Hey…You…Get Off of That Cloud
The adoption of cloud computing with the ability to store increasing amounts of data has presented new issues during the discovery process. Most organizations are currently using cloud solutions to store at least some of their data. However, it would be wise to consider other means of storing the types of documents you can reasonably expect to be requested in future litigation.
According to Rule 34 of the Federal Rules of Civil Procedure:
Rule 34. Producing Documents, Electronically Stored Information, and Tangible Things, or Entering onto Land, for Inspection and Other Purposes
(a) In General. A party may serve on any other party a request within the scope of Rule 26(b):
(1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control:
(A) any designated documents or electronically stored information—including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations—stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form
Possession, Custody and Control
A major issue from Rule 34 of the FRCP is whether the responding party is in possession, custody or control when the requested electronic documents are stored in the cloud. There may be an opportunity for the other party to obtain your data by serving a subpoena on the cloud provider, arguing that the cloud provider is also in possession, custody and control of the documents. You may be unable to prevent your opponent from obtaining privileged documents and may not even be made aware of the subpoena to your cloud provider.
International Law (Cross-Border Discovery Conflicts)
Most cloud services store data all over the world. This presents jurisdictional problems with data stored in other countries, many of which have autonomous data protection laws.
Preservation/Legal Holds/Deletion Policies
Your cloud provider may not follow your internal deletion policies, causing your document production and review to be over-inclusive or under-inclusive, depending on its policies. There may also be issues with accessibility for documents that have been deleted by the cloud provider.
Other Issues to Consider
Other issues to consider when storing data in the cloud are whether you have the ability to easily preserve, access, search, stamp and produce your organizational data. Also, does your cloud service provider commingle your data with that of other organizations it contracts with? If so, does that diminish your ability to perform those discovery processes and to provide an accurate chain of custody? Most importantly, is your data secure, and can you rest easy knowing that no one besides members of your organization is able to access it?
Limit the types of documents stored in the cloud. If your organization is one that is involved in regular litigation, it is often wise to narrow down the types and categories of documents that may be stored in the cloud. It may also be advisable to use other solutions for certain custodians whose documents are requested regularly. Make sure these types of decisions are discussed and a policy is developed, adopted and regularly communicated to your organizational members in order to show it is reasonable.
Even if you are using the cloud for a portion of your data storage, know your cloud service contract inside and out. Especially be concerned about your ability to defensibly delete, access, search, preserve and produce your data stored in the cloud, not to mention understanding the security measures in place. Have a plan for what happens when the contract with your cloud provider ends or the cloud provider goes out of business.
Consider leasing server space in a data center, especially one operated by a data discovery company. Many of these are highly scalable, more affordable than you might think and worth the extra investment. Like cloud providers, data discovery companies come in many shapes and sizes. Make sure you work with one that has a data center with highly secure intrusion and access control systems and top-of-the-line physical and cybersecurity controls and management. To assuage your concerns about data security, there are certain certifications that any data center you consider should have.
SSAE 16 Certification and an SSAE 16 Type II Report
Statement on Standards for Attestation Engagements (SSAE) No. 16, including the service organization control (SOC) reporting framework (SOC 1, 2, 3), is the authoritative guide for reporting on service organizations. Service auditor’s reports review and test the following:
-Changes to customer production networks and equipment are authorized, verified, appropriately implemented and documented.
-Logical access to system resources is reasonable and restricted to properly authorized individuals.
-Physical access to computer equipment, storage media and program documentation is restricted to properly authorized individuals.
-The physical environment is monitored and protected from disruptive events.
-Client-hosting environments are monitored per client specifications, and deviations are identified and resolved.
-Backup and storage procedures are available to preserve the integrity of programs and data files.
-Network communication between the data center and its client organizations is secure, monitored and configured according to client specifications.
-Redundant V*NET network devices are in place to minimize disruptions due to infrastructure failures.
ISO 9001 Certification
The ISO 9000 family of standards, published by the International Organization for Standardization and available through national standards bodies, relates to quality management systems and is designed to help organizations ensure they meet the needs of customers and other stakeholders. ISO 9001 deals with the requirements that organizations wishing to meet the standard have to fulfill.
ISO/IEC 27001 Certification
ISO/IEC 27001 formally specifies a management system that is intended to bring information security under explicit management control. ISO/IEC 27001 requires that management:
-Systematically examine the organization’s information security risks, taking account of threats, vulnerabilities and impacts;
-Design and implement a coherent and comprehensive suite of information security controls and/or other forms of risk treatment (such as risk avoidance or risk transfer) to address those risks that are deemed unacceptable; and
-Adopt an overarching management process to ensure that the information security controls continue to meet the organization’s information security needs on an ongoing basis.
In addition to the above certifications, other factors to consider in a data center are:
-Redundant independent power sources
-Tier I backbone Internet connectivity
-Monitored environmental controls and systems
-State-of-the-art VESDA smoke detection system
-FM-200 fire suppression system
-Escort access only
-Onsite personnel 24/7/365
Finally, it is important to understand the possible tier levels of the data center in which your data is housed. There are four tiers of data centers, the fourth being the most stringent and secure and the first being the simplest, essentially a server room. The Telecommunications Industry Association is a trade association accredited by ANSI (American National Standards Institute). In 2005 it published ANSI/TIA-942, Telecommunications Infrastructure Standard for Data Centers, which defines the four tiers for data centers in a thorough, quantifiable manner. They are described here: http://www.tia-942.org/content/162/289/About_Data_Centers.
Managing and storing data in the cloud can be the most cost-effective solution for many; however, serious due diligence is required to ensure that all data is protected and to guarantee eDiscovery best practices. Data security should be a prime concern, particularly when dealing with client data. Furthermore, if selecting a service provider for hosting or managed services, you must complete your due diligence to make sure the provider maintains the requisite security protocols and data security in its data center.