Cloud Computing

It would be hard to find an IT department of a large business that was not undertaking a “cloud computing” project or at least considering the idea. Cloud computing is a phrase that encompasses many different types of Internet-based computing solutions, including online data repositories, outsourced IT infrastructure, and software as a service, to name a few. A defining characteristic of these technologies is that a service is provided by a third party, the use of which involves a consumer entrusting its data to that third party. Accordingly, this technological revolution means new e-discovery challenges are on the horizon for lawyers as clients move discoverable electronically stored information (“ESI”) from their own networks to networks controlled by someone else.

Introduction

Companies can use cloud services in a variety of different fashions, each presenting discovery issues that lawyers will face, some of which are addressed by present e-discovery law, and others that will be the concern of future cases. At its most basic level, cloud services such as Amazon's Simple Storage Service (“S3″) store a consumer's ESI on the cloud, rather than the consumer's own networks. Beyond mere information storage, the use of hardware and software can also be provided over the Internet as a service. For example, a cloud can provide a consumer with temporary access to an IT infrastructure when the consumer's need for computing power spikes, without the need to maintain or pay for that power when it is no longer needed. For example, The New York Times used Amazon.com's Elastic Compute Cloud (“EC2″) service to convert 11 million articles (every New York Times article from 1851-1980) to PDF format in under 24 hours. The EC2 service allocated sufficient computing power to The New York Times during the course of its project, and then subsequently reallocated those resources to other users after the project was complete. See Derek Gottfrid, Self-Service, Prorated Super Computing Fun, NY Times, Nov. 1, 2007, http://open.blogs.nytimes.com/2007/11/01/self-service-prorated-super-computing-fun (last visited March 26, 2009).

Cloud computing can also permanently replace parts of an organization's IT infrastructure, thereby reducing a company's need to hire its own IT support staff, and purchase, maintain and operate its own hardware. An organization can run its own applications on the cloud, or use applications provided by the service provider, such as with the Google Apps service.

This article explores the potential e-discovery impact of cloud computing, and concludes that while some of its e-discovery aspects fall within the scope of existing precedent, cloud computing raises several new discovery questions that are not fully addressed by existing law.

Cloud Computing Under Current e-Discovery
Precedent

The placement of an organization's ESI into the custody of another organization under a contractual arrangement (“the Service Agreement”) is a fundamental characteristic of cloud computing. Putting other characteristics of this model aside (some of which are discussed below) existing case law already provides some guidance as to the discovery responsibilities of a litigant, when a non-party possesses its potentially discoverable ESI.

A recent opinion, Flagg v. Detroit, 252 F.R.D. 346 (E.D. Mich. 2008), considered whether a plaintiff is entitled to discover a defendant's text messages stored by a non-party cellular service provider. Using the contractual relationship between the party and the service provider as the starting point for its analysis of discovery obligations, the Flagg court held that these text messages were under the defendant's control. Accordingly, the plaintiff could request these messages directly from the defendants, without the need to serve a third-party subpoena on the service provider. In summary, the court noted that the obligation to produce ESI cannot be avoided “through the simple expedient of storing it with a third party.”

Similarly, the analysis of a party's obligations to preserve or produce ESI on the cloud should start with an analysis of the Service Agreement. As noted in Flagg, an organization should not be permitted to shirk its discovery obligations merely by moving its data into the hands of a third party if it maintains the contractual ability to retrieve that data. Thus an organization should consider whether the Service Agreement provides sufficient mechanisms to comply with potential discovery obligations if there is a chance that the ESI on the cloud will be discoverable.

An additional point of note is that because a litigant can demand ESI located on the cloud directly from the service provider, cloud consumers should address the rights and responsibilities of each party with regard to meeting e-discovery obligations when negotiating the Service Agreement. Some of the issues that may be addressed include:

• Any steps the service provider should to take to preserve the consumer's rights in its ESI in the face of a subpoena or other requests for that information;
• Whether the service provider is obligated to provide the consumer with notice of such a request; and
• Who bears any costs incurred during required collection or preservation effort, or any other e-discovery related obligation provided for by the Service Agreement.

The consumer and service provider should also consider the advantages and disadvantages of available tools to preserve and collect information on the cloud if discovery ever became necessary.

The Future Impact of Cloud Computing on e-Discovery

Though dynamically allocated computing services are eminently useful from a technical point of view, the cloud computing environment poses unique technical twists that will likely create new e-discovery challenges. For instance, a potential lack of control over the physical locations of storage and processing can inadvertently create data protection/privacy concerns. If data placed on the cloud end up physically residing within countries that have adopted the European Union Data Protection Directive, or other similar laws, it may become unintentionally entangled in legal restrictions on the processing and retention of personal data, thus preventing a party from satisfying its e-discovery obligations.

Data already subject to such privacy obligations should only be placed on the cloud after ensuring compliance with any applicable processing restrictions. See http://privacylaw.proskauer.com/2008/11/articles/international/privacy-issues-when-computing-in-the-cloud/. Further, parties must anticipate the impact the conditions specified in the Service Agreement could have on any protections to which the information placed on the cloud is normally entitled, such as attorney-client privilege or trade secret status.

Finally, as mentioned above, dynamic allocation of cloud computing resources can result in loss of certain ESI, such as metadata, because by the time an e-discovery investigation commences, the resource that was previously allocated to a client may be subsequently allocated to another user and no longer available for examination. Prevention of such loss may be difficult as the imposition of a litigation hold on such a network could conceivably interfere with the service's normal operations.

There is inherent risk in relying on the expertise, manpower, and collection and preservation tools of a third party to achieve a task, where the consequences of failure may be significant, particularly when the third party is not under the same litigation-driven pressures. Cloud computing represents a departure from traditional IT models with an as yet unclear e-discovery impact. Understanding the issues raised by this emerging trend, even in the absence of all of the answers, allows us as lawyers to advise our clients how to best manage the risks inherent in these projects.

Nolan M. Goldberg is a senior associate in the patent group of New York-based Proskauer Rose LLP and a member of the Litigation Department's e-Discovery Task Force. Sharada Devarasetty is an associate in the firm's patent group.

It would be hard to find an IT department of a large business that was not undertaking a “cloud computing” project or at least considering the idea. Cloud computing is a phrase that encompasses many different types of Internet-based computing solutions, including online data repositories, outsourced IT infrastructure, and software as a service, to name a few. A defining characteristic of these technologies is that a service is provided by a third party, the use of which involves a consumer entrusting its data to that third party. Accordingly, this technological revolution means new e-discovery challenges are on the horizon for lawyers as clients move discoverable electronically stored information (“ESI”) from their own networks to networks controlled by someone else.

Introduction

Companies can use cloud services in a variety of different fashions, each presenting discovery issues that lawyers will face, some of which are addressed by present e-discovery law, and others that will be the concern of future cases. At its most basic level, cloud services such as Amazon's Simple Storage Service (“S3″) store a consumer's ESI on the cloud, rather than the consumer's own networks. Beyond mere information storage, the use of hardware and software can also be provided over the Internet as a service. For example, a cloud can provide a consumer with temporary access to an IT infrastructure when the consumer's need for computing power spikes, without the need to maintain or pay for that power when it is no longer needed. For example, The New York Times used Amazon.com's Elastic Compute Cloud (“EC2″) service to convert 11 million articles (every New York Times article from 1851-1980) to PDF format in under 24 hours. The EC2 service allocated sufficient computing power to The New York Times during the course of its project, and then subsequently reallocated those resources to other users after the project was complete. See Derek Gottfrid, Self-Service, Prorated Super Computing Fun, NY Times, Nov. 1, 2007, http://open.blogs.nytimes.com/2007/11/01/self-service-prorated-super-computing-fun (last visited March 26, 2009).

Cloud computing can also permanently replace parts of an organization's IT infrastructure, thereby reducing a company's need to hire its own IT support staff, and purchase, maintain and operate its own hardware. An organization can run its own applications on the cloud, or use applications provided by the service provider, such as with the Google Apps service.

This article explores the potential e-discovery impact of cloud computing, and concludes that while some of its e-discovery aspects fall within the scope of existing precedent, cloud computing raises several new discovery questions that are not fully addressed by existing law.

Cloud Computing Under Current e-Discovery
Precedent

The placement of an organization's ESI into the custody of another organization under a contractual arrangement (“the Service Agreement”) is a fundamental characteristic of cloud computing. Putting other characteristics of this model aside (some of which are discussed below) existing case law already provides some guidance as to the discovery responsibilities of a litigant, when a non-party possesses its potentially discoverable ESI.

A recent opinion, Flagg v. Detroit , 252 F.R.D. 346 (E.D. Mich. 2008), considered whether a plaintiff is entitled to discover a defendant's text messages stored by a non-party cellular service provider. Using the contractual relationship between the party and the service provider as the starting point for its analysis of discovery obligations, the Flagg court held that these text messages were under the defendant's control. Accordingly, the plaintiff could request these messages directly from the defendants, without the need to serve a third-party subpoena on the service provider. In summary, the court noted that the obligation to produce ESI cannot be avoided “through the simple expedient of storing it with a third party.”

Similarly, the analysis of a party's obligations to preserve or produce ESI on the cloud should start with an analysis of the Service Agreement. As noted in Flagg, an organization should not be permitted to shirk its discovery obligations merely by moving its data into the hands of a third party if it maintains the contractual ability to retrieve that data. Thus an organization should consider whether the Service Agreement provides sufficient mechanisms to comply with potential discovery obligations if there is a chance that the ESI on the cloud will be discoverable.

An additional point of note is that because a litigant can demand ESI located on the cloud directly from the service provider, cloud consumers should address the rights and responsibilities of each party with regard to meeting e-discovery obligations when negotiating the Service Agreement. Some of the issues that may be addressed include:

• Any steps the service provider should to take to preserve the consumer's rights in its ESI in the face of a subpoena or other requests for that information;
• Whether the service provider is obligated to provide the consumer with notice of such a request; and
• Who bears any costs incurred during required collection or preservation effort, or any other e-discovery related obligation provided for by the Service Agreement.

The consumer and service provider should also consider the advantages and disadvantages of available tools to preserve and collect information on the cloud if discovery ever became necessary.

The Future Impact of Cloud Computing on e-Discovery

Though dynamically allocated computing services are eminently useful from a technical point of view, the cloud computing environment poses unique technical twists that will likely create new e-discovery challenges. For instance, a potential lack of control over the physical locations of storage and processing can inadvertently create data protection/privacy concerns. If data placed on the cloud end up physically residing within countries that have adopted the European Union Data Protection Directive, or other similar laws, it may become unintentionally entangled in legal restrictions on the processing and retention of personal data, thus preventing a party from satisfying its e-discovery obligations.

Data already subject to such privacy obligations should only be placed on the cloud after ensuring compliance with any applicable processing restrictions. See http://privacylaw.proskauer.com/2008/11/articles/international/privacy-issues-when-computing-in-the-cloud/. Further, parties must anticipate the impact the conditions specified in the Service Agreement could have on any protections to which the information placed on the cloud is normally entitled, such as attorney-client privilege or trade secret status.

Finally, as mentioned above, dynamic allocation of cloud computing resources can result in loss of certain ESI, such as metadata, because by the time an e-discovery investigation commences, the resource that was previously allocated to a client may be subsequently allocated to another user and no longer available for examination. Prevention of such loss may be difficult as the imposition of a litigation hold on such a network could conceivably interfere with the service's normal operations.

There is inherent risk in relying on the expertise, manpower, and collection and preservation tools of a third party to achieve a task, where the consequences of failure may be significant, particularly when the third party is not under the same litigation-driven pressures. Cloud computing represents a departure from traditional IT models with an as yet unclear e-discovery impact. Understanding the issues raised by this emerging trend, even in the absence of all of the answers, allows us as lawyers to advise our clients how to best manage the risks inherent in these projects.

Nolan M. Goldberg is a senior associate in the patent group of New York-based Proskauer Rose LLP and a member of the Litigation Department's e-Discovery Task Force. Sharada Devarasetty is an associate in the firm's patent group.