5 tips for navigating the e-discovery challenges of cloud data storage

Avoiding the legal and security risks of cloud storage

Many organizations are considering moving their data storage to the cloud. However, confusion about the cloud persists, along with uncertainty about the nature of legal risks associated with cloud data storage and its impact on a defensible e-discovery process.  

The allure of the cloud is great, with lower computing costs and instant scalability. But often the decision to move data to the cloud is based primarily on technical and business requirements, without adequate consideration of potential legal issues. Recently, my colleague Patrick Burke teamed with Scott Carlson, a partner at Seyfarth Shaw LLP, to discuss some of these issues.

Cloud computing adoption is growing rapidly, with the market expected to grow from $37.8 billion in 2010 to $121.1 billion in 2015. Cloud computing is being adopted by organizations ranging from small businesses up to the largest in the Fortune rankings.

From a digital investigation and an information security standpoint, the cloud can be both a friend and foe. With massive concentrations of resources and data stored in the cloud, it can become a “honey pot” for potential attackers—on par with the information assets of very large companies.

Because these servers can be shared, and may have automatic deletion functionality, demonstrating that you’ve preserved the data in a volatile environment is a challenge. Collection technology must be able to scan cloud servers and report on responsive data so that you can demonstrate to the court that a reasonable search was conducted.

As for authentication, you must consider whether cloud storage affects metadata. In setting up a contract with a provider, ask for a contractual commitment to support your investigation needs, as well as information on data collection technology that the cloud vendor may have already used in such activities.   

2. Understand shared responsibility. As part of your contract, make sure you define who owns various parts of the cloud for security and e-discovery (the cloud provider, your company, customers, etc.) and define a clear demarcation between systems and the parties responsible for them. Also, verify your capabilities to extract electronically stored information (ESI) from the cloud in a targeted and legally defensible manner, and confirm what the service-level agreements (SLAs) are for collecting data.

3. Expect attacks. Cloud-based data storage is subject to internal and external attacks, just as on-premises data storage is. Ask about your provider’s security measures. Look for providers that use a layered security approach, including authentication, encryption, firewalls, intrusion detection/prevention, cyber forensics and other security measures. No single barrier alone will magically secure you. The more layers, the harder it will be for an attacker to infiltrate and abscond with confidential or proprietary business information.

Daniel Lim

Daniel Lim is Vice President and Deputy General Counsel of Guidance Software. He consults with corporate and government clients on e-discovery, privacy, and digital investigations....
