Electronic Discovery in the Cloud

As organizations strive to minimize costs and maximize efficiency and scalability of computing resources, IT and legal departments across the globe are turning to cloud technology (a.k.a., cloud computing) for help. Although the idea itself is not new, the use of pooled technology outside an organization's own infrastructure is gaining momentum with expanded service offerings from companies like Google, Amazon and Microsoft. The recent surge in popularity is pushing industry groups to consider how to accurately define cloud computing and provide guidance as to how it can be properly managed ' especially in relation to regulatory compliance and electronic discovery requests.

According to the National Institute of Standards and Technology (“NIST”), cloud computing “is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” See, Peter Mell and Tim Grance, The NIST Definition of Cloud Computing, Version 15, 10-7-09, http://csrc.nist.gov/groups/SNS/cloud-computing (October 2009). From an IT perspective, cloud computing offers users seemingly unlimited resources for data storage, application development and data processing. From the legal and compliance perspective, cloud computing raises concerns and questions about the security, preservation and control of data stored in the cloud.

Transparency and communication regarding these topics are essential to the effective management of electronic discovery within the cloud. Including specifics about these topics in service level agreements (“SLAs”) with the cloud provider can mitigate the risk associated with impending discovery requests or litigation that companies in the cloud may face.

Data Security and Control

Perhaps the most significant concern when migrating data into a cloud environment is data security and control. In the initial phases of identifying the most effective use of the cloud for any given business, the IT and legal teams need to work with their business units to agree on the appropriate sources of data for the cloud.

By moving data into the cloud, a business surrenders certain controls over the physical infrastructure and network security of the data that may have otherwise been available if the data was maintained within the walls of the organization's operations. The ability to enforce the exact network structure, form of data encryption, or transmission of data is no longer at the fingertips of the company whose data is hosted online. Each potential user of the cloud must weigh the benefits of increased flexibility, speed and processing power against the loss of total control over all aspects of the data storage.

In a public cloud environment, companies may also be wary of sharing physical resources with adversaries or competitors. The security model designed on the physical server space may also be questioned if, and when, preservation of data residing in this architecture is required for legal, investigative or regulatory purposes. Additional complications arise when the legal team must identify the data that should be preserved and whether the need to preserve data includes media that hold multiple parties' data. The ability to retrieve and preserve data subject to litigation holds must be carefully evaluated as companies move data into the cloud. An approach to preserve and collect such data should be properly documented prior to migrating data.

Agreements with cloud providers should address:

• How data (and metadata) is stored, preserved and accessed;
• What protocols are in place for physical, network and system security, and how often are the protocols tested and reported; and
• What protocols are in place for a company that may need to forensically collect or extract data from the cloud and whether the efforts to do so are reasonable.

Before a company's sensitive information is moved into the cloud, the appropriate security measures should be researched and included in the contract between the company and cloud provider. Once clarity is reached on key topics such as ownership, access rights, security notifications and data encryption, the cloud provider and client can effectively employ security features within the cloud as well as at data access points and within company firewalls.

Data Retention Policies

Cloud users and providers must also collaborate on the appropriate data retention and destruction policies. In recent years, compliance departments across the U.S. have worked tirelessly to ensure that records retention and destruction plans accommodate regulatory requirements without hindering the ability for their businesses to operate effectively. Compliance departments must also be included in discussions regarding how data can be managed in a cloud to ensure that the efforts expended in retaining, retrieving and destroying data are not ignored once data moves to a cloud.

A company's ability to enforce a data retention or destruction policy is only as strong as the details laid out in SLAs with the cloud provider. Preservation practices should be monitored by the company's IT department with regular communication and testing surrounding how and when backups are created, where the backups are stored, who has access to them, and what disaster recovery operations are standard.

As the cloud computing market matures, we should expect to see standardization in how data is retained by service providers, which will ultimately lead to more efficient and economical practices related to data storage. IT departments will no longer be tasked with haphazardly collecting and storing backup tapes containing data that is no longer relevant and does not fit into the scope of any regulatory requirements.

Agreements with cloud providers should detail the following data retention practices:

• Frequency of data backups (and who has access to them);
• Storage of data backups for disaster recovery;
• Protocols for responding to litigation holds; and
• Procedures for notifying clients and end users if and when data retention policies are breached.

The goal of outlining retention policies and hold procedures prior to engaging in an agreement with a cloud provider is to ensure that the client's data is not at risk of data spoliation or inadvertent destruction, and that the provider is in a position to respond to requests for preservation without undue burden.

Data Privacy

There are currently very few regulations that require service providers to supply their clients with details surrounding the location of data storage or the frequency and likelihood of when data may be transferred to multiple facilities. Prior to entering into the cloud environment, companies should assess the risks associated with the physical location and transfer of data across multiple U.S. jurisdictions and, especially, internationally.

For example, the European Union's Directive on Data Protection prohibits the transfer of personal data to non-EU nations that are not considered “adequate,” according to the European standard for privacy protection. See, www.export.gov/safeharbor.

One approach to ensure that data may transfer lawfully between the EU and U.S. is for U.S. service providers to certify to the U.S. Department of Commerce that they will handle data from the EU with the same level of care required by the EU authorities (otherwise referred to as the “Safe Harbor Provision”).

Within the United States, various regulations (both at the federal and state level) require strict governance over the manner in which personal information, financial and health records are stored, accessed and used. Prior to moving data into a cloud environment, companies are required to analyze whether the content is governed by any regulations that require specific storage, privacy and disclosure. To the extent that data stored in a cloud may be governed by these regulations, coordination among corporate IT, compliance and the cloud provider is needed to ensure that specific measures are taken to guarantee that cloud-based data storage will comply with any applicable directives.

Case law examples defining the party at fault for unlawful transfers of data within the cloud are not immediately available, but we should expect to see precedents over the coming months as the use of the cloud architecture is adopted across more industries.

Prior to entering into agreements with cloud providers, companies should assess whether:

• The cloud provider has the ability to transfer data across international borders (or limit the transfer of data across international borders); and
• The applicable data is covered by privacy rules. For instance, whether the organization is in control of the data covered by the Safe Harbor Provision.

Addressing privacy concerns ahead of time during the SLA drafting phase will help to alleviate any complications in the future regarding data privacy.

Conclusion

Cloud computing is a powerful way to operate many core business functions; and its appeal is expected to continue to grow. The fear of the unknown that was prevalent only a few years ago is now replaced by optimism as technology firms are working to understand and provide solutions to their clients' legal obligations. The open nature of cloud computing as a cost effective and efficient method of leveraging technology should quickly replace the apprehension previously held by CIOs and legal departments.

Managing discovery and litigation within the cloud can, and will be, successful as new regulations evolve and as IT and legal professionals are able to collaborate on:

• Identifying the appropriate business processes that can benefit from the cloud; and
• Proactively setting out best practices for the information management, identification, preservation and collection of data for use in all facets of electronic discovery.

While this article is not intended to cover every issue that may arise, we should anticipate additional guidance from the legal community in the future. Because this industry is at a unique point in its maturity, technology leaders have the ability to set precedents on effective ways to manage data and eliminate risk in the cloud as the market for data storage takes on a more capitalistic methodology. As the competition grows for the fastest transmission speeds, greatest flexibility and most robust security features, the burden of infrastructure and maintenance on IT professionals will lessen and the confidence of legal departments in the cloud environment will improve exponentially.

As organizations strive to minimize costs and maximize efficiency and scalability of computing resources, IT and legal departments across the globe are turning to cloud technology (a.k.a., cloud computing) for help. Although the idea itself is not new, the use of pooled technology outside an organization's own infrastructure is gaining momentum with expanded service offerings from companies like Google, Amazon and Microsoft. The recent surge in popularity is pushing industry groups to consider how to accurately define cloud computing and provide guidance as to how it can be properly managed ' especially in relation to regulatory compliance and electronic discovery requests.

According to the National Institute of Standards and Technology (“NIST”), cloud computing “is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” See, Peter Mell and Tim Grance, The NIST Definition of Cloud Computing, Version 15, 10-7-09, http://csrc.nist.gov/groups/SNS/cloud-computing (October 2009). From an IT perspective, cloud computing offers users seemingly unlimited resources for data storage, application development and data processing. From the legal and compliance perspective, cloud computing raises concerns and questions about the security, preservation and control of data stored in the cloud.

Transparency and communication regarding these topics are essential to the effective management of electronic discovery within the cloud. Including specifics about these topics in service level agreements (“SLAs”) with the cloud provider can mitigate the risk associated with impending discovery requests or litigation that companies in the cloud may face.

Data Security and Control

Perhaps the most significant concern when migrating data into a cloud environment is data security and control. In the initial phases of identifying the most effective use of the cloud for any given business, the IT and legal teams need to work with their business units to agree on the appropriate sources of data for the cloud.

By moving data into the cloud, a business surrenders certain controls over the physical infrastructure and network security of the data that may have otherwise been available if the data was maintained within the walls of the organization's operations. The ability to enforce the exact network structure, form of data encryption, or transmission of data is no longer at the fingertips of the company whose data is hosted online. Each potential user of the cloud must weigh the benefits of increased flexibility, speed and processing power against the loss of total control over all aspects of the data storage.

In a public cloud environment, companies may also be wary of sharing physical resources with adversaries or competitors. The security model designed on the physical server space may also be questioned if, and when, preservation of data residing in this architecture is required for legal, investigative or regulatory purposes. Additional complications arise when the legal team must identify the data that should be preserved and whether the need to preserve data includes media that hold multiple parties' data. The ability to retrieve and preserve data subject to litigation holds must be carefully evaluated as companies move data into the cloud. An approach to preserve and collect such data should be properly documented prior to migrating data.

Agreements with cloud providers should address:

• How data (and metadata) is stored, preserved and accessed;
• What protocols are in place for physical, network and system security, and how often are the protocols tested and reported; and
• What protocols are in place for a company that may need to forensically collect or extract data from the cloud and whether the efforts to do so are reasonable.

Before a company's sensitive information is moved into the cloud, the appropriate security measures should be researched and included in the contract between the company and cloud provider. Once clarity is reached on key topics such as ownership, access rights, security notifications and data encryption, the cloud provider and client can effectively employ security features within the cloud as well as at data access points and within company firewalls.

Data Retention Policies

Cloud users and providers must also collaborate on the appropriate data retention and destruction policies. In recent years, compliance departments across the U.S. have worked tirelessly to ensure that records retention and destruction plans accommodate regulatory requirements without hindering the ability for their businesses to operate effectively. Compliance departments must also be included in discussions regarding how data can be managed in a cloud to ensure that the efforts expended in retaining, retrieving and destroying data are not ignored once data moves to a cloud.

A company's ability to enforce a data retention or destruction policy is only as strong as the details laid out in SLAs with the cloud provider. Preservation practices should be monitored by the company's IT department with regular communication and testing surrounding how and when backups are created, where the backups are stored, who has access to them, and what disaster recovery operations are standard.

As the cloud computing market matures, we should expect to see standardization in how data is retained by service providers, which will ultimately lead to more efficient and economical practices related to data storage. IT departments will no longer be tasked with haphazardly collecting and storing backup tapes containing data that is no longer relevant and does not fit into the scope of any regulatory requirements.

Agreements with cloud providers should detail the following data retention practices:

• Frequency of data backups (and who has access to them);
• Storage of data backups for disaster recovery;
• Protocols for responding to litigation holds; and
• Procedures for notifying clients and end users if and when data retention policies are breached.

The goal of outlining retention policies and hold procedures prior to engaging in an agreement with a cloud provider is to ensure that the client's data is not at risk of data spoliation or inadvertent destruction, and that the provider is in a position to respond to requests for preservation without undue burden.

Data Privacy

There are currently very few regulations that require service providers to supply their clients with details surrounding the location of data storage or the frequency and likelihood of when data may be transferred to multiple facilities. Prior to entering into the cloud environment, companies should assess the risks associated with the physical location and transfer of data across multiple U.S. jurisdictions and, especially, internationally.

For example, the European Union's Directive on Data Protection prohibits the transfer of personal data to non-EU nations that are not considered “adequate,” according to the European standard for privacy protection. See, www.export.gov/safeharbor.

One approach to ensure that data may transfer lawfully between the EU and U.S. is for U.S. service providers to certify to the U.S. Department of Commerce that they will handle data from the EU with the same level of care required by the EU authorities (otherwise referred to as the “Safe Harbor Provision”).

Within the United States, various regulations (both at the federal and state level) require strict governance over the manner in which personal information, financial and health records are stored, accessed and used. Prior to moving data into a cloud environment, companies are required to analyze whether the content is governed by any regulations that require specific storage, privacy and disclosure. To the extent that data stored in a cloud may be governed by these regulations, coordination among corporate IT, compliance and the cloud provider is needed to ensure that specific measures are taken to guarantee that cloud-based data storage will comply with any applicable directives.

Case law examples defining the party at fault for unlawful transfers of data within the cloud are not immediately available, but we should expect to see precedents over the coming months as the use of the cloud architecture is adopted across more industries.

Prior to entering into agreements with cloud providers, companies should assess whether:

• The cloud provider has the ability to transfer data across international borders (or limit the transfer of data across international borders); and
• The applicable data is covered by privacy rules. For instance, whether the organization is in control of the data covered by the Safe Harbor Provision.

Addressing privacy concerns ahead of time during the SLA drafting phase will help to alleviate any complications in the future regarding data privacy.

Conclusion

Cloud computing is a powerful way to operate many core business functions; and its appeal is expected to continue to grow. The fear of the unknown that was prevalent only a few years ago is now replaced by optimism as technology firms are working to understand and provide solutions to their clients' legal obligations. The open nature of cloud computing as a cost effective and efficient method of leveraging technology should quickly replace the apprehension previously held by CIOs and legal departments.

Managing discovery and litigation within the cloud can, and will be, successful as new regulations evolve and as IT and legal professionals are able to collaborate on:

• Identifying the appropriate business processes that can benefit from the cloud; and
• Proactively setting out best practices for the information management, identification, preservation and collection of data for use in all facets of electronic discovery.

While this article is not intended to cover every issue that may arise, we should anticipate additional guidance from the legal community in the future. Because this industry is at a unique point in its maturity, technology leaders have the ability to set precedents on effective ways to manage data and eliminate risk in the cloud as the market for data storage takes on a more capitalistic methodology. As the competition grows for the fastest transmission speeds, greatest flexibility and most robust security features, the burden of infrastructure and maintenance on IT professionals will lessen and the confidence of legal departments in the cloud environment will improve exponentially.