Even a cursory glance at the sky will tell you that no two clouds are alike, and the same holds true for the kind that stores data instead of rain drops. While there were no meteorologists at Legalweek, the “Information Governance in the Cloud: Compare and Contrast” panel did offer some practical tips to consider when evaluating the variety of solutions available in the marketplace.

Insights were dispensed courtesy of Michael Haley and Carol Stainbrook, respectively, principal consultant and executive director of Cohasset Associates, a management consulting firm specializing in records management and information governance.

Stainbrook indicated up front that for most organizations, there was likely no avoiding the cloud. “It's likely that you will be involved in more than one cloud in one way or another,” she said.

The reasoning that led her to that conclusion is pretty simple: Companies are handling tons of data and it has to go somewhere. A graphic used during the presentation showed that the bulk of that information, 80 percent, is discretionary or of lower business value.

The remaining 20 percent constitutes the high-value data that is either critical to operations or possesses high regulatory or legal relevance. Storing that information has become a more nuanced endeavor as companies strive to comply with the likes of the European Union's General Data Protection Regulation (GDPR), which says that personal data shouldn't be stored any longer than necessary.

Haley didn't think that this was necessarily a bad thing. “Regulatory bodies set the controls that drive us to better protect our info and in that light they are actually doing us a favor,” he said.

Naturally, the patchwork of regulations different industries face means that organizations have varying needs to consider before committing to any one cloud solution. But Haley and Stainbrook did lay out a few minimum requirements that should apply across the board.

A cloud should offer nonrewritable/nonerasable record format, an accurate recording process, the ability to serialize the original data and duplicate units of storage media, and have a capacity to download indexes and records.

Immutability and retention are especially important when it comes to data that has been placed under legal hold or falls under the parameters of regulations. Cloud providers touting immutability should ensure that data will be protected against unauthorized alteration and that any annotations or additions will be indicated and traceable.

Retention can be a little more complicated because depending on the jurisdiction or regulatory framework a company falls privy to, prematurely ending or indefinitely extending the life span of a certain piece of data could have consequences.

To be sure, some cloud services offer storage “buckets” to which organizations can ascribe a minimum or maximum retention period. But the risk there is that items could inadvertently be placed into the wrong bucket. An alternative approach would be to address data at the object level and place individual pieces of data on hold as needed.

“The capabilities of each solution is very different and I can't underscore that enough,” Stainbrook said.