Ascending to the Cloud Creates Negligible E-discovery Risk

Cloud computing platforms (a set of pooled computing resources that are powered by software and delivered over the Web) have been generating quite a bit of press in the last year. Indeed, just recently computing giant Microsoft launched its Microsoft 365 cloud computing platform, designed to rival Google’s "mega-cloud" platform, which launched in May 2010. Since the release of the first commercial cloud computing platform by Amazon in 2006, cost-conscious companies have been racing to evaluate the pros and cons of moving their computing operations to “the cloud.” According to the Booz, Allen, Hamilton technology consulting firm, “Cloud computing may yield:

Life cycle costs that are 65 percent lower than current architectures

  • Benefit-cost ratios ranging from 5.7 to nearly 25
  • Payback on investments in three to four years."

Notably absent from that cost-benefit analysis, however, is the effect cloud computing may have on the costs and risks associated with conducting electronic discovery. Those engaged in such activities may well ask the question, “Will the savings companies expect from moving their data to the cloud be absorbed by the additional costs/risks created by conducting e-discovery in the cloud?”

The short answer is no. Although there are risks associated with conducting e-discovery from the cloud, they are remote, manageable and eclipsed by the savings companies should expect from cloud computing. Some of the riskiest aspects of conducting e-discovery in the cloud are:

  • The loss/alteration of data and associated metadata
  • The potential violation of international data privacy laws by illegally disclosing data in the jurisdiction in which the cloud is located
  • The unintentional waiver of the attorney-client privilege by co-mingling data or disclosing attorney client communications to third parties
  • The failure to properly and timely implement and monitor litigation holds

Fortunately, companies can easily manage the risk of altering metadata and the risk of violating international data privacy laws by insisting the service agreement with their cloud provider:

  • State that none of the company’s data may be stored outside the United States
  • Provide a detailed mechanism for how the cloud will implement litigation holds
  • Address how metadata will be created and stored in the cloud environment

Similarly, companies can minimize the risk of waiving the attorney-client privilege by including “no waiver” language in their cloud computing service agreements and establishing security protocols to prevent the inadvertent disclosure of communications to the administrators of the cloud or any other third party.

When the technology has improved and cloud computing administrators have developed expertise at responding to e-discovery requests, companies might even enjoy e-discovery cost savings by moving their data to the cloud. “If the cloud fulfills its promise and supplants the hodgepodge of local hard drives, LAN servers, and removable storage that now house our data, the cloud will emerge as the simpler, ‘one-stop shop’ for preservation and search in electronic discovery,” Craig Ball, an expert on trends in e-discovery, predicts.

In fact, that technology already has been developed and is in use for other applications. In late 2010, Facebook (currently the largest functioning equivalent to a cloud computing environment) added to its regular user interface a one-button preservation tool for capturing user content. Now, by simply clicking the “Download Your Information” button (and providing the appropriate password), Facebook users can request a neatly packaged zip file containing all of their videos, messages, wall posts, friend lists and other profile content — it doesn’t require a professional background in information systems to comprehend how similar technology can be applied to collect corporate data stored in the cloud.

Furthermore, cloud administrators saddled with the responsibility of responding to many subpoenas or production requests on behalf of myriad clients will, in time, develop an expertise in culling, processing and producing data. In turn, cloud users will undoubtedly benefit from advances in technology as well as the experience that cloud administrators have gained in responding to e-discovery requests.

The hope is that these efficiencies will translate directly to the end-user. At the end of the day, in-house counsel should be confident that (if managed properly) the benefit of moving a company’s data to the cloud outweighs the risks and costs associated with producing data from the cloud as part of a lawsuit.

                                       *                                                   *                                                *

This article was originally published by Steven Hunter, a Quarles & Brady partner, in Inside Counsel.

Google Docs Ready for (Legal) Primetime?

Today's predominant word processors are Microsoft Word and Corel WordPerfect. MS Word is also offered as a web-based application or Saas (Software-as-a-Service).  However, there is a newer type of document collaboration, where numerous people have access to the same document so that they can all contribute and monitor changes made by others.  These types of applications are becoming more common.  For example, Google has begun to offer its own Google Word Processor called "Google Docs" -- which allows users to share and collaborate on documents. 

What does it matter which type you use in your business?  Here's one comparison between the Google and Microsoft web products.  But there's much more when it comes to the battle between WORD v. GOOGLE DOCS.

Sass and Microsoft Word.  SaaS, which Word uses, is really a form of cloud computing, or internet-based computing. Applications such as a word processor is accessed via the Internet, and the resulting data created by the user (documents) is stored on servers managed by particular service providers. This form of service delivery has a siginificant advantage over "localized" computing from a cost and management standpoint.  For example:

  • By paying a SaaS provider to run applications and store documents, businesses no longer have the need to purchase/upgrade their word processing software.
  • It reduces and/or allows the redeployment of hardware (servers) used to store documents.
  • Applications can be accessed anywhere, anytime as long as the user has Internet access.
  • For remote users, an iPhone, iPad, Blackberry, or other Android-powered phones can be used to access documents, and there is no need to login to an internal network using software such as Citrix or any flavors of VDI.
  • SaaS providers typically guarantee 24/7 access due to elaborate network redunduncies.
  • Fewer or no technical staff is needed to manage software and handle storage issues.  This frees them up for other tasks.

Google DocsDepending on your perspective, Google Docs could be a blessing or a curse. Documents created by Google Docs are devoid of metadata. This means that no document scrubbing (e.g., iScrub) is needed before they're being sent to a recipient. There is no chance of inadvertently disclosing confidential information.  Additionally, numerous people can be in the document at one time, make changes, and monitor the changes others are making.  This can work wonders for collaboration.  Unfortunately, there are some down sides for Google Docs:

  • Google Docs tracks all document edits in the form of a "revision history" trail that cannot be eliminated by the user. This same trail could potentially be subpoenaed by the courts for e-discovery purposes.  Google Docs, and Gmail, stores everything. 
  • Google Docs exists as an independent product from Document Management Systems (DMS). As a result, it cannot be integrated with an in-house DMS or part of a company's overall enterprise content management (ECM) strategy.  In other words, you can't develop a record retention policy that can be followed with these documents. 
  • The document versioning method is quite different. For example, a particular MS Word document in a DMS such as iManage will present itself as "document_number.1" and a new version is saved as "document_number.2". The same document created in Google Docs will present itself as two separate entries in the "revision history". Hence, a Google Docs document would be saved as "document_name" and a new version would be saved as a separate document but renamed as "document_name_revised".  As a result, there is no easy way to move all the separate entries into a DMS as a single document with different versions.

Google Docs may be more appealing to smaller businesses that do not want to worry about internal networks and in-house DMS issues.  But large or small, whether Google Docs is a feasible solution depends on your business infrastructure, records compliance requirements, and the resources available to manage it.  Before taking the plunge, consult with Google, your legal department, and perhaps your existing e-discovery vendor on how Google handles litigation holds and document search and retrieval in e-discovery situations.

Regardless of its short-comings, Google Docs could be a solution for certain businesses that don't require a DMS and the main focus is document collaboration without overburdening the IT staff.

Cirrus, Stratus, Cumulus - What's in Your Cloud?

It's official. The Big Blue (a/k/a IBM) joined other technology behemoths such as EMC, Cisco Systems, and Sun Microsystems by creating a Cloud Computing Division to handle the increasingly complex digital information environment, as reported by eWeek.

Not only is this a significant business development for technology companies that span the globe, but it is also a recognition of the importance of a single point of contact in terms of managing data centers to supply infrastructure for cloud-type services.

Although cloud computing is as pervasive and complex as the classification of clouds in atmospheric terms, it can be summed up as computing from anywhere at any time, as IBM articulated in its overview of cloud computing. Despite this massive web of interconnectivity, it can also be cohesive, if it is well-managed.

But what does cloud computing have to do with e-discovery? When information is transported across the Internet, it is done in the form of bits and bytes wrapped in data packets, which contain lots of information about the information that is being transmitted. Each data packet has a header and a "payload." While the header keeps overhead information about the packet, the service and other transmission-related things, the payload is the data itself.

A packet header includes the source IP address, the destination IP address, and the type of service. If you compare data packet delivery to the US Postal Service, a data packet would be similar to an envelope with the sent and return addresses (header) along with the actual sealed document (payload) delivered via First Class or Standard (type of service). So, in essence, a data packet contains information not dissimilar to metadata in any electronic documents.

On the issue of discoverability, we all know that metadata can be subject to discovery.  Courts have held that when a party is ordered to produce electronic documents, as they are maintained in the ordinary course of business, the producing party must produce those electronic documents with the metadata intact.  See Williams v. Sprint/United Mgmt. Co., 230 F.R.D. 640 (D. Kan. 2005).  On the flip side, the Federal Rules do allow a party being asked to produce metadata to move for a protective order if the requested metadata is "not reasonably accessible" and will result in "undue burden and cost."  See F.R.C.P. Rule 26(c) and Rule 26(b)(2)(B)

The question remains, however, will data packets be handled in the same way as metadata?

Now that the major tech players have separate divisions to handle cloud computing, it presents potential advantages in retrieving data that proved to be difficult to track in the past, particularly for law firms and companies that have a multinational presence. This may be good news for the e-discovery universe since data and packets can now (at least in theory) be traced or retrieved in a more controlled manner. Unlike language issues in e-discovery, the world of data packets still conveys itself in expression of zeros and ones.  However, it might be bad news for companies that are trying to reign in their e-discovery costs and obligations.

Regardless of technological advances, it remains to be seen whether courts will require technology companies to retain "records" of transient information such as the astronomical number of data packets that traverse through the Internet by the millisecond.

Cloudy Days Ahead for E-Discovery

When it comes to e-discovery, your IT department and forensic experts may be ill-equipped to search, organize, and produce electronic files and documents that are outside the realm of the firm's internal network infrastructure.

The proliferation of vendors that offer web-based computing solutions compounds this problem. Commonly referred to as "Software as a Service" (SaaS), they range from simple email accounts to office suites to whiteboarding and other types of collaborative tools.

This technological alphabet soup in turn facilitates cloud computing and/or utility computing. Basically, it translates into a user's ability to access services from the Internet without having control over the technology infrastructure that supports them. From the IT management perspective, it's like the Wild West of computing. Here's a brief discussion on cloud vs. utility computing.

Lawyers are increasingly mobile due to the shear number of devices, applications and services that connect people, ideas and places. Invariably in-house software may be viewed as inadequate due to various reasons-- system downtime, malfunctioning, subpar performance, and even personal preference. Much to the chagrin of IT staff, users quite often resort to applications that fall outside of the firm's offerings. After all, no firm can acquire and support a large number of applications without a significant drain on IT resources.

Without evolving laws dealing with this type of computing environment, significant barriers will present themselves in the context of e-discovery. First, SaaS providers typically do not have document retention schedules nor are they obliged to initiate litigation holds. Second, information stored on 3rd party systems (databases and server farms) may require subpoenas for retrieval.

In the foreseeable future, e-discovery will no longer involve solely the litigation parties and their respective technical gurus. A multitude of Internet services and ASPs could conceivably be targets of discovery and the cost could escalate with no relief in sight.