Inside Experts: Electronic Discovery in the Cloud
Why a "ready, fire, aim" strategy doesn't work.
April 07, 2011 at 08:00 PM
7 minute read
The original version of this story was published on Law.com
I won't waste precious words citing the legion of statistics and analysts' reports showing how rapidly IT departments are moving data to the “cloud.” And, far be it from me to try and throw myself in front of the cloud computing train that is barreling ahead at breakneck speeds. What I will point out is that the prevalent “ready, fire, aim” strategy is bound to get companies in trouble from a compliance and electronic discovery perspective.
Instead of making enemies of your IT comrades by simply erecting roadblocks in the path to cloud nirvana, let's discuss how you can arm yourselves with some ammo to avoid downstream calamities, while utilizing a “measure twice, cut once” approach. This extra measure of caution applied before electronically stored information (ESI) is migrated to the cloud is well deserved since the legal and regulatory playing field isn't as fully developed as is the IT solutions landscape.
The goal of this piece won't be to delve into cloud characteristics (i.e., on-demand, self-service, broad network access, resource pooling, rapid elasticity, etc.) or delivery models (i.e., software as a service, development as a service, platform as a service or infrastructure as a service). We will, however, discuss the various deployment models (private, public, hybrid, etc.), with a particular focus on public clouds, since private cloud deployments tend to look very similar to on-premise IT environments. As a first step in trying to mitigate attendant cloud risks, hone in on the cloud environment that's germane to your enterprise and use the following as a guide to avoid obvious risks.
Control is the Name of the Game
As a starting place, there is very little case law that defines electronic discovery or compliance obligations for cloud data. For good or for ill, courts do not currently make material distinctions between data that resides behind an enterprise firewall and that which may be in a shared (public or private) cloud. Nevertheless, the basic starting point is generally the analysis of discovery rules, particularly Rule 34 of the Federal Rules of Civil Procedure (FRCP), which provides that a party may serve on any other party a request to produce data in the responding party's “possession, custody, or control.”
And, while there aren't any on-point decisions yet regarding cloud nuances, it's pretty clear from analogous circumstances that the “custody” or “possession” of data won't be a determining factor if the entity has the legal rights to “control” the information. The closest analogy under existing case law is seen in other circumstances where a third party holds data that the responding entity needs to preserve and produce. For example, in Tomlinson v. El Paso Corp., the court found that the defendants could not delegate their obligations to preserve and maintain data where a third party vendor had possession of their electronic information.
Similarly, in the very recent decision of Rosenthal Collins Group, LLC v. Trading Techs. Int'l the court addressed whether a responding party could legally distance itself from the actions of a third party consultant who had control of relevant data and altered it, despite being notified of his preservation duty. The Rosenthal court cited Cyntegra, Inc. v. Idexx Labs., Inc., when issuing terminating sanctions, noting that “courts have extended the affirmative duty to preserve evidence to instances when that evidence is not directly within the party's custody or control so long as the party has access to, or indirect control over, such evidence.”
The challenge then posed by ESI in a cloud environment is that there's a control continuum, which starts with actual control on one end and continues to the far end of the spectrum where there's just the perception of the ability to control information. We will get into Service Level Agreements (SLAs) in a moment, but a danger zone exists pretty clearly where there's a gap between the actual control a party may have over their cloud provider (and the hosted ESI stored therein) and what a court may consider as a reasonable level of control that the party should have (i.e., does the producing party have the right, authority, or practical ability to obtain the documents from a non-party?).
SLAs Can Make or Break the Cloud Decision
This highly nuanced and fact-specific discussion then may hinge on the SLAs that are in place to govern the cloud provider's obligations once discovery ensues. Given the host of potential issues, it's likely that a party with legal (but not physical) control over their data is at the mercy of the underlying contractual rights. In some instances, the cloud provider may simply proffer a one-sided, adhesion contract. While this will certainly be the case in a standard consumer context (e.g., Google Docs), most enterprises should wield enough power to meaningfully negotiate the terms and conditions applicable to their cloud hosted ESI. To that end, there are a number of things to consider when negotiating a service level agreement for the provision of cloud services:
- Physical Location of Data. From an individual user's perspective, the on-demand nature of the cloud often renders the physical location of the actual data meaningless. But, given the complications of moving data across international borders, it's wise to specify where data will physically reside, particularly avoiding countries with more restrictive data privacy regimes. Here, it would be useful to either create an inclusive list (defining countries where data could be physically located) or an exclusive list (defining countries where data would definitively not be physically located). If there are premiums associated with certain jurisdictions, it would be wise to consult local counsel to understand the nuances of data migration (out of a specific country) to evaluate the risk/reward value proposition.
- Access Rights. There are a number of scenarios where the preservation , identification, search and extraction of ESI may be required from a cloud environment. In order to understand the cost implications of these tasks, turnaround times and available functionality, it will be helpful to prepare for these potential issues well ahead of time, ideally locking in service level commitments during the contractual process. Failure to do so proactively may mean that a party won't be able to comply with judicial deadlines, which could result in fines and sanctions.
- Ownership. While it seems self evident that the user of cloud services should axiomatically “own” their stored data, it's wise to call out any anticipated issues surrounding downstream rights. For example, what happens to the stored data if the customer doesn't pay its bills? What happens if the cloud provider goes bankrupt? There's certainly a scenario here where a cloud provider might have to auction off its assets (e.g., client data), which could both keep the stored ESI in limbo and conceivably threaten the release of proprietary and confidential information.
- Notification. Given that the cloud hosting provider can be subpoenaed directly (by a litigant or governmental agency), companies need to know what type of notification their providers will give regarding third party requests for ESI. It is prudent to define whether the movement, migration or co-mingling of data requires advanced notice or permission. The safest course would be to have the cloud provider give substantial notice before complying with a third party request so that the data owner could file an action to either prevent the disclosure generally or dictate terms for the provision of ESI.
- Security. It may seem like a no-brainer, but the encryption and general security of stored data needs to be clearly outlined in the applicable service level agreement. The export of data out of the cloud would surely be a scenario where encryption should be considered mandatory. Sensitive proprietary data may warrant additional protections beyond encryption, where it may be valuable to have role based access rights.
In sum, the cloud's numerous economic benefits need to be tempered by the range of often unanticipated compliance and electronic discovery issues. A wise enterprise will delve into issues surrounding the preservation, collection, processing and review of ESI before simply jettisoning their data off into the cloud. No organization wants to be a test case for emerging case law, so additional proactive steps here are increasingly prudent.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2025 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View All
Lawyers Drowning in Cases Are Embracing AI Fastest—and Say It's Yielding Better Outcomes for Clients
GC Conference Takeaways: Picking AI Vendors 'a Bit of a Crap Shoot,' Beware of Internal Investigation 'Scope Creep'
8 minute read
Why ACLU's New Legal Director Says It's a 'Good Time to Take the Reins'
Trending Stories
- 1'Pull Back the Curtain': Ex-NFL Players Seek Discovery in Lawsuit Over League's Disability Plan
- 2Tensions Run High at Final Hearing Before Manhattan Congestion Pricing Takes Effect
- 3Improper Removal to Fed. Court Leads to $100K Bill for Blue Cross Blue Shield
- 4Michael Halpern, Beloved Key West Attorney, Dies at 72
- 5Burr & Forman, Smith Gambrell & Russell Promote More to Partner This Year
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250
