Identifying, retrieving, and producing electronically stored information (ESI) in response to a subpoena can be a time-consuming and costly business. Processing just one gigabyte of data in response to an electronic discovery (eDiscovery) request can cost at least $30,000, according to the Sedona Conference Journal.
It's not surprising, then, that few cloud providers have yet addressed the issue of eDiscovery responsibilities in their standard contracts. But that leaves enterprises with their ESI in the public cloud at risk. "Courts have shown little patience for companies that fail to meet their discovery obligations," says Kim Leffert, counsel in the litigation practice of Mayer Brown. "An excuse that 'the data is on an outsourcing provider's systems' will likely fall on deaf ears." Indeed, courts have issued sanctions for failing to respond to ediscovery requests, including fines, suit dismissals, default judgments, and even potential jail time.
A company that outsources its ESI to an third party has the same obligation to preserve and produce relevant data as it would if the information were housed on its own servers, says Leffert; they may even face more risk if the subpoena or discovery request goes directly to the cloud provider.
While eDiscovery responsibilities are negotiated and written into most traditional outsourcing contracts, cloud computing providers have been reluctant to address the issue as it would require more customisation than they say their business models are built to accommodate. And that's unlikely to change anytime soon. "We're probably in round one or two of cloud computing, and this is a round three, four, or five [issue]," says Leffert. "[Cloud computing] customers may not be thinking about it either. They may view cloud [offerings] as more of a storage thing - like taking boxes of documents and putting them into a records warehouse."
But smart IT leaders should be proactive about addressing the issue before the prospect of litigation or government investigation arises, especially since the time frames for responding to ediscovery requests are often limited. "Even if the time frame is two months, that could be very short if you're talking about producing and reviewing 2 million documents," says Leffert. "A request to get six months of emails from one person is one thing; three years of emails from 100 people that's something else. It's all a matter of scale."
There are several steps IT leaders can take to make sure they don't run afoul of ediscovery requirements when storing their data in the cloud:
1. Develop a records management program
Don't leave the fate of your data to the provider. "Companies need to think in advance about how they're managing their own records," Leffert says. "Where they are, how they're organized, and when - if ever - they should be discarded." That knowledge will make responding to eDiscovery requests and subpoenas more efficient and also provide a potential defense to claims of improper destruction of evidence.
2. Create a litigation response plan
Consider including litigation readiness provision in your cloud computing contract, requiring the vendor to develop and implement a litigation response plan. That plan could include a list of responsibilities for data preservation, regular meetings to discuss and update the strategy, and the appointment of an experienced ediscovery professional at the vendor to oversee the process.
3. Handle privileged data with care
If the cloud provider has access to information that may fall under the category of attorney-client or work-product priveleges, add a contractual clause to protect that data specifically. That might come in the form of restrictions on privileged disclosure, defining all communication to and from the legal department as privileged, or reserving the option to designate protected information at a later date.
4. Address third-party requests
Opposing parties in a lawsuit or government agencies with subpoena power can demand access to a company's data directly from its cloud computing vendors, opening up the possibility that the provider might divulge information that should not be shared. Mitigate that risk by inserting a provision that the vendor immediately contact a company representative upon receipt of any data request or subpoena, forward a copy of the request or subpoena to the company (if legally allowable), and confer with the customer prior to response.
5. Tell your provider if you're about to be sued
When litigation has been filed - or is expected - inform your provider immediately. Consider sending your provider a copy of the litigation hold notice that describes all items to be preserved, advises Leffert, and meet with the vendor to answer any questions or concerns.
If litigation progresses, it's time to ask more from the cloud provider, such as cost estimates for the data preservation and production and explanations of why preservation or production of certain documents is not possible or feasible. It's also a good idea to require the cloud provider to document all the steps it is taking to fulfill its obligations, says Leffert. That will help to ensure not only that they're responding in good faith to the ediscovery requests but also can serve as evidence of the customers' due diligence in complying with its obligations.