Cloud computing provides a challenge and an opportunity for e-discovery teams. As I mentioned in my last column, the challenge is collecting data from cloud-based servers and storage. The opportunity is using the scalability, computing power and secure accessibility of the cloud to facilitate the e-discovery process.
Increasingly, companies are taking advantage of cloud services for e-discovery. According to a Nov. 2011 survey from analysts at eDiscovery Journal, 35 percent of in-house legal teams surveyed were moving to a cloud or hybrid cloud/on-premise solution for e-discovery.
But moving in this direction requires a good understanding of what the cloud can and can’t do. The first step is to understand which e-discovery processes lend themselves to cloud solutions. This typically involves the processes on the “right side” of the Electronic Discovery Reference Model, which include processing, analysis, review, production and presentation. A key reason for this is that these processes usually involve multiple resources in multiple locations both inside and outside of a company and its network security.
A cloud-based application is the best way to provide a centralized legal repository with secure access to documents for the geographically dispersed parties that are typical in e-discovery proceedings. This approach delivers several benefits: Only one copy of confidential data is stored in the centralized legal repository, which also enables e-discovery managers to centrally oversee e-discovery processes. In addition, outside counsel and other geographically distributed participants are easily able to access the centrally stored case documents and workflow, instead of petitioning the IT department to give outside parties direct access to the corporate network through the firewall.
With that foundation as a start, here are five other considerations for choosing the right cloud-based e-discovery application:
1. Does the cloud give legal as much control as an on-premise app?
There has been a lot of misinformation equating “bringing e-discovery in-house” with the purchase, installation and ongoing management of on-premise software for various e-discovery tasks. The true nature of bringing e-discovery in-house is that corporate legal teams retain oversight and control of e-discovery decision-making and have the technology tools to facilitate that decision-making.
Cloud-based e-discovery applications meet the in-house test without a host of other IT-related decisions and purchases (including the hardware, systems, data centers and human capital necessary to deliver the application). This often results in less risk, greater efficiency and lower, more predictable costs than purchasing, installing and maintaining on-premise software.
2. Choose a private cloud network over a public cloud network
The difference between public and private clouds is very important for those performing e-discovery. A public cloud uses shared hardware, software and applications that are available to a wide range of service providers and consumers. The recent news about Megaupload and its founder Kim Dotcom is an example—when the police closed that public cloud site, some 50 million people lost access to their data. Other, more legitimate examples include Amazon EC2, AWS and Google Apps.
Public clouds do not have the same security and access control requirements or the level of legal and regulatory scrutiny that must be in place for defensible e-discovery. A private cloud, whether deployed by a company behind the firewall (aka an “internal cloud”) or deployed by a provider, has specific advantages over public clouds when it comes to e-discovery. With a public cloud it is not always possible to know where the files are stored (including what country, state or server) or if it is possible to control document retention and destruction. With private clouds, subscribers understand where their data resides, so their information aligns with proper jurisdiction, security and applicable document retention policies.
3. Ask for disaster recovery and business continuity technology
System crashes or natural disasters can impact not only cloud computing providers, but also any corporate enterprise or law firm. To provide maximum benefit, ensure that a cloud e-discovery provider offers enterprise-class disaster recovery, with an SAS-70 Type II certified and replicated data center in the event a service gap or power outage occurs. Providers also should offer business continuity planning protocols to ensure that core business processes are preserved and service to clients is maintained, avoiding a “ghost ship” scenario in which systems may be up, but core business processes fail.
Each service provider should clearly outline its service level agreements, including recovery point objectives and recovery time objectives. These policies define the maximum outages contractually allowed and ensure that users are in control of their data stored in the cloud.
4. Ask for security and compliance certifications
The notion of security for cloud-based e-discovery apps is manifold and must include data security, physical security and network security. Massachusetts provides a good example of this balanced security with 201.CMR.17, a data protection law that requires third-party service providers that are capable of properly safeguarding personal information to do so[SBM1] . The third-party service provider provision in 201 CMR 17.00 is modeled after the third-party vendor provision in the Federal Trade Commission’s Safeguards Rule. 201.CMR.17 requires each and every service provider to have and provide a written information security program and to encrypt data in transit. Other states are writing, planning to adopt or have already adopted similar legislation.
The ideal solution is a private cloud-based e-discovery software application that stores only a single copy of a document, despite the fact that it may be used in multiple cases with different workflows and designations in each. With such an application, the data can be centrally managed, controlled and secured regardless of the number of firms or users who need access. And the corporation can audit security once, thereby ensuring compliance and privacy requirements, as opposed to auditing any number of outside counsel and vendors that receive the data.
5. Multi-matter, multi-party and business intelligence capabilities are important
While the notion of multi-party and multi-matter support may seem extraneous to that of cloud-based e-discovery, it is not. With a single-case tool, when multiple cases are created, each requires a separate database and separate copy of data. Duplicate effort occurs across all phases of e-discovery with such applications. Data is collected multiple times, stored multiple times and reviewed multiple times. This duplication increases costs and also impacts information security, data retention and destruction.
The ideal scenario is to use a cloud-based provider with a centralized legal repository that supports multi-matter, multi-party e-discovery. Such providers eliminate duplicate data collections, de-duplicate across cases and provide single-instance storage so each file exists only once, regardless of the number of matters in which it is included. This design also allows fewer inside resources to manage more service providers with better control. Standards such as chain of custody and production authorization are universally applied. And work product, searches and templates from one case can be reused in another, if needed.
In summary, leveraging cloud-based e-discovery tools, especially for review and production, can boost the security and accessibility of data. When integrated with on-premise tools for collection, processing, analysis and early case assessment, this hybrid combination appears to deliver a best-of-breed solution that could be called “e-discovery done right.”