Ascending to the Cloud Creates Negligible E-discovery Risk

Cloud computing platforms (a set of pooled computing resources that are powered by software and delivered over the Web) have been generating quite a bit of press in the last year. Indeed, just recently computing giant Microsoft launched its Microsoft 365 cloud computing platform, designed to rival Google’s "mega-cloud" platform, which launched in May 2010. Since the release of the first commercial cloud computing platform by Amazon in 2006, cost-conscious companies have been racing to evaluate the pros and cons of moving their computing operations to “the cloud.” According to the Booz, Allen, Hamilton technology consulting firm, “Cloud computing may yield:

Life cycle costs that are 65 percent lower than current architectures

  • Benefit-cost ratios ranging from 5.7 to nearly 25
  • Payback on investments in three to four years."

Notably absent from that cost-benefit analysis, however, is the effect cloud computing may have on the costs and risks associated with conducting electronic discovery. Those engaged in such activities may well ask the question, “Will the savings companies expect from moving their data to the cloud be absorbed by the additional costs/risks created by conducting e-discovery in the cloud?”

The short answer is no. Although there are risks associated with conducting e-discovery from the cloud, they are remote, manageable and eclipsed by the savings companies should expect from cloud computing. Some of the riskiest aspects of conducting e-discovery in the cloud are:

  • The loss/alteration of data and associated metadata
  • The potential violation of international data privacy laws by illegally disclosing data in the jurisdiction in which the cloud is located
  • The unintentional waiver of the attorney-client privilege by co-mingling data or disclosing attorney client communications to third parties
  • The failure to properly and timely implement and monitor litigation holds

Fortunately, companies can easily manage the risk of altering metadata and the risk of violating international data privacy laws by insisting the service agreement with their cloud provider:

  • State that none of the company’s data may be stored outside the United States
  • Provide a detailed mechanism for how the cloud will implement litigation holds
  • Address how metadata will be created and stored in the cloud environment

Similarly, companies can minimize the risk of waiving the attorney-client privilege by including “no waiver” language in their cloud computing service agreements and establishing security protocols to prevent the inadvertent disclosure of communications to the administrators of the cloud or any other third party.

When the technology has improved and cloud computing administrators have developed expertise at responding to e-discovery requests, companies might even enjoy e-discovery cost savings by moving their data to the cloud. “If the cloud fulfills its promise and supplants the hodgepodge of local hard drives, LAN servers, and removable storage that now house our data, the cloud will emerge as the simpler, ‘one-stop shop’ for preservation and search in electronic discovery,” Craig Ball, an expert on trends in e-discovery, predicts.

In fact, that technology already has been developed and is in use for other applications. In late 2010, Facebook (currently the largest functioning equivalent to a cloud computing environment) added to its regular user interface a one-button preservation tool for capturing user content. Now, by simply clicking the “Download Your Information” button (and providing the appropriate password), Facebook users can request a neatly packaged zip file containing all of their videos, messages, wall posts, friend lists and other profile content — it doesn’t require a professional background in information systems to comprehend how similar technology can be applied to collect corporate data stored in the cloud.

Furthermore, cloud administrators saddled with the responsibility of responding to many subpoenas or production requests on behalf of myriad clients will, in time, develop an expertise in culling, processing and producing data. In turn, cloud users will undoubtedly benefit from advances in technology as well as the experience that cloud administrators have gained in responding to e-discovery requests.

The hope is that these efficiencies will translate directly to the end-user. At the end of the day, in-house counsel should be confident that (if managed properly) the benefit of moving a company’s data to the cloud outweighs the risks and costs associated with producing data from the cloud as part of a lawsuit.

                                       *                                                   *                                                *

This article was originally published by Steven Hunter, a Quarles & Brady partner, in Inside Counsel.

Trackbacks (0) Links to blogs that reference this article Trackback URL
http://ediscovery.quarles.com/admin/trackback/253841
Comments (3) Read through and enter the discussion with the form at the end
Michael Hamilton - July 19, 2011 6:04 PM

Overall I think this was a great synopsis of the potential risks of moving e-discovery data storage to the cloud. I just as a lawyer don't want to be one of the first adopters of "taking things to the cloud" before all of these issues get tested in the courts.

Jim Shook - July 20, 2011 1:38 PM

Steven,

I thought this was an interesting and insightful piece. However, in reaching your conclusion I believe that there are a few critical assumptions that might be useful to call out.

One assumption is that the cloud provider actually has tools or a defined service that can help companies to identify, preserve, collect and process their ESI for eDiscovery purposes. Today, in fact, most do not, the tools and services are very ad hoc, or the tools are not reasonable in "real world" situations dealing with hundreds of gigabytes or even terabytes of data.

Another assumption is that the agreement is open to negotiation and that the legal department is actually involved in that process. While you would think that both of these would be common occurrences, in my experience that has not been the case.

Finally, the article discusses a public cloud model. Many companies are deploying private clouds (or hybrid clouds) where they do have more direct control over their data and related processes. Some of the potential trade-offs in the public v. private cloud decision may be based on simplicity of deployment v. control, but many companies can find just the right balance in a private model.

Aaron Taylor - August 18, 2011 12:07 PM

@Jim Shook,

Very good observations, Jim. Your list of assumptions provide excellent guidelines or "flags" for anyone contemplating moving to the cloud, or developing e-discovery policy/procedures in preparation for adopting cloud storage.

While there has been some blog interest in comparing public vs private cloud deployment, I believe we could all benefit from a more robust discussion of this topic.

Post A Comment / Question Use this form to add a comment to this entry.







Remember personal info?
Send To A Friend Use this form to send this entry to a friend via email.