By Katie Taylor
SaaS, PaaS and data hosting providers stress the significant efficiencies to be gained from cloud computing when marketing their services. Depending on the cloud computing system you are considering, however, a number of features may have a significant impact on your company’s ability to comply with electronic discovery obligations should it be sued or subpoenaed.
Court rules require litigants to preserve and produce relevant electronic data in litigation (See, e.g., Fed. R. Civ. P. 34(a)). Failure to do so can result in significant monetary sanctions, an adverse inference of liability and/or a default judgment against the company. Courts have traditionally held companies responsible for preserving and producing electronic data that is within the company’s “possession, custody or control” (Fed. R. Civ. P. 34(a); In re Bankers Trust Co., 61 F.3d 465, 469 (6th Cir. 1995); United States v. Int’l Union of Petroleum and Industrial Workers, AFL-CIO, 870 F.2d 1450, 1452 (9th Cir. 1989)). Data is considered within a company’s “control” if it has the ability to order a third-party contractor to provide it upon demand, or if it resides with a third-party as a result of a contract to provide a service for the producing party (See Columbia Pictures Indus. Et al. v. Bunnell, No. CV 06-1093FMCJCX, 2007 WL 2080419 (C.D. Cal. May 29, 2007) (requiring defendant to produce data stored with third-party data storage provider and finding such data to be in the “control” of the customer because the customer had the ability to direct its data to the contractor or prevent such direction)). Accordingly, there is a significant likelihood that your company will be considered in “control” of its electronic data, even when that data is maintained in a cloud solution.
For these reasons, a company that may become involved in litigation should carefully analyze potential electronic discovery issues when considering a cloud solution contract. Before signing on the dotted line, here are some e-discovery issues to consider:
(1) Data Retention & Retrieval: Does the proposed system retain data for significantly longer than the company’s standard document retention policy, thus significantly increasing the volume of data that will have to be preserved and searched in the event of litigation? Does the proposed system include automatic deletion of data at some interval and, if so, can your company’s data be segregated and exempted from the deletion policy if it becomes subject to a legal hold? Will the provider readily cooperate with legal holds? How easy or difficult is it to collect data in a usable and producible form from the provider?
(2) Comingling Of Data: Will your company’s data be comingled with data the provider receives from other customers? How easy or difficult is it for the provider to segregate and search your data? If another customer is sued or subpoenaed, can the provider prevent your data from being retrieved in the other customer’s electronic discovery searches?
(3) Privacy Laws: Will your company’s data cross international borders and possibly become subject to another country’s privacy laws? If your data is comingled, what steps will the service provider take to ensure that privacy laws are observed during preservation, collection and production of electronic data?
(4) State Ethics Rules: Law firms and other enterprises in the legal services industry must also observe their state’s ethical rules when contracting for cloud computing solutions. Although eleven states have issued ethics opinions permitting lawyers to use cloud computing solutions, the lawyer must take steps to ensure that the system will allow the lawyer to maintain the confidentiality of client data. Accordingly, legal services providers should ask about the security of the cloud computing solution, and whether other users can obtain the lawyer’s data.
The answers to each of the foregoing inquiries will differ significantly among cloud solutions and providers. And the importance of any single factor will differ significantly depending on the litigation risk profile of the company and the nature of the data being housed in the cloud. A CIO or other company officer considering a cloud contract would be well-advised to consult the General Counsel’s office and/or an attorney knowledgeable about electronic discovery issues to ensure that the cloud solution is consistent with the company’s document retention policies and electronic discovery collection procedures, and thereby avoid a potential problem down the road.