In my last tip, I stressed the need to plan ahead for the eventuality that your company would be involved in a dispute and need access to documents or content hosted in a cloud. In this tip, I cover
Putting in place a plan of action for cloud e-discovery by carefully planning for the tools, capabilities or functions you will need, and identifying the players with whom you will interact to obtain documents or evidence, will simplify and ease the painful and time-consuming tasks of document or evidence gathering.
Cloud e-discovery: data access
First, you need access to the data. The conditions for access to the data should be set forth in the service-level agreement (SLA) with the cloud service provider. There may be restrictions or limits on the volume of data that is accessible. The SLA may limit the ability to collect large amounts of data quickly and in a forensically sound manner, so the related metadata are preserved. You should investigate these issues early, and agree ahead of time with the cloud service provider on the feasibility of this access and the procedure to follow. You should also understand the administrative and other costs, as well as the time frame for performing these tasks.
The investigation or collection of evidence is likely to require a large amount of data is downloaded from the cloud site. Check ahead of time on your cloud service provider’s capabilities in this area. Due to the volume of data, this download may require a very large amount of time, so large that attempting to download information would be impossible or take days and a lot of patience. This would be the case for a site that, for security, technical or other reasons, only allows users to download small volumes of data. This limitation could be a significant issue and cause major delays or hurdles in the collection of the information. You should make sure you understand whether it will be possible to bypass this restriction to download the relevant data or whether it will be necessary to seek special services from the cloud provider. If special services are needed, expect additional fees.
Data searches, quality and integrity
The cloud service customer will want the ability to perform complex, granular searches to limit the collected documents to those that are relevant to the subject matter of the search or investigation. An organization needs to find out what search tools the host provides and how efficient they are. You may want to experiment ahead of time with the search capabilities that are directly available to you, and investigate whether other tools should or can be used, where there are located, how to get access to them.
Also, it will be necessary to ensure the integrity of the data, especially in the case of litigation. That is, you must be able to prove the data is accurate, and has not been modified. What assistance and methodology will the cloud provider be able to furnish to ensure the data has not been modified? How will you be able to assure the judge and litigants of the integrity and accuracy of this information?
Cloud e-discovery: Whom to call
An investigation or the collection of evidence will be less painful and more efficient if you have established in advance a procedure for conducting the investigation, know whom to call and what to ask. When a problem, a dispute or a complaint hits the desk of the CISO, CPO or General Counsel of a company, it is too late to try to figure out what to do. Having established lines and methods of communication will be extremely useful. Having a process in place will be even more useful if the cloud service agreement was not negotiated, and the services were obtained through the mere clicking of an “I agree” button online.
The ease of access and ease of use of most cloud computing offerings hide or mask the complexity of the engines, applications and structures that make the machine run and operate. When a company must instead review, analyze and download large amounts of relevant data in a short time, the cloud can be a hindrance if there has been little preparation.
Whether or not you operate in the cloud under a negotiated agreement, it is important to prepare for the day when there will be an investigation of a dispute, and you have a short time to access the relevant data. If you put in place ahead of time the related safeguards, policies, agreements or tools, responding to a request for documents will be much easier.
About the author:
Francoise Gilbert focuses on information privacy and security, cloud computing, and data governance. She is the managing director of the IT Law Group and serves as the general counsel of the Cloud Security Alliance. She has been named one of the country’s top privacy advisors in a recent industry survey and, for several years, has been recognized by Chambers USA and Best Lawyers in America as a leading lawyer in the field of information privacy and security. Gilbert is the author and editor of the two-volume treatiseGlobal Privacy & Security Law, which analyzes the data protection laws of 60-plus countries on all continents. She serves on the Technical Board of Advisors of the ALI-ABA and co-chairs the PLI Privacy & Security Law Institute. This article only reflects her personal opinion and not that of her clients or the Cloud Security Alliance.
This was first published in October 2011