As a lawyer, the thing that concerns me about the use of cloud-based computing services is that it often involves the transfer of electronic data from internal IT infrastructure to systems managed by third-party vendors.
This change in custody, and potentially control, can create compliance issues. While not intended to be exhaustive, the following five questions are a good start to the analysis, from a legal perspective, that should occur during the planning of a cloud-based project.
1. How do cloud services affect e-discovery obligations?
Litigation discovery obligations extend to documents in a litigant’s custody or control. Accordingly, a consumer of cloud computing services may need to preserve, search and collect data placed onto the cloud if that data remains under the consumer’s control.
But how do you know whether such data remains under the consumer’s control? Courts have noted in similar situations that the service agreement is the starting point for determining whether data in the custody of a third party is under the control of its originator. For that reason, the service agreement is of singular importance when determining the suitability of a given cloud service.
In the most common uses of cloud services, the consumer retains control over its data, and therefore the scope of electronic discovery obligations is unaffected. Nonetheless, the use of cloud-based services can affect the consumer’s ability to meet its discovery obligations in a cost-effective and accurate manner.
For example, the consumer will not have the same knowledge of the workings of the cloud service as it would typically have of its own networks, potentially resulting in slower and more costly discovery, with a higher risk of errors. As another example, a lack of direct access to the cloud hardware coupled with the transitory nature of most cloud services may make preserving and collecting forensic information challenging.
If an organization is already in litigation, or if litigation is foreseeable, care should be taken not to reduce the level of control over litigation-relevant ESI (electronically stored information). Even in the absence of specific litigation on the horizon, a cloud service consumer should determine preservation, search and collection strategies during the process of selecting the cloud service provider. If necessary, the vendor’s cooperation in these discovery tasks can be contractually obligated in the service agreement along with an identification of related costs.
Finally, any organization that has taken steps to reduce its discovery burdens — by instituting a document retention program, for example — should make sure that the cloud service is capable of supporting those efforts. If information that is no longer supposed to exist is still available on the cloud service, the organization’s cost reduction programs would be undermined.
2. Will it be easier for a litigant to discover our data on the cloud?
When an organization uses a cloud computing service, it is potentially creating an additional source of access to its data. A litigation opponent could, in certain cases, seek the discovery of the organization’s data (or information relating to that data, such as log files) directly from the cloud provider.
In most cases, such a request may be objectionable as more properly served upon the consumer of the cloud services. However, a direct discovery request or subpoena to the cloud vendor might be the only way to discover certain information that cannot be obtained through the consumer. For example, certain metadata relating to a consumer’s documents may be under the control of the vendor, and not the consumer, under the terms of the service agreement.
The consumer can contractually obligate the vendor to notify it should the vendor receive a request or subpoena for the consumer’s data. It might also be a good idea to obligate the vendor either to directly resist the request for the data, to give the consumer an opportunity to resist the request, or at least to protect any data that is turned over with appropriate confidentiality restrictions.
3. How do we preserve the value of information placed onto the cloud?
The value of some data placed onto the cloud can be diminished if proper technological and contractual controls are lacking, resulting in the data being impermissibly exposed to a third party. Examples of such data are trade secrets and privileged communications.
The rights to any data given to the cloud vendor must be limited. Some minimum level of access is likely necessary so the vendor can operate the cloud service, but beyond that, risks increase. Services that allow the vendor access to a consumer’s data for the vendor’s own purposes, such as targeted advertisements, may not be appropriate for applications involving sensitive data.
The same technological controls used on internal networks should also be used in the cloud, including encryption and access control. But remember, security is more complicated in the cloud than it is with internal networks, which generally only have to defend against outsiders to the network. A cloud service must secure data from outsiders of the service as well as other users of the service and the service provider itself.
4. Will the contemplated use of a cloud service violate any privacy laws?
A threshold question before placing data onto a cloud service is whether the service complies with any processing, retention or transfer restrictions, such as those imposed by the European Data Protection Directive, which may be applicable to the to-be-transferred data.
What’s more, the operation of the cloud service could unintentionally entangle data not already subject to processing restrictions if the data flows through countries adopting such rules. The vendor should be prepared to identify where data on its service will reside, and contractual restrictions can be contemplated that would prevent the service from moving data in any undesirable manner.
5. What steps can further manage risk after selecting a service?
Entering into a cloud project is a good reason to start a litigation readiness program if your organization does not already have one in place. Data placed on the cloud should be included in an ESI inventory, such as a data map, both to prevent the overlooking of the repository in the heat of litigation and to provide processes that can help ensure a more effective and economical collection effort.
For example, in addition to identifying the existence of the cloud repository and its contents, the data map should also contain the specifics of how to collect and preserve data located on that service. If you have followed my advice and already figured this out before selecting a service, this step should be easy. The data map should also contain a copy of the service agreement, which, as discussed above, is central to determining litigation-related obligations.
Should something unexpectedly go wrong during discovery, a consumer can use the data map as evidence of the reasonableness of its efforts, possibly preventing the most severe discovery sanctions.
There are many different types of cloud-based services, ranging from lower-cost offerings that generally provide less control to the consumer as to how and where data is stored and processed, to premium services that provide the consumer with a lot of control. The best way to manage an organization’s risk is to select a cloud service that is appropriate for its intended applications in light of identified compliance risks, with the caveat that certain information does not belong in the cloud at all.
Nolan M. Goldberg is a senior associate in the patent group of New York-based Proskauer Rose LLP and a member of the Litigation Department’s e-Discovery Task Force.