Top 7 Legal Things to Know about Cloud, SaaS and eDiscovery

Editor’s Note: EMC markets solutions aimed at solving the problems presented by ediscovery and legal holds on electronic information. Our goal in publishing this article is to provide information you may find useful and thought-provoking. It is not intended as an endorsement of EMC products, services or technology.

Cloud computing, or computing as a utility, has captured the interest of IT departments and bottom-line focused executives everywhere. Proponents of the cloud compare it to the shift in electrical power generation at the turn of the century, when companies had to generate their own electric power to run factories. Power generation was not a core skill, so outages were common and facilities had to be over-built (and then re-built) to meet peak requirements.

Leveraging expertise and economies of scale, electric companies soon emerged and began delivering on-demand electricity at an unmatched cost point and service level. Similarly, cloud proponents argue, the cloud/SaaS model delivers IT services economically and on-demand.

Yet the cloud is not without its detractors. As interest in the cloud has turned into actual initiatives, real issues and problems have emerged to inject some real-world requirements and temper some of the initial enthusiasm. And one of the key parties involved in raising and addressing these issues is legal counsel.

A common reaction is often to ask why legal is getting involved in technology decisions. Put simply, moving data to the cloud is not simply a technology decision, and the stakes around legal and compliance issues are very high.

For example, during the litigation process, the parties to a case have a legal obligation to identify and produce relevant electronically stored information (ESI). This requirement generally applies regardless of whether the ESI is contained in the corporate datacenter, a rented cloud infrastructure and/or in a SaaS application. Because a cloud or SaaS model typically shifts much of the control away from the company, meeting these requirements is no longer solely within the company’s capability. An understanding of these requirements is thus critical to properly assess and reduce risk.

Let’s take a quick look at some of the key e-discovery and related requirements that must be addressed by early cloud adopters (note that we will focus here on public cloud and SaaS offerings):

1. Where is ESI actually located when it is in the ethereal cloud or SaaS application? Historically, a physical location contained all information, applications, data, computing and storage managed and controlled by a corporation. In stark contrast, cloud/SaaS services are dynamic, virtualized and disaggregated.

This raises an initial and critical question: Where is your data actually located? The answer: it depends. Part of the cloud/SaaS provider’s business is to deliver seamless data access to customers anytime, anywhere. To meet service level guarantees and maintain economies of scale (and hence, margin), information is often stored or replicated in multiple data centers in different locations for redundancy against hardware issues, bandwidth challenges, and disasters.

Today, corporate information in the cloud can reside in many datacenters across multiple states and provinces or in multiple countries. Because many countries have complex compliance and privacy requirements, frequently in conflict with those in the U.S., the cloud/SaaS model can make e-discovery matters significantly more complicated.

2. What are the legal implications of e-discovery in the cloud? At the outset of litigation, companies must put data on “litigation hold,” meaning that ESI relevant to a case must be preserved, and then possibly collected, regardless of its location or storage medium.

How does this requirement translate to a cloud environment? While few cases have yet addressed the issue, it seems likely that the obligation for securing and accessing data which has been voluntarily placed into a cloud infrastructure will remain with the corporation. So even though the reality may be that a cloud provider controls the actual access to the data, the corporation is probably still liable for timely preserving and collecting the data for litigation hold purposes.

3. What happens if a lawsuit is in the US but one company’s headquarters is in another country? Or what if the data is in a country where the privacy rules are different? The problem of applying another country’s privacy laws to a U.S. litigation matter is enormously complex. For example, in AccessData Corp. v. ALSTE Technologies GMBH, 2010 WL 318477 (D. Utah Jan. 21, 2010), ALSTE, a German company, maintained that German data privacy laws prevented it from collecting relevant company emails that were located in Germany. The U.S. court disagreed, holding that the German Data Protection Act did not bar disclosure of information that was relevant to the litigation, and so ALSTE was required to proceed with e-discovery.

Whether the German data privacy authorities agreed with the court’s conclusion (which is unlikely) became irrelevant within the case: a failure to produce the data after the court’s ruling would likely result in severe sanctions. The ALSTE case is instructive in that companies with data spread across different jurisdictions may well have to make difficult choices if that data is implicated in litigation, and the cloud model may make it difficult to control where that data resides.

4. What if there are technical issues with e-discovery in the cloud? Again, there is little official guidance yet on this issue, which only increases the uncertainty and risk. CIOs and corporate general counsels (GC) should be aware that conducting e-discovery on information contained in the cloud will have its challenges. Identification and collection of large volumes of data can have intensive bandwidth, CPU, and storage requirements — and that’s assuming that there are self-help tools in place to locate the data on your own. If not, companies will have to rely completely upon the cloud provider to do this work for them, often on an ad-hoc basis, and maybe using employees who do not understand the nuances of the process.

Companies looking to deploy cloud services should discuss and understand their needs for compliance and e-discovery related to that data. Then, wherever possible they should negotiate these requirements as part of their cloud/SaaS service provider agreement (which may include minimum service level agreements too, such as a fixed time for turnaround to meet litigation requirements). At minimum, they need to factor the complexity and risk of this process into their decision on moving to the cloud.

5. If the cloud/SaaS provider loses or inadvertently deletes our information, aren’t they responsible? There are two parts to the answer to this question. First, the responsibilities of the cloud/SaaS provider to the company will be specified in an agreement that the parties have negotiated. Currently, it’s uncommon for a cloud agreement to reference e-discovery type requirements, and it’s very hard to claim that the provider is responsible if there’s nothing agreed to between the parties to establish that obligation.

The second part of the answer involves whether (and whom) a court might hold responsible if relevant cloud ESI that should be on litigation hold is deleted or lost (a “spoliation” claim). While there are few cases touching on the answer, the legal analysis normally focuses on “possession, custody or control” over the data, which generally points back to the company for hosted services. In addition, the provider is not (normally) a party to the litigation, and the court will typically focus its efforts on the parties appearing in court.

6. If the cloud/SaaS provider loses or inadvertently deletes our information, what are the potential legal ramifications? If the court finds that the company is responsible — it did not produce information in its possession, custody or control — it can order a sanction against the company. These sanctions can range from mere money fines to the ultimate penalty: a terminating order that ends the case in the other party’s favor.

If the data was lost due to the cloud provider’s actions (or inactions), the company will probably want to argue that it is not at fault. Establishing this would likely require going far beyond merely showing who deleted the data. The company must show that it acted diligently in selecting its cloud provider, negotiating terms, putting controls in place and notifying the provider in a timely manner, and that despite all of those efforts the data was lost through no fault of its own. Even so, there is no case law guidance on whether this argument would be adequate. More likely, if the other party has been prejudiced by the loss of data, a sanction of some type will be imposed to level the playing field.

Further, if sanctions do result, the company probably will not have much right to recover any of its damages from the provider. Most agreements of this nature seek to minimize the potential for damages for loss of data or data access. For example, it’s common to limit damages to a future credit or to a cap based on monthly or annual fees paid under the contract.

7. How do I protect our corporation from fines and sanctions for ESI in the cloud? On average, Fortune 500 companies have 150 concurrent lawsuits at any given time. Most e-discovery requests (or requirements) will include ESI from email, email archives, collaborative tools, file shares and other repositories as standard practice. Preparing in advance for e-discovery is critical to a successful process, so consider these steps:

  • Understand what ESI is likely to be relevant to the cases that the company must defend against, and where that ESI is located, both data that is within the company’s direct control and ESI that is in the cloud/SaaS;

  • Create a cross-functional e-discovery team (Legal, IT, Records and Security are common team members) to construct plans for internal and external ESI identification and collection; and

  • In the best-case scenario, cover e-discovery and other compliance requirements with the cloud/SaaS provider when negotiating the initial agreement. If this was not done, or if you’re not big enough to have the leverage to negotiate these terms, take time before a litigation event occurs to sit down with your provider and discuss processes and the possibility of self-help tools to meet your requirements. If you wait until litigation begins, you’re probably too late.

The cloud clearly holds great promise. However, given stringent e-discovery and compliance requirements, CIOs must also factor those concerns into their cost-benefit calculus. To protect the corporate interest and enable a swift response to ESI legal requests, CIOs must include corporate counsel in the cloud/SaaS conversation and co-create a holistic plan for cloud/SaaS ESI discovery.

David Morris is senior product marketing manager responsible for the EMC SourceOne e-discovery – Kazeon product suite. He has spent eighteen years in high technology working in both startup and Fortune 500 companies with operational experience in corporate development, business development and marketing. David holds a degree in Physics from Auburn University and advanced degrees in business from Columbia University and University of California, Berkeley.

As director of e-discovery and compliance at EMC Corporation, James D. Shook, Esq. works with customers to help them solve challenges related to e-discovery, compliance and privacy. James is a long-time member of The Sedona Conference, a well-known legal think tank, and is an active contributor on several of its committees.