It used to be so easy. You had your data and your customers' data, and you stored it on your servers in the company’s data center, religiously backing it up and ensuring secure access to the corporate data and customer information.
Things have changed. Now your data is likely to be on someone else's server, stored in the cloud. You're probably aware of all the usual availability, privacy, and security issues surrounding cloud storage, but do you know your legal responsibilities for that data? You had better learn them – starting with the technology you need to put in place for e-discovery.
“Organizations should be careful to ensure that a cloud service provider has the ability to efficiently store and retrieve data from the cloud. A provider should have the technological capacity to reduce data stockpiles like traditional on-premise archiving software,” says Philip J. Favro, Discovery Counsel for Symantec, which recently acquired the legal e-discovery business Clearwell. “That means having deduplication functionality as well as the ability to implement company retention policies. Intelligently organizing and storing data in this fashion will more likely enable organizations to timely respond to e-discovery requests and other legal demands.”
E-discovery? Oh yes, lawyers and courts can ask—and sometimes demand—that you turn over your data or the data of a customer. Over the last few years, the legal system has been giving businesses more reasons to retain e-mail and other electronic records. In addition, thanks to laws like the Sarbanes-Oxley Act (SOX), you can end up in legal hot water if you “destroy, conceal, or cover up any record to impede or influence a federal lawsuit or an investigation by any federal agency, or in relation to or contemplation of any such matter or case.”
If you're a CIO, you probably already knew that. It's easy to get into trouble with the courts if your electronic records are a mess.
But what about when your records aren't on your machines, when the data resides on your provider's clouds? You're not off the hook. And you get to worry about a whole new set of legal issues.
“Responding effectively to e-discovery issues in a cloud computing implementation requires that a variety of concerns be fully considered, weighed, and thoroughly discussed by a company’s legal and IT teams prior to any selection of and successful migration to the cloud,” says Rich Santalesa, senior counsel at Information Law Group. “For starters, 'e-discovery' is not a single act, event or process. Rather, it encompasses the search through and production of electronically stored information (ESI) in connection with the entire life cycle of a potential, pending or actual legal action.”
This raises several specific concerns. Santalesa explains, “First and fundamentally, use of the cloud does not change a company’s responsibility to preserve and produce data. Given that the sanctions and penalties for ‘spoliation’ of evidence can be severe – up to, in willful cases, judgment in favor of the other party – a court is not likely to respond kindly to a proffered ‘my cloud provider ate my homework’ excuse if cloud-caused discovery problems arise.”
Organizations should also evaluate the level of control over data retention, Thomas says, suggesting you choose SaaS providers that offer fine-grained control over logging and retention because it allows organizations to tailor a data policy consistent with compliance needs. “It is also imperative to have superior service availability,” he adds. “Make sure SLAs [Service Level Agreements] are in place and the organization runs through e-discovery test scenarios on a periodic basis.”
Once the preservation, retention, and disposal policies have been determined, they should be expressly incorporated in the SLA, recommends Aaron Messing, a technology and information privacy attorney with Olender Feldman. “Since data protection laws generally do not specify the levels of commercial liability, it is important to ensure that your contract with your service providers allocates risk via indemnification clauses, limitation of liabilities, and warranties.” Your business should also reserve the right to audit the cloud service provider’s data security and information privacy compliance measures, so you can verify that the third-party providers adhere to the vendor’s stated privacy policies and terms of service. “Such audits can be carried out by an independent third party auditor, where necessary,” says Messing.
With regard to discovery of ESI, you might want to include in the contract how certain data and metadata will be retained, including the ability to search on the basis of content, sender, recipient, dates, and other attributes. According to Messing, the SLA should also explicitly discuss the roles and responsibilities of the cloud provider and the company, including (but not limited to):
- ownership of data and permissible uses
- the geographical location of the cloud provider's servers
- the cloud provider's use of subcontractors
- encryption and transmission standards
- data breach liability, including notification procedures, data security standards, and other technical security measures
- confidentiality provisions
- auditing rights, logs, and other related responsibilities
- procedures in the event of a litigation hold and/or discovery
- the cloud company's business continuity plan/disaster recovery procedures
- provisions in the event of a dispute with the cloud company (so that data cannot be held hostage)
- onward transfer agreements (in the event that the business migrates cloud providers)
Santalesa adds, “Notification contacts, processes, and procedures also need to be weighed. While e-discovery inevitably brings to mind action by the company, in many cases a cloud vendor may be contacted directly by an opposing party, governmental agency, or other entity seeking information without notifying the owner of the data. Any cloud contract should spell out how such requests are handled and provide timely notification, preferably in advance of responding to the third party.”
In addition, Matt Stamper, Vice President of redIT, a cloud computing provider, together with attorney Neil Ray of Sheppard Mullin, says there are four e-discovery questions you should ask of any cloud provider:
What’s the service mix? There’s a huge amount of variance between cloud computing providers on what they actually do for clients. It’s critical to know what services are in scope and how they are covered, including security, monitoring, backup systems, audits, and information assurance controls. Documentation of regular and one-time work performed must also be made available for an adequate period of time to cover your operational and legal requirements. Remember – detail counts.
Who actually manages the data centers? Some cloud service providers own and operate their own data centers, while others use third-party facilities to deliver their services. Control over the infrastructure is an important consideration when looking at providers and their service offerings.
Who’s liable when? In addition to data centers, many cloud service providers use other subcontractors to fulfill certain elements of their overall offering. While many don’t hide this fact, it is often not specified under what circumstances subcontractors are liable when things go wrong. Be sure to ask the tough questions in advance, such as:
- Does the subcontractor have to provide the same quality of service as the cloud services provider?
- What are the subcontractors’ limits of liability?
- How will disputes be resolved?
It’s important to get answers to these points before signing a contract. Otherwise, finger pointing will be the primary response during an adverse incident, which does no good for any of the involved parties.
What happens if a relationship is terminated? It’s critical to outline how the “exit strategy” will be executed prior to signing a services agreement. Things such as data removal, deletion, and transfer must be spelled out in advance. Chain of custody must also be documented throughout the process, with clear and mutually agreed upon security protocols.
Sound complicated? Well, yes, it is. Technically it's easy to move data to a cloud. Legally protecting that data is complicated. So, come the day you decide to move your files to the cloud, make sure your in-house counsel as well as your CIO and CTO have signed off on the contract. If you don't, you could be in a world of legal trouble.