Does your cloud strategy take into account the fact that your company may be sued or may need to initiate litigation against a third party, and may have to comply with rules regarding the protection and provision of evidence?
Unique rules apply to documents and records when a dispute arises and there is a threat of litigation, or a complaint has been filed and served. This complex process involves many aspects, including, for example, preservation of evidence (so evidence necessary for trial is not destroyed), identification of evidence that is relevant to the case, and delivery of this material to the other party in a form and format that is useable. When this evidence is in electronic form, the plaintiff (or potential plaintiff) and the defendant (or potential defendant) must follow stringent rules imposed by the e-discovery provisions of the Federal Rules of Civil Procedure and state laws.
When these electronic documents have been stored with a cloud service provider, additional complexity arises because the data owner no longer has full control over its documents. It must find a way to make the cloud service provider cooperate on
Preservation of evidence
The law imposes on the parties to a dispute a duty to preserve information that may become evidence in a lawsuit. Failure to implement a “litigation hold” carries significant legal consequences. A litigation hold is the process by which information is identified, preserved and maintained. It is intended to ensure evidence, when needed, will be available. Thus, anything that may result in hampering the discovery process or the production of evidence will expose a company to significant risks of adverse action by a judge.
Courts have imposed hefty sanctions on litigants that have failed to adequately preserve their data or organize the proper litigation hold A case may be dismissed in whole or in part, or the jury may be instructed to assume the missing or unavailable evidence was in favor of the other party.
There have also been sanctions when parties did preserve the evidence, but transferred it to a less accessible format that made it more costly and time consuming to retrieve. The litigant may be required to bear the cost of recovering the data, assessed substantial monetary penalties, and required to pay attorney fees.
Thus, it is important to prepare adequately for the eventual need to initiate a litigation hold and preserve the needed evidence. In a cloud setting, where the cloud provider may have its own constraints, ways of operating and other obligations, the preservation of evidence reaches a higher level of complexity.
Identification of data custodians and data segregation
It will be necessary to identify the data that may be required in a dispute and the likely custodians of the data. For example, while some of the data may be located with your primary cloud service provider, back up or archives may be stored with a different cloud service provider. Make sure you have up-to-date data maps in place that identify the specific custodians of the different types of files.
Once you have identified the specific data within the scope of the litigation hold, it may be complex or cumbersome for you and your cloud service provider to segregate the material to be preserved from data that isn’t subject to the litigation hold. How would you and your cloud service provider proceed to segregate the required data? Would it be easier or more efficient to preserve more than the information pertaining to the dispute in order to limit the time spent parsing the relevant data? Consider also preparing in advance for the need to launch a litigation hold, and ensure files are organized and segregated in a manner that allows the parsing to be done more efficiently.
Storage duration and cost
It may be that the duration of the preservation requirement is longer than the terms of the cloud service agreement. What would happen to the data if your contract with the cloud provider expires before the end of the required retention period?
Would it be better to make a copy of the data or application at a certain time, and retain this copy outside the cloud? In this case, if you take the data out of the cloud, will it be in a format such that the data can be searched as needed? Would you also need a copy of the software applications necessary to process the data? It may be necessary or useful to work -- in advance -- with the cloud service provider to identify the storage method and format that is most appropriate under the circumstances.
When you negotiate a cloud service agreement, you need to make sure your cloud provider will cooperate with you if you need to implement a litigation hold, and you should also understand the cost associated with it. Understand what may be involved, and what will be charged in addition to the mere cost of storage. Will there be administrative fees? Will there be professional service fees for the retrieving the data? Be aware that preservation might require the storage of large volumes of data for extended periods, and that the related cost might be significant.
Companies need to account for the need to preserve evidence in their cloud strategy and weigh e-discovery cloud issues and cost in their due diligence, contract negotiation, back-up and archival routine, and performance monitoring.
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing, and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance.. She has been named one of the country’s top privacy advisors in a recent industry survey and has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatise Global Privacy & Security Law, which analyzes the data protection laws of 60-plus countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy & Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.
This was first published in August 2011