I won't waste precious words citing the legion of statistics and analysts' reports showing how rapidly IT departments are moving data to the "cloud." And, far be it from me to try and throw myself in front of the cloud computing train that is barreling ahead at breakneck speeds. What I will point out is that the prevalent "ready, fire, aim" strategy is bound to get companies in trouble from a compliance and electronic discovery perspective.
Instead of making enemies of your IT comrades by simply erecting roadblocks in the path to cloud nirvana, let's discuss how you can arm yourselves with some ammo to avoid downstream calamities, while utilizing a "measure twice, cut once" approach. This extra measure of caution applied before electronically stored information (ESI) is migrated to the cloud is well deserved since the legal and regulatory playing field isn't as fully developed as is the IT solutions landscape.
The goal of this piece won't be to delve into cloud characteristics (i.e., on-demand, self-service, broad network access, resource pooling, rapid elasticity, etc.) or delivery models (i.e., software as a service, development as a service, platform as a service or infrastructure as a service). We will, however, discuss the various deployment models (private, public, hybrid, etc.), with a particular focus on public clouds, since private cloud deployments tend to look very similar to on-premise IT environments. As a first step in trying to mitigate attendant cloud risks, hone in on the cloud environment that's germane to your enterprise and use the following as a guide to avoid obvious risks.
Control is the Name of the Game
As a starting place, there is very little case law that defines electronic discovery or compliance obligations for cloud data. For good or for ill, courts do not currently make material distinctions between data that resides behind an enterprise firewall and that which may be in a shared (public or private) cloud. Nevertheless, the basic starting point is generally the analysis of discovery rules, particularly Rule 34 of the Federal Rules of Civil Procedure (FRCP), which provides that a party may serve on any other party a request to produce data in the responding party's "possession, custody, or control."
And, while there aren't any on-point decisions yet regarding cloud nuances, it's pretty clear from analogous circumstances that the "custody" or "possession" of data won't be a determining factor if the entity has the legal rights to "control" the information. The closest analogy under existing case law is seen in other circumstances where a third party holds data that the responding entity needs to preserve and produce. For example, in Tomlinson v. El Paso Corp., the court found that the defendants could not delegate their obligations to preserve and maintain data where a third party vendor had possession of their electronic information.
Similarly, in the very recent decision of Rosenthal Collins Group, LLC v. Trading Techs. Int'l the court addressed whether a responding party could legally distance itself from the actions of a third party consultant who had control of relevant data and altered it, despite being notified of his preservation duty. The Rosenthal court cited Cyntegra, Inc. v. Idexx Labs., Inc., when issuing terminating sanctions, noting that "courts have extended the affirmative duty to preserve evidence to instances when that evidence is not directly within the party's custody or control so long as the party has access to, or indirect control over, such evidence."
The challenge then posed by ESI in a cloud environment is that there's a control continuum, which starts with actual control on one end and continues to the far end of the spectrum where there's just the perception of the ability to control information. We will get into Service Level Agreements (SLAs) in a moment, but a danger zone exists pretty clearly where there's a gap between the actual control a party may have over their cloud provider (and the hosted ESI stored therein) and what a court may consider as a reasonable level of control that the party should have (i.e., does the producing party have the right, authority, or practical ability to obtain the documents from a non-party?).
SLAs Can Make or Break the Cloud Decision
This highly nuanced and fact-specific discussion then may hinge on the SLAs that are in place to govern the cloud provider's obligations once discovery ensues. Given the host of potential issues, it's likely that a party with legal (but not physical) control over their data is at the mercy of the underlying contractual rights. In some instances, the cloud provider may simply proffer a one-sided, adhesion contract. While this will certainly be the case in a standard consumer context (e.g., Google Docs), most enterprises should wield enough power to meaningfully negotiate the terms and conditions applicable to their cloud hosted ESI. To that end, there are a number of things to consider when negotiating a service level agreement for the provision of cloud services:
- Physical Location of Data. From an individual user's perspective, the on-demand nature of the cloud often renders the physical location of the actual data meaningless. But, given the complications of moving data across international borders, it's wise to specify where data will physically reside, particularly avoiding countries with more restrictive data privacy regimes. Here, it would be useful to either create an inclusive list (defining countries where data could be physically located) or an exclusive list (defining countries where data would definitively not be physically located). If there are premiums associated with certain jurisdictions, it would be wise to consult local counsel to understand the nuances of data migration (out of a specific country) to evaluate the risk/reward value proposition.
- Access Rights. There are a number of scenarios where the preservation , identification, search and extraction of ESI may be required from a cloud environment. In order to understand the cost implications of these tasks, turnaround times and available functionality, it will be helpful to prepare for these potential issues well ahead of time, ideally locking in service level commitments during the contractual process. Failure to do so proactively may mean that a party won't be able to comply with judicial deadlines, which could result in fines and sanctions.
- Ownership. While it seems self evident that the user of cloud services should axiomatically "own" their stored data, it's wise to call out any anticipated issues surrounding downstream rights. For example, what happens to the stored data if the customer doesn't pay its bills? What happens if the cloud provider goes bankrupt? There's certainly a scenario here where a cloud provider might have to auction off its assets (e.g., client data), which could both keep the stored ESI in limbo and conceivably threaten the release of proprietary and confidential information.
- Notification. Given that the cloud hosting provider can be subpoenaed directly (by a litigant or governmental agency), companies need to know what type of notification their providers will give regarding third party requests for ESI. It is prudent to define whether the movement, migration or co-mingling of data requires advanced notice or permission. The safest course would be to have the cloud provider give substantial notice before complying with a third party request so that the data owner could file an action to either prevent the disclosure generally or dictate terms for the provision of ESI.
- Security. It may seem like a no-brainer, but the encryption and general security of stored data needs to be clearly outlined in the applicable service level agreement. The export of data out of the cloud would surely be a scenario where encryption should be considered mandatory. Sensitive proprietary data may warrant additional protections beyond encryption, where it may be valuable to have role based access rights.
In sum, the cloud's numerous economic benefits need to be tempered by the range of often unanticipated compliance and electronic discovery issues. A wise enterprise will delve into issues surrounding the preservation, collection, processing and review of ESI before simply jettisoning their data off into the cloud. No organization wants to be a test case for emerging case law, so additional proactive steps here are increasingly prudent.