Remember the day when someone could mention a cloud and lawyers would wonder if he meant a cumulus or cirrus cloud? Today, the legal profession no longer needs meteorologists to teach us about clouds; we need information technology professionals. More businesses are using clouds for data storage. However, is the cloud the best option for attorneys and/or their clients?
Simply put, when referring to electronic data, the cloud is data storage maintained by a third party and accessed through an Internet connection. This data storage can include servers, networks, applications and support services. Common examples of cloud storage include Dropbox, iCloud and Amazon Cloud, plus those offered by Microsoft and Google.
There are many reasons individuals and businesses, including attorneys and their clients, use a cloud for their data needs. Cost savings can result, because the user does not have to pay for infrastructure or staff to maintain that infrastructure. Cloud providers allow for more scalability of data storage, and those providers that include software as part of cloud services typically have programming specialists to assist clients. Using the cloud also permits greater flexibility, because an individual can work from any location with an Internet connection.
If using the cloud can result in a higher level of service and flexibility while saving costs, is there any reason not to do so? Lawyers should consider two key issues before storing data in a cloud: confidentiality and discovery.
1. Confidentiality is key. Before using a cloud solution, an attorney must evaluate the cloud provider’s data ownership and privacy policies. There is usually more flexibility and control over data when using a paid/contracted solution as opposed to a “free” cloud solution. Here are three questions to ask.
First, what are the cloud provider’s policies for complying with a subpoena? For example, some privacy policies assure users that the cloud provider will keep data private. However, they also state they will comply with compulsory legal requests and don’t say they will notify the user of the receipt of such a request. Paid cloud services, which often include a service-level agreement (SLA), often provide a higher level of notification for third-party requests than unpaid cloud services.
Second, how sensitive is the data? Attorneys and their clients should be conservative about storing critical data in the cloud. Encrypting data first can help. Additionally, if an SLA covering data access and privacy is not in place, lawyers need to think carefully before placing highly confidential data in the cloud, such as information protected by the Health Insurance Portability and Accountability Act of 1996, Social Security numbers, credit card information and intellectual property.
Third, is insurance available? Most SLAs include indemnity provisions, but insurance coverage could become an issue in using a cloud. A Nov. 13, 2012, Law360 article, “Insurers Grow Tentative About Coverage For Cloud Users,” suggested that some insurers are looking more critically at companies that use third-party data services because large providers are more susceptible to hackers.
2. Discovery can become complicated. Texas Rule of Civil Procedure 196.4 requires parties to produce electronic or magnetic data that is responsive and “is reasonably available to the responding party in its ordinary course of business.” The Texas Supreme Court’s 2009 decision In Re Weekley Homes LP established guidelines for when a requesting party can obtain data that is not reasonably available.
The court, however, has not addressed what happens when a company decides to place data in a cloud for use in the ordinary course of business and later finds the data is not reasonably available to retrieve. Courts may hold that keeping data in a third-party cloud does not excuse a company from needing to preserve, and potentially produce, that data. When considering whether the cloud is appropriate, lawyers should think about control, preservation and protection of data.
Parties are required to preserve and produce data that is in their possession, custody and/or control. To satisfy this obligation, a lawyer should insist that SLAs with third-party cloud providers contain provisions for preservation of data subject to a legal hold and provisions for obtaining data from the cloud.
When using a cloud solution, not all data related to a document is stored by traditional means. Often, the only way to maintain a system-level creation date with cloud storage is to collect from the source location (where the document was originally created). When contracting with a cloud provider, lawyers should consider how that provider treats metadata — often a key piece of evidence in litigation. Also, attorneys should be aware that some cloud solutions de-duplicate content across users. So, if multiple people put the same document in the cloud, the provider removes all copies except one. As a result, the copy later collected could have originated from another user’s account, which could reflect inaccurately who wrote a key piece of evidence.
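The de-duplication problem described above can be modeled in a few lines. The following Python sketch is an added example, not part of the original article and not any provider's actual implementation: `DedupStore`, `custody_record`, the custodian names, paths and dates are all hypothetical and constructed. It shows a collection from a de-duplicating store pointing at the wrong account, and a manifest captured at the source location tying the same content hash back to its author and creation date.

```python
import hashlib
from datetime import datetime, timezone

class DedupStore:
    """Toy cloud store that keeps one blob per unique content hash (hypothetical)."""
    def __init__(self):
        self.blobs = {}   # sha256 -> (bytes, first uploader, upload time)
        self.refs = {}    # (user, name) -> sha256

    def upload(self, user, name, data, when):
        digest = hashlib.sha256(data).hexdigest()
        # Only the first copy is physically stored; later uploads become references.
        self.blobs.setdefault(digest, (data, user, when))
        self.refs[(user, name)] = digest
        return digest

    def collect(self, user, name):
        """Return what a collection from the provider would see for this user's file."""
        digest = self.refs[(user, name)]
        _, stored_by, stored_at = self.blobs[digest]
        return {"sha256": digest, "stored_by": stored_by, "stored_at": stored_at}

def custody_record(custodian, source_path, data, created, modified):
    """Manifest entry captured at the source location, before upload."""
    return {
        "custodian": custodian,
        "source_path": source_path,
        "sha256": hashlib.sha256(data).hexdigest(),
        "created_utc": created.isoformat(),
        "modified_utc": modified.isoformat(),
    }

def demo():
    memo = b"Constructed sample memo text"  # constructed sample content
    t = lambda day, hour: datetime(2013, 1, day, hour, tzinfo=timezone.utc)
    # alice drafts the memo on day 2; bob, who received a copy, uploads first.
    manifest = [custody_record("alice", "C:/docs/memo.docx", memo, t(2, 9), t(2, 10))]
    store = DedupStore()
    store.upload("bob", "memo-copy.docx", memo, t(3, 8))
    store.upload("alice", "memo.docx", memo, t(4, 8))
    collected = store.collect("alice", "memo.docx")
    # Match the collected blob back to the source-side manifest by hash.
    match = next(m for m in manifest if m["sha256"] == collected["sha256"])
    return collected, match

if __name__ == "__main__":
    print(demo())
```

The provider-side record attributes the surviving copy to the first uploader, while the manifest keyed on the same SHA-256 preserves the original custodian and system-level timestamps.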
Performing a search for “data breach” or “data hackers” on any major Internet search engine will reveal how data held by third parties is at risk of disclosure to unwanted and/or unintended persons. As part of due diligence in determining whether to use a cloud provider, a lawyer should review the provider’s data security, data privacy and backup policies.
Cloud solutions are becoming viable business options for many lawyers and companies for a number of reasons, including greater flexibility and cost savings in accessing data. But attorneys must evaluate data security and access before placing data in the cloud. Negotiating an SLA with a cloud provider can allow for more options than relying on an unpaid cloud service. The next time you hear someone mention cloud computing, remember it is not cirrus, but it is serious.