In challenging economic times, anything that can save companies significant money is a hot topic, like cloud computing, which promises to reduce the costs of storing information and implementing applications. But companies that store information in the cloud without regard for how it will be secured and accessed may be setting themselves up for nightmares down the road. Any company utilizing cloud-based solutions should create granular e-discovery and security requirements before moving any information to the cloud.
The cloud, as a term, is used as if there is a common understanding of what it means. The National Institute of Standards and Technology defines cloud computing as “a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.” These characteristics add up to huge potential benefits for customers. Resource pooling across multiple clients brings economies of scale, which lead to lower costs. Elasticity lets customers scale up without having to add internal IT resources.
However, just because cloud is a hot topic and seems to gaining traction, does not necessarily mean that it has achieved mainstream usage in corporations. While the cloud has gained mindshare, official usage is evolving slowly. This gives companies the opportunity to get ahead of the curve on how to conduct e-discovery on these new sources and types of information.
eDJ’s “eDiscovery and The Cloud Survey,” conducted throughout November and December of 2011, found that only 26.2 percent of respondents have adopted cloud-based storage of enterprise information, while another 18 percent did not know. More than half of the respondents have not yet adopted cloud-based, proactive information storage. (See Figure 1, below.)
This does not mean that cloud-based storage for information will not become widespread; it simply means that companies have to prioritize e-discovery efforts around the information sources currently in use. If an enterprise is moving to the cloud, e-discovery should be part of the strategic plan. In the meantime, initiatives must be focused on where the information lives right now.
In addition, while the use of Software-as-a-Service for applications like CRM (e.g., Salesforce.com) and bookkeeping (e.g., Quicken) feels pervasive, half of the respondents indicate that they are not using SaaS tools for these kinds of applications. Just over 25 percent of respondents indicated that they are using SaaS applications for enterprise processes. As such, these sources of information must be part of the e-discovery plan. (See Figure 2, below.)
Usage of the cloud will continue to grow. In fact, President Obama has called for the U.S. Government to investigate a move to managing digital records on the cloud. According to an article by Elizabeth Montalbano from November 2011, President Obama’s order calls on government agencies to “improve the management of existing and ongoing records -- including emails and social-media communications. Their plans should include the use of cloud-based services or storage systems for digital recordkeeping.” When government agencies begin adopting technologies and practices, it is common for corporate America to follow along or at least get over some of the concerns about those solutions; in the case of the cloud and social media, the primary concerns are security, privacy and control of the information.
In addition to cloud usage becoming more commonplace, there is another reason to address the data sources in e-discovery: case law is emerging that says companies have to. There may not be an overwhelming amount of case law pertaining to the cloud, but one important case to note is “IN RE NTL, INC. SECURITIES LITIGATION; GORDON PARTNERS, et al., Plaintiffs, -against- GEORGE S. BLUMENTHAL, et al., Defendants.” The main idea in this case is that if a company has “access to documents to conduct business, it has possession, custody or control of documents for the purposes of discovery.” One of the keys to the cloud is ubiquitous access to information, essentially putting companies on the hook to be responsible about e-discovery of that information.
A decade ago, the e-discovery focus was around a challenging data source known as email. Companies adopted email so quickly that e-discovery was never correctly planned for; discovery capabilities were built in after the fact. Many painful lessons were learned, and yet the possibility of repeating those mistakes is very real when it comes to information in the cloud and social media. For the eDJ survey respondents, e-discovery is very much an afterthought as companies evolve into using these data sources more and more. Less than 16 percent of respondents put an e-discovery plan into place before moving data to the cloud. (See Figure 3, below.)
The maturity level is rising, though. At present, 22.8 percent of respondents have put an e-discovery plan in place, while another 19.8 percent are working on a plan currently.
Getting information stored in the cloud under control for e-discovery is imperative. Best practices are just beginning to emerge, and the good news is that companies have the opportunity to get ahead of the curve in ways they were not able to do before solutions like email. The key is to treat cloud-based sources of data like any other data source; include it in data maps, have a plan for collecting and preserving it, know how to manage the chain of custody, and understand when to dispose of the data so that it poses no e-discovery risk.
For any company beginning to plan for e-discovery of cloud-based information, it is important to work closely with vendors of cloud-based services. In order to reduce risk, organizations storing data in the cloud should work out the e-discovery details before rolling out the solution. More than 71 percent of eDJ’s survey respondents did not know their cloud vendor’s policy for responding to clients’ e-discovery needs. (See Figure 4, below.)
In order to reduce risk, organizations storing data in the cloud should work out the e-discovery details before rolling out the solution. That plan should address how information in the cloud can be placed on legal hold, how the information can be accessed by various constituents (e.g., employees, compliance officers, third parties) and how review and analysis is executed (e.g., value-add functions for early case assessment). More specifically, companies should ask cloud vendors to show documentation of systems, data and backup procedures to ensure that information is protected and redundant. Before choosing a cloud vendor, companies should determine the physical location of information and the applicable legal/regulatory rules that apply to where information can be stored. It is also important to know exactly how information is stored (e.g., dedicated storage versus shared storage).
Companies should address information preservation and collection obligations, including costs, and also define any vendor liability that could exist for failure to preserve and collect. Also, it is advisable to identify a vendor employee to testify regarding preservation and collection issues; doing so goes a long way toward successfully managing the chain of custody of information.
Too often companies overlook privacy and security issues when utilizing the cloud. Companies must work with vendors to address encryption of data to manage privacy considerations and develop a process to address security breaches or unauthorized access to data. Also, make sure the vendor can execute any data destruction policies to the required specifications (e.g., DoD 5015.2 disposition). Finally, be sure to identify specific software to collect information if vendor goes out of business.
The saying goes that those who don’t learn from history are doomed to repeat it. Companies that don’t want the e-discovery nightmares of the last decade -- all the time wasted and dollars spent corralling information from distributed and hard to access information sources -- should ensure the same fate does not await in the cloud. Turning a blind eye to the issue, as many companies are doing now, does not make it go away. Legal teams continue to get smarter regarding ways to conduct discovery; it is a good bet that lawyers will target cloud-based sources of information in the hopes of catching the opponent off guard and unprepared.