The possibility of storing data in the cloud signals a fundamental change in the way businesses manage and store their electronic information. What has not changed, however, is a company’s responsibility with respect to document retention and electronic discovery in litigation.
In-house counsel should keep discovery obligations in mind when developing a comprehensive information management plan that incorporates cloud services. Here are four key issues to consider.
• Location. The location of a company’s data is a key concern. Cloud providers often store data on networks located overseas, or they contract with third parties that do so. Data stored in a foreign jurisdiction may be subject to foreign privacy laws that restrict a company’s ability to move information outside the jurisdiction. Moving the information also will be much more costly than if it were located in the United States. These restrictions and added costs can be troublesome during discovery, when time is of the essence.
Even if a cloud provider hosts a company’s data domestically, complications may arise if the company chooses to store only a portion of its data in the cloud. For example, a company may choose to store only email or only a particular business unit’s data in the cloud. This approach initially may seem reasonable or cost effective, but it can quickly become inefficient and costly during discovery.
That’s because a company with data stored in two locations must, in essence, engage in dual-track discovery — collecting, culling, reviewing and producing data from two different sources — all the while doubling the efforts and resources required of company personnel, outside counsel and e-discovery providers.
• Data security and control. There are several key considerations in-house counsel should address before litigation or discovery. Cloud providers’ business interests do not always align with those of their clients.
For example, providers often favor standard service-level agreements (SLAs) with little customization. As a result, these agreements may not account for a company’s particular security and confidentiality needs, and they may limit a company’s control over how its data is managed.
To protect company data, in-house counsel should ensure that her company’s data is segregated from other companies’ data and should require the cloud provider to employ mechanisms to avoid commingling. The cloud provider should regularly back up the data and employ industry-standard security safeguards to prevent unauthorized third-party access to data.
In-house counsel likely will have to negotiate a customization of the SLA to ensure that the company — not the cloud provider — controls the retention, preservation, and disposal of the data. The normal business and legal considerations that underlie a company’s document-retention policy apply to data stored in the cloud, just like they do to data stored on local networks. Cloud providers are not always eager to accommodate these policies.
Finally, in-house counsel should ensure that the cloud provider does not hamper the company’s ability to archive, index and organize data in a manner that makes sense for e-discovery. The company also should have the power to identify metadata that it wants the cloud provider to preserve. If a cloud provider’s services and capabilities preclude defensible e-discovery efforts, any cost savings and ease-of-use associated with cloud storage will vanish.
• Litigation response. When litigation arises, a company must have a response plan in place with its cloud provider, and the provider must be able to mobilize quickly. For example, the SLA should provide for immediate deployment of a document hold and suspension of normal retention policies. A company may be subject to spoliation or obstruction-of-justice allegations if its cloud provider destroys relevant data after a duty to preserve the data arises.
A company also should allocate responsibility in the SLA for access, identification, collection, review and production of data. Many cloud providers provide e-discovery services. However, because e-discovery support is not their primary service, their tools and resources may be limited. In-house counsel should consider whether it’s best to have company personnel, outside legal counsel or an e-discovery vendor manage the company’s e-discovery efforts and then customize the SLA to outline these parties’ involvement.
Finally, the SLA should include provisions regarding data disposal after litigation, in a manner consistent with the company’s data-retention policy. Retaining data that is no longer needed for legal or business purposes increases a company’s exposure to data breach and increases the likelihood that the data will be the subject of discovery requests in future litigation.
• Subpoenas. As cloud-storage use becomes more common, opposing counsel and government agencies increasingly are requesting a company’s data directly from its cloud provider. At a minimum, the SLA should require the provider to notify the company immediately upon receipt of a subpoena, incorporate protections for privileged or highly sensitive information, and preserve the company’s right to help manage the production of data in response to the subpoena.
Cloud storage creates many possibilities and can provide cost savings and mobility to a company. However, it is not a plug-and-play proposition, and the business objectives of cloud providers are not always aligned with the business and legal considerations behind a company’s normal data management policies. In-house counsel would be wise to remember this reality and employ cloud services only after careful consideration and planning.