Outside Publication

E-Discovery Considerations for Choosing Cloud Providers, The Legal Intelligencer

August 14, 2013

Reprinted with permission from the August 14, 2013 edition of The Legal Intelligencer© 2013 ALM media Properties, LLC. All rights reserved. Further duplication without permission is prohibited. For information, contact 877-257-3382 or reprints@alm.com or visit www.almreprints.com.

It's 10 a.m. on a Saturday morning in an airport departure lounge. Your employee is about to depart with her family for a well-deserved vacation. Suddenly, her mobile phone buzzes with an email containing an urgent request. She pulls a tablet from a carry-on suitcase and logs on to the airport Wi-Fi network. Within minutes she is able to access her business documents, make the requested edits, and email back the final product. She can then turn back to her vacation plans. Your customer is thrilled with the timely response. Everyone wins, right?

Cloud Computing Goes Mainstream

The widespread adoption of the use of email in the mid-1990s fundamentally changed the way that the world does business. The nascent cloud computing industry is poised to again alter the way that we think about and use data. Cloud computing is broadly defined by the National Institute of Standards and Technology as "a model for enabling ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources ... that can be rapidly provisioned and released with minimal management effort or service provider interaction." Those very characteristics - significant cost savings coupled with ease of access and collaboration, low maintenance, scalability and customization - make cloud computing very attractive to most businesses. Indeed, various recent studies have shown that a majority of businesses are either utilizing cloud computing or planning to implement it in the near future.

It is very hard to argue against a technology that can provide high benefits at low cost. However, there are very real risks inherent in the adoption of cloud computing that must be taken into consideration. These risks include, among others, those pertaining to electronic discovery. Failures in meeting discovery obligations of identification, preservation, collection, or production of data can also expose a company to serious sanctions. It has become established law that the act of turning to the cloud will in no way shield an entity from these obligations and risks.

For this reason, it is absolutely essential to consider potential risks when evaluating whether and how to take advantage of the benefits of the cloud. One of the most important decisions that must be made is choosing the provider or providers through which your company will access the cloud. Factors in that decision should include security and data integrity, reliability of provider and platform, physical location of servers on which the data will reside, commingling of data, and the provider's willingness to provide customized services or contract terms.

Key e-Discovery Elements in Cloud Computing Contracts

Most cloud computing providers utilize standard service level agreements (SLAs) to govern their relationships with customers. Most of these SLAs do address business needs and data security, but very few take on discovery or other legal concerns directly. However, legal considerations may be encompassed by other provisions. It is crucial for you as in-house counsel to be involved in the negotiation of cloud contracts so you can ensure that each SLA has key provisions that will allow your company to meet its discovery obligations if and when data stored in the cloud is subject to litigation and/or an investigation.

A good SLA should indicate that your company retains ownership and control of its data stored in the cloud. Access to data should be specified, including any provider personnel specifically excluded from the data. Ideally, company users should be able to access and export data from the cloud at any time.

In order to best meet discovery obligations, an SLA should spell out key discovery-related provisions. For preservation of data residing in the cloud, specify how a legal hold will be implemented. In particular, ensure that auto-delete settings can be suspended in a timely manner, if required. The SLA should include key terms for accessibility, including how quickly your company's data can be accessed and retrieved when facing litigation or an investigation. Include key provisions specifying the format in which data will be stored and retrieved, including corresponding metadata. Given the sheer volume of data that your company may store in the cloud, consider SLA provisions regarding the type of collections that can be utilized. For example, can the provider execute searches and targeted collections? Discuss what e-discovery tools the provider utilizes for the search and collection of data. You should confirm that the provider's tools do not alter metadata during search and collection. Last, consider including a risk-of-loss provision in the event that potentially relevant data is deleted or altered due to the provider's error.

Other key provisions for consideration include details as to how the cloud provider will acknowledge your company's requests to delete or preserve data, including that all such requests will be complied with in a timely manner and that the cloud provider will document all efforts to carry out your requests. Also determine how the cloud provider will notify clients and respond to subpoenas. There should be language in the SLA requiring the cloud provider to notify the company in the event that the provider receives a third-party subpoena for your company data. Establish in the SLA that your company has the ability to challenge, answer and/or quash the subpoena.

Finally, consider including provisions in the SLA that address disaster recovery plans, what would happen to your company's data in the event that the provider is acquired by a third party and the process for transitioning the data at the end of the customer's relationship with the provider.

Don't Forget Your Internal Policies

Once the cloud provider and platform have been selected, it is necessary to ensure that your company's internal policies and procedures are in place to minimize risk. Existing acceptable-use policies should be reviewed to make sure the policies encompass work done on the cloud or with personal devices such as phones and tablets. Preservation and legal hold notices should clearly state that they apply to data housed in the cloud. Steps should also be taken to minimize security risks caused by cloud access through public Wi-Fi networks.

When done correctly, cloud computing can be a great opportunity to enhance collaboration and flexibility in the workplace at reduced cost while protecting data and minimizing legal risks. Of course, your vacationing employee may not thank you for it.

Tara Lawler is a senior attorney in Morgan, Lewis & Bockius' eData practice, resident in the firm's Philadelphia office. Katie Langston is an associate in the firm's eData practice, also resident in the firm's Philadelphia office.