Today, many companies are knowingly or unknowingly storing discoverable information assets in the cloud. While cloud storage provides numerous conveniences, it also leaves companies vulnerable to significant discovery-related court fines and incapable of making informed legal decisions quickly when faced with litigation.
A decade ago, companies experienced similar challenges when they began storing information in diverse repositories such as email systems and network file shares, as well as desktops, laptops, and other locations. When e-discovery emerged as a major issue in the early 2000s, companies found themselves unable to efficiently collect information from these distributed sources due to their failure to enact holistic e-discovery plans for each source of information.
A similar evolution is currently underway in the cloud. In eDiscovery Journal’s recent “The Cloud and e-discovery” survey, of respondents using cloud-based solutions, such as Salesforce.com, Twitter and LinkedIn, only 15.9percent indicated that an e-discovery plan was established before shifting data to the cloud. Just over 25 percent reported that an e-discovery plan was definitely established, and a whopping 57.6percent did not even know whether a plan was in place.
Creating a proactive e-discovery plan for cloud-based storage solutions is a crucial step that can allow companies to reap the benefits of the cloud while minimizing the risk of a discovery nightmare down the road. Such nightmares can cost millions of dollars – enough to put some small companies out of business and leave a major dent in the profits of large enterprises.
Litigation is a fact of life. Whether a large enterprise or a small business, every company is responsible for finding and producing its digital information in the event of a legal investigation or regulatory requests. Amendments to the Federal Rules of Civil Procedure (FRCP), brought into effect in 2006, place the burden of e-discovery accountability squarely on companies’ shoulders. The result has been higher e-discovery costs and tighter timeframes for producing potentially responsive information. For most companies, e-discovery is a reactive and expensive firefight.
One of the reasons that companies look to cloud-based storage solutions, such as hosted email archiving, is to minimize the reactive nature of e-discovery. However, without a strategic and clearly articulated plan, companies may be surprised to learn that access to information may be limited. In the early days of hosted email archiving, companies were often caught off guard by discovery searches that took weeks to return results because service levels had not been pre-negotiated with the vendor. By proactively managing information and defining what needs to happen in the event of e-discovery, companies can reduce downstream costs associated with processing and legal review.
Because it promises reduced costs and other conveniences, adoption of cloud-based storage solutions is on the rise. But as companies make the mass exodus to the cloud, too many organizations are turning a blind eye to how e-discovery will be executed against cloud-based information repositories. Leaving e-discovery on the back burner puts companies in dangerous waters, as case law (re NTL Inc. Sec. Litig., 244 F.R.D. 179 (S.D.N.Y. 2007)) says that if a company has “access to documents to conduct business, it has possession, custody or control of documents for the purposes of discovery.”
To reduce risk, organizations that wish to store data in the cloud should develop an e-discovery plan before making the move to a cloud-based solution. That plan should address how information in the cloud can be placed on legal hold, how it can be accessed by various constituents, and how review and analysis will be executed (e.g. value-add functions for early case assessment).
More specifically, companies should request that cloud vendors provide documentation of systems, data and backup procedures to ensure information is protected and redundant. Before choosing a cloud vendor, companies should determine the physical location of information and the applicable legal/regulatory rules that apply to where information can be stored. It is also important to ascertain exactly how information is stored (e.g. dedicated storage versus shared storage.)
Companies should address information preservation and collection obligations, including costs, and define any vendor liability that could exist for failure to preserve and collect. They should also identify a vendor employee who is appointed to testify regarding preservation and collection issues; doing so goes a long way toward successfully managing the chain of custody of information.
Don’t forget about privacy and security issues. Companies should work with vendors to address encryption of data to manage privacy considerations and develop a process to address security breaches or unauthorized access to data. Make sure the vendor can execute any data destruction policies to the required specifications. Finally, be sure to identify specific software that will collect information if the vendor goes out of business.
The old saying goes that those who don’t learn from history are doomed to repeat it. Companies that want to avoid the e-discovery nightmares that plagued the last decade—along with all the time wasted and dollars spent corralling information from distributed and hard-to-access information sources – should take proactive steps to ensure the same fate does not await them in the cloud. Turning a blind eye to e-discovery hurdles in the cloud will not make them go away.
Legal teams continue to get smarter about conducting discovery; it is a good bet that lawyers are already honing strategies for targeting cloud-based sources of information in the hopes of catching their opponents off guard and unprepared. With some strategic preparation, your company can be in fighting shape to leap those cloud discovery hurdles before they appear.