Cloud-based services can be an efficient and cost-effective way to address a law firm’s data management needs. While contracts for cloud services typically address data security and service reliability, sometimes practical considerations surrounding the need to preserve, collect and produce data from the cloud for litigation or investigatory discovery are overlooked.
Courts have little patience for those who fail to meet their electronic discovery obligations, and the excuse that “the data is in the cloud” is unlikely to be persuasive. If you outsource electronically stored information (ESI) to a third party, you have the same obligation to preserve and produce relevant data as you would if the information were housed on an internal system, or stored in boxes offsite.
Start With the End in Mind
The time to ensure your cloud service provider can preserve and produce needed information in a timely manner is before you need it. Here are some things to consider when you or a client enter into any cloud services agreement.
- You own it. You should retain ownership and control of your own data. What will happen to the data if the service provider goes bankrupt or is sold?
- Who can search? What happens if the service provider receives a search warrant or subpoena for information, either for your data or for that of another company? Will you be notified? How? When? What will happen if your data is commingled on the same system as that of other customers who are the subject of a subpoena?
- Your policies rule. The service provider should follow your organization’s data retention (and disposition) policies. Does the agreement ensure that your rules are followed? How will the service provider ensure compliance?
- What about litigation holds? How, and how quickly, will the service provider implement a litigation hold on your data when required to do so? Is the provider preserving all available metadata, and will it be produced on request? How much will this service cost?
- Retrieving it. How easy will it be to retrieve data from the cloud when needed to respond to a litigation or investigatory discovery request? What process is in place to make that request? What analytical tools are available to search the cloud data for relevance? How will the identified data be collected? Can all relevant metadata be preserved and produced without alteration? What forms of production can the service provider accommodate? How long will this service take, and how much will it cost?
- Loss. If the service provider loses or is unable to produce requested data, are you indemnified for any consequences, including the imposition of discovery-related sanctions?
- Where is it, actually? Do you know where the cloud data is actually located? Particularly if your data includes information subject to export control restrictions, it is important that it not leave the United States without appropriate governmental licensing or other authorization. In some cases, placing data with a service provider that uses offshore servers or data centers may make data subject to foreign data privacy restrictions.
If you are using cloud service providers, that cloud data should be reflected in any data map, and the preservation and production of data from the cloud should be addressed in the company’s litigation discovery response plan. Service level agreements (SLAs) addressing the time frames for responding to and implementing a litigation hold, and responding to a data search, collection or production request, should be incorporated into any service agreement. In addition, consider an electronic discovery exercise to test the service provider’s capability to implement a hold and run a data search and production. Finally, the service agreement should also address the costs associated with these services, because they are typically not included in the standard data-hosting agreement.
Although these considerations are by no means comprehensive, cloud service agreements that address these points will help mitigate many of the potential e-discovery risks associated with the use of cloud-based services.
Jeffrey Jacobs is Senior Director of Information Governance and Litigation Readiness Consulting at Epiq (formerly DTI). He has more than 25 years’ experience as an in-house and outside litigation counsel, much of it spent executing or managing complex electronic discovery matters. Jeff spent 10 years as a special counsel in the litigation group of Sullivan & Cromwell’s Washington, DC office, after which he spent seven years as in-house litigation counsel at MCI.