Law.com Subscribers SAVE 30%

Call 855-808-4530 or email [email protected] to receive your discount on a new subscription.

LJN NewslettersNewsSections

In-House Legal Departments and the Use of Cloud Computing

By Greg Freemyer and Hope Haslam
November 25, 2009

Cloud computing, the process of storing and processing data on remote, outsourced third-party-owned servers, is growing in popularity, largely because it provides users with access to state-of-the-art and constantly updated software and fast infrastructure ' without the overwhelming costs. As technology advances at exponential speeds, companies must find ways to remain competitive. Buying the latest and greatest, only to find it obsolete before it is paid for, is a progressively unsustainable option.

For international companies, however, there are tremendous legal hurdles to accomplishing an effective conversion. Two of the most troubling are:

  1. U.S. preservation requirements; and
  2. International privacy laws.

As companies begin to set up, or more likely expand, a cloud computing system, they must understand the legal issues that need to be addressed in order to avoid subjecting the company to sanctions, fines, penalties and enormous e-discovery costs when litigation arises.

Preservation

Preservation is the e-discovery response to the “litigation hold” designed by the company's attorneys. This is a legal requirement that arises at the moment a “threat” of lawsuit exists. It is rare that the preservation needs of litigation are built into software applications. Most companies also fail to proactively address how they will handle preservation until the need arises. This is acceptable in your typical data center environment where the technology team has a wide variety of tools it can bring to bear as well almost total control of the data.

Advancements in cloud systems will eventually eliminate the need for local hard drives. Standard computer interfaces may ultimately be through much cheaper “dumb” and highly mobile units with everything stored, processed and accessed from the cloud system. Because they do not have to store hardware, software or data, devices will be smaller, simpler and easier to use in global trade.

In the cloud, the company has far less control of its data. It is therefore critical that the issue be considered as part of the overall solution selection process. In general, preservation in cloud-based solutions means capturing data stored in the cloud at a particular point in time and putting it on an accessible hard drive for later processing for relevant evidence in a litigation matter.

When data is stored in the cloud, i.e., not held in the possession of the company, preserving it for litigation purposes can be extremely problematic, if not impossible. As this inevitable technology advances at very rapid rates, the issues will become exponentially more problematic.

For example, executives of companies embroiled in a piece of litigation often have cloud-based e-mail accounts such as Yahoo!, Gmail, Mail.com or a host of other carriers. In theory, the individuals with access to the accounts can “agree” to not delete any files as the litigation hold strategy. For some applications and some court situations this may be acceptable, but eventually the data has to be retrieved from the cloud if it is going to be searched or produced as evidence.

There is no generic way to preserve these e-mails. A unique system can be created for each vendor, but even those are often thwarted by internal systems and protections within the vendor software. As to the big players, such as Yahoo!, AOL and Gmail, relatively standard protocols have been designed that work reasonably well at preserving this data. As each new system is encountered, such as Mail.com, a unique plan has to be designed.

Mail.com, for example, poses significant problems. Like other such services, Mail.com is owned by a company located in Hong Kong. One method that has been attempted has been to forward all e-mails from a Mail.com account to a Gmail account for which well defined preservation techniques have been established. This large scale forwarding, however, can be perceived by the Mail.com system as a spamming attempt and it may block any further outgoing e-mails for the day. To counteract this, one may be able to preserve the account by breaking the effort up into small daily chunks.

Mail.com is just one example and only the tip of the iceberg. Each new vendor creates unique challenges to accessing and preserving the data it holds. Even when it does work, this is nearly always a manual process and it can take hours per account to preserve the data. The costs of preserving data in the cloud are greater than lawyers and litigants are used to encountering.

The problem is exacerbated as the data stored in the cloud spreads beyond e-mail. Contact Relationship Management (“CRM”) systems (e.g., salesforce.com and ContactEase) are often accessed through the Internet. All of the company's clients, prospects, activities, opportunities, proposals, pricing strategies and the like may be stored on a server located anywhere in the world, owned by a third party. The objective is to provide the entire global operation access to data critical to the development of business for the company.

Accounting and payroll systems, logistics, supply chain and many other systems are already located in the cloud somewhere. Backups of the entire system are routinely located out in the cloud. In fact, certain historical data from a particular time period may be located only in the cloud.

The movement toward e-commerce will increase, making cash, and even credit cards, increasingly uncommon. Only 3% of the world's money is in the form of cash today and that percentage is shrinking every year. Every transaction will soon be handled using handheld devices through the cloud.

Cloud Access

Amazon's S3 is a full-service cloud-based infrastructure accessible through the Internet. Google, Microsoft and all the major players are working on similar systems. They are essentially Oracle in the cloud. These are the huge, remote, random-access infrastructures upon which cloud systems involving all of the company's data and all of a company's software will be built. They are robust, powerful, flexible and accessible to a mobile business from anywhere in the world; systems on which all businesses will operate in the near future. Servers and data will be located throughout the world, no matter where originated, optimizing access and processing speeds. Data will be stored in bytes on a hard drive as it is now, but perhaps on many different interconnected servers in many different locations.

For many of these, protocols have not been developed for the clients to preserve their own data stored on servers located in the cloud. As to the more recent developments, the tools do not exist and there are no approved practices on how professionals should execute preservation from these systems. In fact, most of these services intentionally fail to provide the capability to retrieve client data in bulk as required for your typical relatively less expensive preservation effort. Efforts to subpoena such data are met with stiff resistance and even when finally honored, one can expect the process to take many months. There is a good business reason for this as cloud providers compete.

Allowing bulk retrieval would make it easy for clients to move to a competitor's solution. As systems are developed that intentionally disregard issues such as legally required preservation, companies and e-discovery vendors must proactively develop new ways to preserve the data. Ideally, companies should consider this when the solution is in the evaluation phase. If the potential cloud-based solution is incompatible with the needs of preservation and e-discovery, it should be rejected as a viable solution for the company.

If the cloud vendor or the server handling the data is located outside the U.S., the preservation process is even more difficult. Foreign entities may be completely immune from a U.S. court. They are not parties to the lawsuit and may have no traditional legal “nexus” to the U.S. permitting the court jurisdiction. This can be important when establishing business relationships. Does a company want to do business with a company whose business records are effectively subpoena proof?

A first reaction may be to claim “inaccessibility” or “undue burden” to try to avoid legal obligations as to this data. The problem is that these are ordinary current business records, not old fragile backup tapes stored off-site somewhere and which the company itself rarely, if ever, accesses. It is difficult for a judge to side with the company ordered to produce, for example, business e-mails generated by a relevant company executive that might be the “smoking gun” source of proof in a case because they are arguably “inaccessible” or too expensive to retrieve, even though that same executive has routine access to the information.

Privacy Laws

As mentioned, the fact that cloud companies are located all over the world creates significant preservation and access issues. Beyond these technical impediments are potentially greater legal hurdles that must be addressed. Every country in the world has its own privacy laws. These laws, among other things, protect the information owned by its citizens from intrusion. One of the biggest sources of intrusion tends to be litigation being pursued in the United States. U.S. discovery laws permit extensive invasion of individual information if it is stored on an infrastructure owned by the company involved in the lawsuit.

The privacy laws of many countries, however, prohibit the location of a citizen's data outside of the country without the citizen's express permission. If a company employs cloud computing strategies without regard for the specific privacy laws of each country in which it does business, it could find itself in violation of those laws.

Because it is stored in bytes throughout the system and is moved continually to maximize efficiency, data is really not located anywhere. As the world becomes more and more mobile, trade becomes global at the lowest levels, and technology reacts to that reality. How could any company assert that “protected” data is ever still completely within the borders of the relevant country?

For example, if data protected by French and EU privacy laws is stored in the cloud on servers located outside the EU in an unprotected area, the company could find itself required to produce that data for U.S. courts and face criminal penalties in France and the EU for violation of privacy laws. If data from a U.S. citizen clearly covered by the court's jurisdiction is stored on a cloud server located somewhere beyond the court's reach and it is deleted, lost or cannot be accessed after a litigation hold is established, the company could find itself facing severe sanctions in the U.S.

Litigation Technology Reacts

We have discussed why keeping data in the cloud can be a problem, but there are cloud-based solutions that can address preservation and e-discovery needs even for traditional computing environments. One example, Postini, a Google-owned company, developed a system that provides e-mail archiving services in the cloud to address some of the issues faced by litigation holds. A company running a traditional exchange server in its office can configure its system to have every e-mail flow first through Postini on the way to the server. Postini is used to address both document retention issues in general and litigation hold issues specifically.

As technology in one area advances in the cloud, introducing all sorts of legal issues, technology is developed in response to provide a solution to the litigation hold problems. This is not a complete solution by any stretch of the imagination, but other advancements will be developed. They may have to wait out the intense arguments of counsel and ultimately rulings by courts, but they will come.

Conclusion

Cloud computing is already here. Cloud computing on steroids is right around the corner. It is the necessary next advancement in technology as the globalization of business grows and the speed of innovation accelerates with it. Courts, attorneys, IT professionals and litigation support vendors will be charged with the task of wrestling with the legal implications of these new systems, just as they did when the telephone, the computer, the Internet, and other advancements drove business change.

Greg Freemyer is the Chief Technical Officer and co-founder of The Norcross Group, where he directs complex data collection and preservation operations for litigation support. Freemyer has testified as a technical ESI expert in many areas including Microsoft Exchange Server and the use of Index Engines. Hope Haslam is with trial and settlement sciences firm Courtroom Sciences, Inc. in Irving, TX. A member of this newsletter's Board of Editors, Haslam has written several CLE courses, exploring topics such as e-discovery issues in international litigation, export control laws, litigation readiness planning and analyzing specific sections of the amendments to the Federal Rules of Civil Procedure.

For Twitter and LinkedIn followers, subscribe to LJN's Legal Tech Newsletter at a special introductory rate. Click here: www.lawjournalnewsletters.com/subscribe/ltn309_landing.html. This offer is valid for new subscribers only.

Cloud computing, the process of storing and processing data on remote, outsourced third-party-owned servers, is growing in popularity, largely because it provides users with access to state-of-the-art and constantly updated software and fast infrastructure ' without the overwhelming costs. As technology advances at exponential speeds, companies must find ways to remain competitive. Buying the latest and greatest, only to find it obsolete before it is paid for, is a progressively unsustainable option.

For international companies, however, there are tremendous legal hurdles to accomplishing an effective conversion. Two of the most troubling are:

  1. U.S. preservation requirements; and
  2. International privacy laws.

As companies begin to set up, or more likely expand, a cloud computing system, they must understand the legal issues that need to be addressed in order to avoid subjecting the company to sanctions, fines, penalties and enormous e-discovery costs when litigation arises.

Preservation

Preservation is the e-discovery response to the “litigation hold” designed by the company's attorneys. This is a legal requirement that arises at the moment a “threat” of lawsuit exists. It is rare that the preservation needs of litigation are built into software applications. Most companies also fail to proactively address how they will handle preservation until the need arises. This is acceptable in your typical data center environment where the technology team has a wide variety of tools it can bring to bear as well almost total control of the data.

Advancements in cloud systems will eventually eliminate the need for local hard drives. Standard computer interfaces may ultimately be through much cheaper “dumb” and highly mobile units with everything stored, processed and accessed from the cloud system. Because they do not have to store hardware, software or data, devices will be smaller, simpler and easier to use in global trade.

In the cloud, the company has far less control of its data. It is therefore critical that the issue be considered as part of the overall solution selection process. In general, preservation in cloud-based solutions means capturing data stored in the cloud at a particular point in time and putting it on an accessible hard drive for later processing for relevant evidence in a litigation matter.

When data is stored in the cloud, i.e., not held in the possession of the company, preserving it for litigation purposes can be extremely problematic, if not impossible. As this inevitable technology advances at very rapid rates, the issues will become exponentially more problematic.

For example, executives of companies embroiled in a piece of litigation often have cloud-based e-mail accounts such as Yahoo!, Gmail, Mail.com or a host of other carriers. In theory, the individuals with access to the accounts can “agree” to not delete any files as the litigation hold strategy. For some applications and some court situations this may be acceptable, but eventually the data has to be retrieved from the cloud if it is going to be searched or produced as evidence.

There is no generic way to preserve these e-mails. A unique system can be created for each vendor, but even those are often thwarted by internal systems and protections within the vendor software. As to the big players, such as Yahoo!, AOL and Gmail, relatively standard protocols have been designed that work reasonably well at preserving this data. As each new system is encountered, such as Mail.com, a unique plan has to be designed.

Mail.com, for example, poses significant problems. Like other such services, Mail.com is owned by a company located in Hong Kong. One method that has been attempted has been to forward all e-mails from a Mail.com account to a Gmail account for which well defined preservation techniques have been established. This large scale forwarding, however, can be perceived by the Mail.com system as a spamming attempt and it may block any further outgoing e-mails for the day. To counteract this, one may be able to preserve the account by breaking the effort up into small daily chunks.

Mail.com is just one example and only the tip of the iceberg. Each new vendor creates unique challenges to accessing and preserving the data it holds. Even when it does work, this is nearly always a manual process and it can take hours per account to preserve the data. The costs of preserving data in the cloud are greater than lawyers and litigants are used to encountering.

The problem is exacerbated as the data stored in the cloud spreads beyond e-mail. Contact Relationship Management (“CRM”) systems (e.g., salesforce.com and ContactEase) are often accessed through the Internet. All of the company's clients, prospects, activities, opportunities, proposals, pricing strategies and the like may be stored on a server located anywhere in the world, owned by a third party. The objective is to provide the entire global operation access to data critical to the development of business for the company.

Accounting and payroll systems, logistics, supply chain and many other systems are already located in the cloud somewhere. Backups of the entire system are routinely located out in the cloud. In fact, certain historical data from a particular time period may be located only in the cloud.

The movement toward e-commerce will increase, making cash, and even credit cards, increasingly uncommon. Only 3% of the world's money is in the form of cash today and that percentage is shrinking every year. Every transaction will soon be handled using handheld devices through the cloud.

Cloud Access

Amazon's S3 is a full-service cloud-based infrastructure accessible through the Internet. Google, Microsoft and all the major players are working on similar systems. They are essentially Oracle in the cloud. These are the huge, remote, random-access infrastructures upon which cloud systems involving all of the company's data and all of a company's software will be built. They are robust, powerful, flexible and accessible to a mobile business from anywhere in the world; systems on which all businesses will operate in the near future. Servers and data will be located throughout the world, no matter where originated, optimizing access and processing speeds. Data will be stored in bytes on a hard drive as it is now, but perhaps on many different interconnected servers in many different locations.

For many of these, protocols have not been developed for the clients to preserve their own data stored on servers located in the cloud. As to the more recent developments, the tools do not exist and there are no approved practices on how professionals should execute preservation from these systems. In fact, most of these services intentionally fail to provide the capability to retrieve client data in bulk as required for your typical relatively less expensive preservation effort. Efforts to subpoena such data are met with stiff resistance and even when finally honored, one can expect the process to take many months. There is a good business reason for this as cloud providers compete.

Allowing bulk retrieval would make it easy for clients to move to a competitor's solution. As systems are developed that intentionally disregard issues such as legally required preservation, companies and e-discovery vendors must proactively develop new ways to preserve the data. Ideally, companies should consider this when the solution is in the evaluation phase. If the potential cloud-based solution is incompatible with the needs of preservation and e-discovery, it should be rejected as a viable solution for the company.

If the cloud vendor or the server handling the data is located outside the U.S., the preservation process is even more difficult. Foreign entities may be completely immune from a U.S. court. They are not parties to the lawsuit and may have no traditional legal “nexus” to the U.S. permitting the court jurisdiction. This can be important when establishing business relationships. Does a company want to do business with a company whose business records are effectively subpoena proof?

A first reaction may be to claim “inaccessibility” or “undue burden” to try to avoid legal obligations as to this data. The problem is that these are ordinary current business records, not old fragile backup tapes stored off-site somewhere and which the company itself rarely, if ever, accesses. It is difficult for a judge to side with the company ordered to produce, for example, business e-mails generated by a relevant company executive that might be the “smoking gun” source of proof in a case because they are arguably “inaccessible” or too expensive to retrieve, even though that same executive has routine access to the information.

Privacy Laws

As mentioned, the fact that cloud companies are located all over the world creates significant preservation and access issues. Beyond these technical impediments are potentially greater legal hurdles that must be addressed. Every country in the world has its own privacy laws. These laws, among other things, protect the information owned by its citizens from intrusion. One of the biggest sources of intrusion tends to be litigation being pursued in the United States. U.S. discovery laws permit extensive invasion of individual information if it is stored on an infrastructure owned by the company involved in the lawsuit.

The privacy laws of many countries, however, prohibit the location of a citizen's data outside of the country without the citizen's express permission. If a company employs cloud computing strategies without regard for the specific privacy laws of each country in which it does business, it could find itself in violation of those laws.

Because it is stored in bytes throughout the system and is moved continually to maximize efficiency, data is really not located anywhere. As the world becomes more and more mobile, trade becomes global at the lowest levels, and technology reacts to that reality. How could any company assert that “protected” data is ever still completely within the borders of the relevant country?

For example, if data protected by French and EU privacy laws is stored in the cloud on servers located outside the EU in an unprotected area, the company could find itself required to produce that data for U.S. courts and face criminal penalties in France and the EU for violation of privacy laws. If data from a U.S. citizen clearly covered by the court's jurisdiction is stored on a cloud server located somewhere beyond the court's reach and it is deleted, lost or cannot be accessed after a litigation hold is established, the company could find itself facing severe sanctions in the U.S.

Litigation Technology Reacts

We have discussed why keeping data in the cloud can be a problem, but there are cloud-based solutions that can address preservation and e-discovery needs even for traditional computing environments. One example, Postini, a Google-owned company, developed a system that provides e-mail archiving services in the cloud to address some of the issues faced by litigation holds. A company running a traditional exchange server in its office can configure its system to have every e-mail flow first through Postini on the way to the server. Postini is used to address both document retention issues in general and litigation hold issues specifically.

As technology in one area advances in the cloud, introducing all sorts of legal issues, technology is developed in response to provide a solution to the litigation hold problems. This is not a complete solution by any stretch of the imagination, but other advancements will be developed. They may have to wait out the intense arguments of counsel and ultimately rulings by courts, but they will come.

Conclusion

Cloud computing is already here. Cloud computing on steroids is right around the corner. It is the necessary next advancement in technology as the globalization of business grows and the speed of innovation accelerates with it. Courts, attorneys, IT professionals and litigation support vendors will be charged with the task of wrestling with the legal implications of these new systems, just as they did when the telephone, the computer, the Internet, and other advancements drove business change.

Greg Freemyer is the Chief Technical Officer and co-founder of The Norcross Group, where he directs complex data collection and preservation operations for litigation support. Freemyer has testified as a technical ESI expert in many areas including Microsoft Exchange Server and the use of Index Engines. Hope Haslam is with trial and settlement sciences firm Courtroom Sciences, Inc. in Irving, TX. A member of this newsletter's Board of Editors, Haslam has written several CLE courses, exploring topics such as e-discovery issues in international litigation, export control laws, litigation readiness planning and analyzing specific sections of the amendments to the Federal Rules of Civil Procedure.

For Twitter and LinkedIn followers, subscribe to LJN's Legal Tech Newsletter at a special introductory rate. Click here: www.lawjournalnewsletters.com/subscribe/ltn309_landing.html. This offer is valid for new subscribers only.

Read These Next
Major Differences In UK, U.S. Copyright Laws Image

This article highlights how copyright law in the United Kingdom differs from U.S. copyright law, and points out differences that may be crucial to entertainment and media businesses familiar with U.S law that are interested in operating in the United Kingdom or under UK law. The article also briefly addresses contrasts in UK and U.S. trademark law.

The Article 8 Opt In Image

The Article 8 opt-in election adds an additional layer of complexity to the already labyrinthine rules governing perfection of security interests under the UCC. A lender that is unaware of the nuances created by the opt in (may find its security interest vulnerable to being primed by another party that has taken steps to perfect in a superior manner under the circumstances.

Strategy vs. Tactics: Two Sides of a Difficult Coin Image

With each successive large-scale cyber attack, it is slowly becoming clear that ransomware attacks are targeting the critical infrastructure of the most powerful country on the planet. Understanding the strategy, and tactics of our opponents, as well as the strategy and the tactics we implement as a response are vital to victory.

Legal Possession: What Does It Mean? Image

Possession of real property is a matter of physical fact. Having the right or legal entitlement to possession is not "possession," possession is "the fact of having or holding property in one's power." That power means having physical dominion and control over the property.

The Stranger to the Deed Rule Image

In 1987, a unanimous Court of Appeals reaffirmed the vitality of the "stranger to the deed" rule, which holds that if a grantor executes a deed to a grantee purporting to create an easement in a third party, the easement is invalid. Daniello v. Wagner, decided by the Second Department on November 29th, makes it clear that not all grantors (or their lawyers) have received the Court of Appeals' message, suggesting that the rule needs re-examination.