If you begin with the following assumption:
“As businesses move more applications and data to cloud services, those businesses inevitably are going to find themselves in litigation with the need to retrieve electronically stored information (ESI) from the cloud to comply with their e-discovery obligations.”
….then it makes a lot of sense to make sure that you do not forget about e-discovery when you are considering moving your company’s data to the cloud environment.
In what our staff believes to be one of the better postings on this important risk mitigation topic, they would like to bring your attention to a recent article, written by Jay Yurkiw, and posted on the Technology Law Source blog, which clearly presents some great tips on how businesses can better manage their e-discovery risks —whether they are just considering a move to the cloud or even if they have already made that move.
A quick summary of where some of those tips offered by Yurkiw would be most helpful are: (1) standard cloud computing service level agreements (SLA’s), and, (2) pre-litigation planning considerations.
Yurkiw states, “…. that SLA negotiations should focus on including most (if not all) of the following suggested areas of concern included in the final SLA in order to mitigate its e-discovery related risks:
• Ownership of data
• Right to export data and method of doing so
• Storage and export of data (including corresponding metadata) in specified form
• Accessibility of data “on-demand” and by counsel and e-discovery vendors as designated by the business
• Establishment of time periods the provider will keep data before deleting it pursuant to the business’s and/or provider’s retention schedules
• Suspension of auto-delete settings and retention schedules when litigation is reasonably anticipated
• Limitation (or at least identification) of physical locations where data may be stored
• Implementation of specified security measures to protect against unauthorized third-party access
• Notification of any data breaches
• Notification of any requests for data by third-parties in advance of any production so that the business can oppose or take action to limit the disclosure of data
• Itemization of costs that the provider will charge for services connected to e-discovery
• Indemnification for losses incurred as the result of the unauthorized deletion or alteration of data (and corresponding metadata).”
Regarding pre-litigation activities to mitigate e-discovery risks associated with the cloud, Yurkiw suggests the following areas of planning for the organization be discussed and executed where applicable;
• Assess and document what cloud computing providers and services the business is using and what types of data are being stored in the cloud and by whom.
• Prepare a legal hold process that accounts for the use of public clouds by the business and its employees.
• Form an integrated team of personnel from legal, IT, compliance, information security, HR that is familiar with what cloud computing services the business is using and can address the business’s e-discovery obligations.
• Consider having designated outside e-discovery counsel who has experience collecting data from the cloud and can familiarize themselves with the nature and extent of the business’s public cloud computing
• Maintain a list of proven e-discovery vendors who have experience successfully collecting data from the cloud.
• Implement a usage policy stating what types of public cloud applications employees can use for business purposes and what types of business data employees can store in the cloud.
• Provide a site controlled by the business that employees can access remotely to help protect against employees using third-party sites to store data on their own
• Educate employees about the business’s usage policy and litigation hold procedure, and explain why they are important.
In conclusion, while businesses are taking advantage of the benefits of cloud computing, Yurkiw stresses they also should consider and plan for the e-discovery risks involved in entrusting their data to third-party cloud providers.
Click here to read Yurkiw’s full article, and where applicable please pass this information along to those e-discovery team members in your organization.
Jay Yurkiw is the chair of the PorterWright firm’s E-Discovery Practice Group and regularly advises clients on the management and discovery of electronically stored information. He is a member of The Sedona Conference® Working Group on Electronic Document Retention and Production and regularly speaks and writes about e-discovery issues.