud does not remove a company’s document retention requirements or obligations to review and produce ESI in response to discovery requests. Treat the ESI in the cloud the same way you would if it was stored on your company’s own hard drives. As a result, immediately serve your cloud provider with a litigation hold when notified of a claim or that litigation is anticipated. Your cloud computing service level agreement (SLA) will likely have procedures for litigation holds. If your provider has no protocol for this procedure, still proceed with the written hold and communicate with your cloud provider to ensure it is taking steps to preserve relevant ESI.
2. Formulate a plan for complying with discovery requests
Do not wait until the discovery requests are served to come up with a plan for responding to them. Given the unique features of cloud computing, it is critical to understand very early in a case the entire process you will need to take in order to respond to discovery requests. An early understanding of all the relevant information in a cloud is required by Rule 26 initial disclosures anyway. Immediately after serving the litigation hold, map out how you will identify, collect, and review relevant ESI. Some cloud providers will have this procedure spelled out in the SLA. If not, engage personnel from your IT department and relevant business units to help put together a plan with the cloud provider. There are a host of important issues to consider during this mapping process. Does the provider have a built-in e-discovery tool to conduct searches or will it be more efficient to export the data out of the cloud to be searched with another application? What is the format of the data stored in the cloud and can all of it be searched and produced, including metadata? What are the additional costs the cloud provider will charge for complying with e-discovery requests? And finally, how quickly can all of this be done? Once you have this process mapped out, this knowledge will empower you in making objections and negotiating stipulations with the other party on ESI technical issues and cost production sharing. Keep in mind that Rule 26 grants some protection against producing ESI that is not reasonably accessible because of undue burden and cost.
3. Secure the data and maintain the privilege
In the past few years, the American Bar Association and many state bars have issued ethics opinions that bless the use of a cloud in e-discovery provided that certain safeguards exist for protecting client data. This means you need to exercise due diligence and cannot blindly rely on the provider’s word. Because the data is being maintained by a third-party host, steps must be taken to make sure the data is not being accessed by non-essential third parties to the relationship and that reasonable precautions are made to maintain confidentiality. Understand who else is storing data in the cloud. Many cloud providers use the same processors and storage devices to service multiple clients. Learn how the system works and is designed so that there is no risk of commingling or unauthorized access to the data. Confirm that the provider’s written policies state that all company data will be kept confidential and secure.
4. Properly retain the data post-lawsuit
After the litigation is resolved, make sure the cloud provider is appropriately retaining the ESI. If the ESI must be retained for some reason (e.g., a subsequent insurance coverage case), put steps into place to ensure the provider is maintaining the ESI. Otherwise, important evidence could be destroyed due to a provider’s scheduled deletion of data. If there is no reason to retain the ESI from the case, instruct the provider to treat data in accordance with company’s standard document and data retention policies.
As the use of cloud computing becomes more prevalent due to the benefits of reducing infrastructure and power costs, the courts will provide more guidance for lawyers on how to operate in this new environment. In the meantime, taking an approach that treats ESI in cloud as if it were stored on your company’s hard drives is the safest way to proceed.