This Page

has been moved to new address

eDiscovery in the Cloud: The Sky is Not Falling

Sorry for inconvenience...

Redirection provided by Blogger to WordPress Migration Service
----------------------------------------------------- Blogger Template Style Name: Snapshot: Madder Designer: Dave Shea URL: mezzoblue.com / brightcreative.com Date: 27 Feb 2004 ------------------------------------------------------ */ /* -- basic html elements -- */ body {padding: 0; margin: 0; font: 75% Helvetica, Arial, sans-serif; color: #474B4E; background: #fff; text-align: center;} a {color: #DD6599; font-weight: bold; text-decoration: none;} a:visited {color: #D6A0B6;} a:hover {text-decoration: underline; color: #FD0570;} h1 {margin: 0; color: #7B8186; font-size: 1.5em; text-transform: lowercase;} h1 a {color: #7B8186;} h2, #comments h4 {font-size: 1em; margin: 2em 0 0 0; color: #7B8186; background: transparent url(http://www.blogblog.com/snapshot/bg-header1.gif) bottom right no-repeat; padding-bottom: 2px;} @media all { h3 { font-size: 1em; margin: 2em 0 0 0; background: transparent url(http://www.blogblog.com/snapshot/bg-header1.gif) bottom right no-repeat; padding-bottom: 2px; } } @media handheld { h3 { background:none; } } h4, h5 {font-size: 0.9em; text-transform: lowercase; letter-spacing: 2px;} h5 {color: #7B8186;} h6 {font-size: 0.8em; text-transform: uppercase; letter-spacing: 2px;} p {margin: 0 0 1em 0;} img, form {border: 0; margin: 0;} /* -- layout -- */ @media all { #content { width: 700px; margin: 0 auto; text-align: left; background: #fff url(http://www.blogblog.com/snapshot/bg-body.gif) 0 0 repeat-y;} } #header { background: #D8DADC url(http://www.blogblog.com/snapshot/bg-headerdiv.gif) 0 0 repeat-y; } #header div { background: transparent url(http://www.blogblog.com/snapshot/header-01.gif) bottom left no-repeat; } #main { line-height: 1.4; float: left; padding: 10px 12px; border-top: solid 1px #fff; width: 428px; /* Tantek hack - http://www.tantek.com/CSS/Examples/boxmodelhack.html */ voice-family: "\"}\""; voice-family: inherit; width: 404px; } } @media handheld { #content { width: 90%; } #header { background: #D8DADC; } #header div { background: none; } #main { float: none; width: 100%; } } /* IE5 hack */ #main {} @media all { #sidebar { margin-left: 428px; border-top: solid 1px #fff; padding: 4px 0 0 7px; background: #fff url(http://www.blogblog.com/snapshot/bg-sidebar.gif) 1px 0 no-repeat; } #footer { clear: both; background: #E9EAEB url(http://www.blogblog.com/snapshot/bg-footer.gif) bottom left no-repeat; border-top: solid 1px #fff; } } @media handheld { #sidebar { margin: 0 0 0 0; background: #fff; } #footer { background: #E9EAEB; } } /* -- header style -- */ #header h1 {padding: 12px 0 92px 4px; width: 557px; line-height: 1;} /* -- content area style -- */ #main {line-height: 1.4;} h3.post-title {font-size: 1.2em; margin-bottom: 0;} h3.post-title a {color: #C4663B;} .post {clear: both; margin-bottom: 4em;} .post-footer em {color: #B4BABE; font-style: normal; float: left;} .post-footer .comment-link {float: right;} #main img {border: solid 1px #E3E4E4; padding: 2px; background: #fff;} .deleted-comment {font-style:italic;color:gray;} /* -- sidebar style -- */ @media all { #sidebar #description { border: solid 1px #F3B89D; padding: 10px 17px; color: #C4663B; background: #FFD1BC url(http://www.blogblog.com/snapshot/bg-profile.gif); font-size: 1.2em; font-weight: bold; line-height: 0.9; margin: 0 0 0 -6px; } } @media handheld { #sidebar #description { background: #FFD1BC; } } #sidebar h2 {font-size: 1.3em; margin: 1.3em 0 0.5em 0;} #sidebar dl {margin: 0 0 10px 0;} #sidebar ul {list-style: none; margin: 0; padding: 0;} #sidebar li {padding-bottom: 5px; line-height: 0.9;} #profile-container {color: #7B8186;} #profile-container img {border: solid 1px #7C78B5; padding: 4px 4px 8px 4px; margin: 0 10px 1em 0; float: left;} .archive-list {margin-bottom: 2em;} #powered-by {margin: 10px auto 20px auto;} /* -- sidebar style -- */ #footer p {margin: 0; padding: 12px 8px; font-size: 0.9em;} #footer hr {display: none;} /* Feeds ----------------------------------------------- */ #blogfeeds { } #postfeeds { }

Wednesday, November 16, 2011

eDiscovery in the Cloud: The Sky is Not Falling

It appears that Chicken Little is alive and well when it comes to moving your data to the cloud.  In an article titled, "The Promise of the Cloud Meets the Obligations of E-Discovery", published on the Law.com website on October 12, 2011, authors Brendan M. Schulman and Samantha V. Ettari state that, "cloud computing also poses a serious threat to an organization's ability to prepare for and respond to document preservation and discovery obligations, and erodes protections against discovery of the data by government authorities and third parties."

Putting this into perspective, ancient scholars thought that the world was flat and some even thought that Columbus would fall off the edge.  Many adults during the 1960's believed that Rock and Roll music would destroy Western culture and there are still some that believe that the world is going to end in 2012.

Closer to home with Chicken Little arguments that we have heard regarding advances in Information Technology (IT), some thought that putting computers (PCs) in the hands of common people was a crazy idea, decentralizing IT with departmental client/server computing would be the end of the corporation as we know it and all of these mobile computing devices and associated social media communication options are destroying our ability to communicate in person.

And, even closer to home, it wasn't that many months ago that some litigators were contending that all of this eDiscovery technology was going to destroy the basic fabric of the legal process.

Obviously none of this is true and likewise there is very little real danger in moving your data to the cloud.  So, let's examine Ms. Schulman's and Ms. Ettari's concerns in more detail.

First of all, they do admit that, "The cloud computing revolution sweeping through corporate IT departments does, indeed, promise substantial cost savings and organizational efficiencies."  But then the go on to state that placing data in the cloud will compromise the legal hold and associated collection process and can compromise rights to privacy.  Let's examine these claims in more detail:

The Legal Hold Process
Many corporations are already dropping the ball on fulfilling their legal hold obligations.  They don't really know where their data it located, don't have well defined data retention policies in place and as a result treat most legal requests for data as a very costly and highly inefficient one-off fire drill that in most cases doesn't meet even the minimum legal requirements.  I contend that consolidating data in the cloud will at least ensure that most of the data is in one place and will enable a much more effective data retention and associated legal hold process.

eDiscovery Collections in the Cloud
As with legal hold, many corporations are already dropping the ball on fulfilling their legal obligations in regards to collecting ESI in a forensically sound manner. Therefore, as with legal hold, consolidating ESI under a common CSP and utilizing state-of-the-art Early Case Assessment (ECA) technology that has been designed to run in the cloud (its a very short list but it does exist), should and will make eDiscovery collection in the cloud much more efficient and cost effective.  Please note that I am not oblivious to the fact that tyring to perform ECA with no technology or with the wrong technology and in partnership with some CSPs can in fact be difficult. However, there is technology and best practices available today and the CSPs that embrace eDiscovery as a standard component of their technology (yes technology) stack will in fact find it (eDiscovery in the cloud) to be a "key competitive advantage" that will accelerate the move to the cloud.

Rights to Privacy
With the accelerating proliferation of ESI, mobile computing devices and associated mobile communications, privacy and rights to privacy has become a difficult issue to get our collective arms around. In regards to corporate data or law firm data, I am going to contend that they already have multiple holes in their security dikes and that for all practical purposes the security that we all knew in the era of the bricks and mortar corporation with paper is long gone.  Further, with the proliferation of  email, texting, blogging and now social media such as Facebook, Twitter and LinkedIn, the core concepts of rights to privacy need to be adjusted.  And, as with legal hold and collections, moving your data to the cloud is not going to make rights to privacy issues any worse as this data is already in the cloud.

Summary
I appreciate the concerns of these authors.  However, these concerns do in fact rise to the level of Chicken Little. As I have said many time in the past 24 months, "the cloud train has left the station."    And therefore, to shout  that riders had better not get on or that if they do get on they had better hang on to their hand bags because some dark stranger is going to grab it.  Or to say that there is a dark cloud on the horizon that is going to swallow all of your crazy cloud people is not much different than the people that said Columbus would never return.  Columbus made it and so will cloud computing.  It fact, cloud computing has already made it and most of us are just fine, eDiscovery in the cloud and all!!

The full text of the article by Brendan M. Schulman and Samantha V. Ettari is as follows:

Cloud computing" refers to the revolution sweeping through corporate information technology departments of using remote computing providers connected via the Internet, rather than internal servers and network drives, to store and access a corporation's electronically stored information. The cost savings and efficiency gains offered by cloud computing make it an irresistible lure to companies looking for cheap data storage and technical support.

However, cloud computing also poses a serious threat to an organization's ability to prepare for and respond to document preservation and discovery obligations, and erodes protections against discovery of the data by government authorities and third parties. When the negotiation of a terms-of-service agreement with a cloud service provider takes place without the input of legal departments or outside counsel who are familiar with these issues, corporations and their counsel lose a valuable opportunity to include favorable provisions that could help mitigate substantial e-discovery risks and costs in the future.

UNDENIABLE BENEFITS
Recently, President Barack Obama's former chief information officer, Vivek Kundra, published an op-ed piece in The New York Times describing the administration's "Cloud First" policy, an initiative to cut 50 percent or more of the $80 billion federal information technology budget simply by moving government agency data to the cloud.[FOOTNOTE 1]

The Times piece implored American corporations to avoid "wasteful spending" inherent in current IT infrastructure and concludes that "those that embrace the cloud will be rewarded with substantial savings and 21st century jobs."

The cloud computing revolution sweeping through corporate IT departments does, indeed, promise substantial cost savings and organizational efficiencies. A large part of that efficiency is attributable to the dynamic scalability of cloud-based systems. For decades, whenever a company purchased an enterprise-level computer system, such as an e-mail server, it purchased excess capacity in anticipation of its future needs, and employed a full support staff to implement and maintain it. Cloud services eliminate these and other inefficiencies by pooling the vast centralized storage and computing capacity made available by a CSP, allocating storage space and computing resources to the customers who need them, when they need them. Customers pay only for their use of actual computing services in time units or storage space, allowing them to eliminate IT positions. For small companies, some CSPs provide the added benefit of 24-hour technical support and may afford greater data security as well as backup redundancy and faster crash recovery.

However, aspects of cloud computing that may not be immediately obvious threaten to make compliance with various e-discovery obligations more difficult and more expensive, in some cases potentially negating some of the long-term promised benefits of moving to the cloud.

A MORE COMPLICATED PROCESS
Placing corporate ESI into the cloud can complicate efforts to institute a litigation hold upon the reasonable anticipation of litigation. Generally, the preservation obligation requires that reasonable efforts be made to preserve "all sources of potentially relevant information."[FOOTNOTE 2]

Data in the cloud is by its nature fluid, accessed by the client from various remote locations and often shuffled around by the CSP. The practice of circulating a litigation hold notice to a list of custodians may be less reliable if the relevant data is on a shared cloud service and can be altered or deleted by persons who are not included in the notice.

Alternative methods of preservation, such as the making of a "forensic image," may be rendered infeasible because the relevant data exists in fragments across various locations around the world. It also may be difficult to locate a CSP representative who will assist counsel in understanding the cloud system and implementing the necessary preservation steps. Additionally, cloud providers that contractually cap a customer's storage limit or that delete data after a certain time period could unintentionally cause spoliation of evidence. For these reasons, it is prudent for companies to negotiate a terms-of-service agreement that requires automatic deletion routines to be suspended when necessary, and that sets out a litigation hold protocol, or to find a CSP who offers these options.

A move to the cloud also impacts the ability of the corporation to respond in a timely manner to initial disclosures and document requests. No longer can the general counsel call the company's IT director and ensure an appropriate response to an urgent litigation need. Instead, the CSP might be expected to respond in accordance with the terms-of-service agreement, which may fail to address litigation response at all. Thus a party's ability to respond to document requests within the timeframe provided in the applicable rules, or as ordered by a court, may be jeopardized by the selection of a CSP who is leanly staffed. Care should be taken in selecting a suitable CSP, and a prudently negotiated services agreement would include specific provisions for response time to litigation-related requests.

Court rules increasingly anticipate that counsel will quickly learn the facts concerning a client's data system. For example, the August 2010 amendments to New York Uniform Rules 202.12(b) and (g) require that:
counsel for all parties who appear at the preliminary conference must be sufficiently versed in matters relating to their clients' technological systems to discuss competently all issues relating to electronic discovery; counsel may bring a client representative or outside expert to assist in such e-discovery discussions.
When a client's ESI is in the cloud, it is difficult to imagine effective compliance with this rule in the absence of cooperation from the CSP.

The cloud also may impact a party's ability to efficiently prepare documents for review and production. Fed. R. Civ. P. 34 provides that, as to electronically stored information, "[a] party must produce documents as they are kept in the usual course of business or must label them to correspond to the categories in the [document] request."[FOOTNOTE 3]

The most common form of electronic production tends to involve TIFF images of each document with a corresponding "load file" containing metadata. Under certain circumstances, courts have required parties to produce files in "native" format.[FOOTNOTE 4]

A mature industry now exists to provide for collection, processing, review, and production of ESI in this manner. However, cloud computing raises the prospect that satisfaction of discovery obligations will be more difficult and expensive if a company's ESI is stored in a special proprietary format devised by individual CSPs.

The content of ESI available to be produced may also be unexpectedly affected by cloud systems. It is generally accepted that ESI should be produced together with at least some of its metadata when requested,[FOOTNOTE 5] such as information about the file name, custodian, the source path, the date and time the document was last modified.[FOOTNOTE 6]

Each of these metadata fields, and perhaps others, is at risk of being altered by cloud systems that constantly move data to the most efficient storage location, use automated file naming conventions, and store files without reference to custodian. These technical complexities may remain unclear until the time that data is actually collected. Therefore, counsel who engages in a Fed. R. Civ. P. 26(f) meet-and-confer and agrees to produce "standard" types of metadata or native files may be in for a surprise when she learns that the metadata does not exist or that there is no readily accessible "native" file. Moreover, the metadata located in a cloud-based version of a document may be unreliable.

INCREASED RISKS
Government and third-party access. Cloud computing raises concerns with respect to government agencies and third parties seeking to obtain customer data content. The Stored Communication Act, enacted in 1986, provides an extensive and complex set of Fourth Amendment-like privacy protections for electronic communications and stored data in the possession of third-party service providers.[FOOTNOTE 7]

Under the act, for example, the contents of unopened electronic mail present on a public electronic communications service that is 180 days old or less may only be obtained by authorities using a search warrant.[FOOTNOTE 8]

However, when that same data is stored with a CSP (who does not send and receive the e-mails but only stores them), the service provider may be deemed to be a "remote computing service" under the Stored Communication Act and the stored data may be obtained through a court order upon a showing of "reasonable grounds" to believe the data is "relevant and material to an ongoing criminal investigation" -- a far lower standard.[FOOTNOTE 9]

Moreover, notification that a subpoena was received can be delayed for 90 days upon written certification of a supervisory official that notification would jeopardize a pending investigation.[FOOTNOTE 10]

Thus, a cloud customer may not find out that its data has been collected by investigating authorities until months after the fact.

Cloud computing also provides an additional way for civil litigants to potentially gain another avenue of access to electronic documents. Courts have held that the Stored Communication Act prohibits an electronic communications service or remote computing service from producing documents in response to a Rule 45 subpoena in the absence of the consent of the data's owner.[FOOTNOTE 11]

However, some courts have ordered parties to provide that consent, thereby resulting in production of the documents by the CSP rather than the party litigant.[FOOTNOTE 12]

Additionally, it is conceivable that a court might construe broad language in a terms-of-service agreement or lax controls over a CSP's access to customer data as indicative of prior consent to production pursuant to a subpoena. For these reasons, it is a best practice, where possible, to negotiate into the terms-of-service a provision requiring that the CSP provide notice to the customer upon receipt of a civil subpoena, and express language indicating that no ESI may be produced to a civil party without the customer first having had an opportunity to be heard.

Losing access. Access to data when CSPs become insolvent may well become one of the most vexing issues for companies who have moved to the cloud. For preservation and discovery purposes, documents are generally considered to be within the possession, custody, or control of a party if it has the "legal right" or "practical ability" to obtain the ESI.[FOOTNOTE 13] If a company's CSP shuts down, it could be argued that there is no longer such an ability, although a court may view the terms-of-service agreement as providing the customer with a "legal right" to the ESI.

Alternatively, Fed. R. Civ. P. 26(b)(2)(B) might be invoked to argue that the data is no longer "reasonably accessible," although that rule is typically concerned with "undue cost or burden." It is conceivable that a party may become caught between a court order in a far-off jurisdiction compelling production, and a bankruptcy proceeding that prohibits the debtor from committing resources to a customer's response. Even if a cloud customer caught in this situation is afforded relief from certain discovery obligations, there is always the risk that documents that are helpful to the company's case will remain inaccessible, posing a threat to the substantive outcome of the case. A terms-of-service agreement that specifically contemplates this scenario could be of assistance in asking a Bankruptcy Court to require cooperation, although the outcome is likely to turn on the practical ability of the debtor to undertake the effort. These risks may be mitigated, in part, by implementing an appropriate backup regime allowing ESI to remain accessible by the company.
CSPs, in an effort to find the cheapest locations to house their massive data centers, are likely to store customer data in foreign jurisdictions with low labor, energy, and real estate costs. Foreign data privacy laws may therefore apply and make it more costly to review and produce the data, or expose the company to the risk of violating a foreign statute. For example, the French blocking statute provides for criminal penalties when discovery is conducted within France.[FOOTNOTE 14]

Yet courts in the United States have generally ordered discovery to proceed notwithstanding a conflict with overseas privacy laws,[FOOTNOTE 15] and have even imposed sanctions upon parties who have invoked foreign privacy laws as grounds for resisting discovery.[FOOTNOTE 16]

In some cases, a customer may be able to negotiate the geographical limitations of where its data will be stored in the cloud, or at least require notice before data is moved to another jurisdiction.

CAUTION FOR LAW FIRMS
Law firms considering moving their data to the cloud should keep in mind ethical rules concerning the exercise of reasonable care to protect client confidences.[FOOTNOTE 17] The New York State Bar Association concluded in 2008 that a lawyer may use an e-mail service that scans e-mail to generate computer advertising, but:
would reach the opposite conclusion if the e-mails were reviewed by human beings or if the service provider reserved the right to disclose the e-mails or the substance of the communications to third parties without the sender's permission.[FOOTNOTE 18]
Caution is therefore warranted when cloud service agreements appear to provide outsiders with broad access to law firm data.

THE STORM AHEAD
Judges who are prominent in the e-discovery field, including U.S. District Judge Shira A. Scheindlin of the Southern District of New York, have informally expressed concern about the unforeseen discovery consequences of corporate ESI moving to the cloud.[FOOTNOTE 19]

Many companies appear to be focused on the cost-saving aspects with little regard for the many discovery ramifications and without consulting counsel proficient in e-discovery issues. The full impact of cloud computing on the discovery process remains to be seen, but in the interim it is prudent to exercise caution when deciding to move enterprise data to the cloud, to evaluate each CSP candidate in light of future litigation needs, and to negotiate favorable discovery-related terms of service whenever possible.

::::FOOTNOTES::::
FN1 Vivek Kundra, "Tight Budget? Look to the 'Cloud,'" The New York Times, Aug. 31, 2011, at A27.
FN2 Zubulake v. UBS Warburg LLC, 229 F.R.D. 422, 432 (S.D.N.Y. 2004).
FN3 Fed. R. Civ. P. 34(b)(2)(E)(i).
FN4 See, e.g., In re NYSE Specialists Sec. Litig., 2006 WL 1704447 at *1 (S.D.N.Y. June 14, 2006).
FN5 See Aguilar v. Immigration & Customs Enforcement Division, 255 F.R.D. 350, 357 (S.D.N.Y. 2008).
FN6 Before it was withdrawn, U.S. District Judge Shira A. Scheindlin's decision in National Day Laborer Organizing Network v. United States Immigration and Customs Enforcement Agency, 2011 WL 381625 (S.D.N.Y. Feb. 7, 2011), listed these among nine specific metadata fields that should accompany production of all forms of ESI.
FN7 18 U.S.C. §§2701-2712.
FN8 Id. at §2703(a).
FN9 Id. at §2703(d).
FN10 Id. at §2705(a)(1)(B).
FN11 See Viacom v. Youtube Inc., 253 F.R.D. 256, 264 (S.D.N.Y. 2008).
FN12 See, e.g., Thayer v. Chiczewski, 2009 WL 2957317 (N.D. Ill. Sept. 11, 2009).
FN13 NTL Inc. Securities Litigation v. Blumenthal, 244 F.R.D. 179, 195 (S.D.N.Y. 2007).
FN14 Law No. 80-538 of July 16, 1980, Journal Officiel de la Republique Francaise, July 17, 1980.
FN15 See, e.g., Strauss v. Credit Lyonnais, 249 F.R.D. 429, 456 (E.D.N.Y. 2008).
FN16 Lyondell-Citgo Refining, LP v. Petroleos de Venezuela, S.A, 2005 WL 1026461 at *4 (S.D.N.Y. May 2, 2005).
FN17 See New York Rule of Professional Responsibility 1.6(c).
FN18 N.Y. State Bar Ass'n Op. 820, at 2.
FN19 "Status of E-Discovery Law: A Judicial Perspective On The Current State of E-Discovery," The Metropolitan Corporate Counsel, April 2010, at 6.

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

Links to this post:

Create a Link

<< Home