We all use the cloud; it is also known as the Internet. However, many of us would rather avoid the preservation and discovery headaches caused by electronically stored information (ESI) in the cloud. E-discovery is hard enough on the ground. A recent opinion from a federal district court in Ohio, Brown, et al. v. Tellermate Holdings Ltd., et al, illustrates how these cloud-based e-discovery headaches can arise, and how they can be avoided.
Like so many hallowed e-discovery opinions (e.g., Zubulake), the Brown opinion on cloud e-discovery arose in the context of an employment discrimination claim, in this case alleged age discrimination. Another feature of this case that has been a recurring theme in e-discovery is the tension between counsel’s representations about discovery and the client’s statements to counsel leading to those representations before the court. The Brown opinion casts an unequivocal vote in favor of transparency in e-discovery.
The court identified numerous serious problems with defendants’ conduct of e-discovery, but the most important of these in the eyes of the court was that they “… failed to uncover even the most basic information about an electronically stored database of information (the [cloud] database).” The cloud service in question is a Web application that facilitates tracking of sales activity. Tellermate licensed the application and encouraged its salespeople to use it, which plaintiffs did when they were Tellermate employees.
Given that the plaintiffs alleged age discrimination, and the defendants alleged that termination was based on performance, the plaintiffs requested the cloud-based ESI to show their performance in relation to other employees. Defendants claimed that they could not produce the data. The court cited statements by the defendants that they did “not maintain [the cloud] information in hard copy format …,” could not “print out accurate historical records from [the cloud] …,” and their assertions that discovery of such ESI should be directed to the cloud service provider. The court found that the first and third statements were not legitimate reasons for non-production, and the second was simply false. Unfortunately for defendants, the court went on to describe in detail numerous representations about the reasons for the non-production of the cloud data that the court found to be untrue. These statements included purported contractual restrictions as well as technical issues.
In finding “beyond a shadow of a doubt” that the ESI maintained by the cloud service provider “belonged” to Tellermate, the court analogized to other well-known cloud-based email applications:
… just because, for example, emails in a [cloud service provider] account might be kept on a server owned or maintained by the email provider, it does not mean that the information in those emails belongs to the provider—just the opposite.
Analysis of Tellermate’s agreement with the cloud service provider, which Tellermate contended prohibited it from providing the requested data, revealed that the ESI unequivocally “belonged” to Tellermate.
As if non-production was not bad enough, there was evidence demonstrating potential spoliation through alteration of the cloud ESI. Under Tellermate’s procedures for administering its accounts with the cloud service provider, multiple users continued to have access to the relevant data after it should have been preserved. Defense counsel told the court that their client told them that the plaintiffs’ accounts had been transferred to other employees, but “… there is no evidence that counsel asked who the new users were, made any attempt to speak to them about accessing or retrieving the information in the Browns’ accounts, or told anyone about the need not to alter that information …”
The court ordered Tellermate to produce the requested cloud ESI. Despite having previously argued that this ESI could not be produced, defense counsel found out that it was wrong. The parties arranged for the production to be made by providing user credentials to the plaintiffs’ attorney and computer forensics expert so that they could search the cloud service for the relevant ESI.
To compound matters, Tellermate did not make backup copies of the cloud ESI. Unfortunately, whatever backups had been made by the cloud service were by this time long gone. No one had inquired about the backup policies followed by the cloud service provider. When the question was finally asked, the provider replied that it kept backups for between 3 and 6 months, which meant that it was too late to obtain relevant information from existing backups.
In light of the findings described above, as well as other facts about the conduct of discovery unrelated to the cloud ESI, the court found that Tellermate and its counsel had engaged in “deliberate obfuscation” in direct violation of their legal duties. The court was painfully clear that counsel shared in the responsibility for the “sanctionable conduct.” Accordingly, it issued an award of legal fees for all of the motions practice relating to cloud ESI discovery. More significantly, it precluded Tellermate from “using any evidence that would tend to show that the Browns were terminated for performance-related issues.” Given the claims in the case, this sounds like something close to a death knell for the defendant, although it would be premature for the Browns to celebrate.
What can we learn from Brown about cloud e-discovery? This is not a simple question to answer, given the multitude of factual findings of deliberate obstruction of discovery and failure to preserve supporting the court’s award of sanctions. It would be easy to simply write off this opinion as the product of an extreme level of demonstrably egregious behavior. However, a closer look reveals some basic principles.
With respect to “custody and control,” the court considered the terms of Tellermate’s agreement with cloud service provider and determined that, based on those terms, there was no plausible way for Tellermate to argue that it did not have a legal right to access the cloud ESI. This suggests that, while an agreement with a service provider may be relevant to the question of rightful access, counsel cannot assume that it will be able to hide behind such agreements or the mere fact that the ESI is held on a third party’s computers. Careful analysis of agreements with cloud service providers is required before claiming that only the service provider can provide the requested ESI.
Apart from whether there is a right to access ESI in the hands of a cloud service provider, there is the question of ability. There are at least three important aspects of the opinion regarding this point. First, counsel should ascertain, as soon as possible after a preservation duty has been triggered, how the cloud ESI is maintained. In particular, counsel should ask the right questions of both client and provider so that it can determine what data is available for what time periods — including the details of backup policies and practices.
Second, counsel should talk to the client about access to cloud service user accounts containing potentially relevant ESI. As in Brown, if such access by users, including administrators, is not terminated, questions may arise as to potential alteration of data. The fact that the ESI is maintained on a cloud service provider’s servers does not mean that it is safe from potential spoliation, and affirmative steps should be taken to ensure preservation.
Third, as with any other source of ESI, counsel should thoroughly question the client about every aspect of the use of the relevant cloud service by the client and its employees. For example, the Brown opinion discusses various options Tellermate had when a user of the cloud service left the company. These included retaining the account as is, transferring it to another employee, terminating the account, altering the user credentials, and so on. As with other e-discovery, counsel should take care not to simply pass a discovery request to a client and accept the reply without any further factual investigation of the cloud source of ESI.
The sanctions meted out by the Brown court were serious, but they could have been worse. For example, the court could have issued a default judgment against Tellermate. Instead, it fashioned a preclusion sanction that preserved Tellermate’s ability to make certain arguments in its summary judgment motion. The Brown decision is an important beacon on the still-dark road of cloud e-discovery.
The views expressed are those of the author and do not necessarily represent the views of Ernst & Young LLP.