Legal challenges in cloud archiving and e-discovery
January 2012 | TALKINGPOINT | LITIGATION & DISPUTE RESOLUTION
FW moderates a discussion covering the legal challenges in cloud archiving and e-discovery between Michelle Martinez Reyes at Clarium Group, Neal Lawson at Intelligent Discovery Solutions, Inc (iDS), and Wayne C. Matus at Pillsbury Winthrop Shaw Pittman LLP.
FW: More companies are collecting, storing and communicating their information electronically. What e-discovery considerations and implications should companies consider when migrating to the cloud?
Lawson: The revolution is underway as a broad spectrum of organisations has embraced cloud computing. However, there is a struggle to find best practices as regulators and courts have not yet had the opportunity to address e-discovery in the cloud. Companies should consider the following when entering the cloud. First, have an escape plan. Know how you’ll get your data out, whether for discovery, compliance, or change in provider before you enter. Second, don’t just toss your dirty laundry in a drawer and forget about it. Use your migration to the cloud as an opportunity to clean your records management house. Third, set standards. Clearly define who can use cloud data and when. Fourth, create and test a response plan before moving to the cloud. Finally, know where everything is. Maintain an accurate data and system map.
Martinez Reyes: As cloud computing becomes the new information technology (IT) standard for enterprises of all varying sizes and industries, replacing the traditional legacy IT systems, companies need to become better educated on evaluating and managing their own proprietary systems and related providers. From collecting, storing and transmitting key business data electronically, to sustaining the necessary technological infrastructure and processes, companies need to focus on the basics of hardware, software, peripherals, and applications. Pivotal areas for cloud computing environments also entail sensitive IT concerns and e-discovery key factors such as security, compliance, data storage, privacy, intellectual property, and disaster recovery. Businesses must consider and plan for how they will be affected by arising legal issues including e-discovery during design, planning, implementation, and migration to cloud computing.
Matus: E-discovery requires at least seven distinct steps: the identification; preservation; collection; processing; review; analysis; and production of electronically stored information. Before migrating to the cloud, companies need consider how they will continue to perform each of these steps once they have migrated. For example, many companies have developed methods for both the identification and preservation of information ‘in place’ within the corporate firewall. Will there be a corresponding method when adopting a provider’s cloud solution or can one be created?
FW: Broadly speaking, what are some of the major risks associated with data storage in the digital age? What weaknesses are associated with generic retrieval and file sharing processes used by companies?
Martinez Reyes: The primary concern and grandest associated risk with any form of data storage is ultimately security. Studies show over 60 percent of data breaches occur from within IT environments, and that percentage may equally apply within a cloud environment. Basic cloud architecture functions on the premise of optimising costs and streamlining performance by aggregating both physical and human resources. The overall percentage of security vulnerability may be greater in cloud environments without logical and physical segregation of the data stores. Security in the digital age goes far beyond the heights of necessary spam and virus protections, encryptions, passwords, or even hacking and intellectual property violations. Security encompasses an ever-changing IT and cloud-based landscape of threats. Data in stationary form, in varying grades of storage facilities or archives, and/or data in transit via sharing or retrieval pathways, can be targets. Security weaknesses can arise in archive or transmission cycles at any time. Key factors for consideration and to reduce risks such as data breach include adequate security procedures, from both businesses and IT and cloud computing providers, and also viably demonstrate legal parameters for data integrity and varying chain-of-custody compliance issues. Private, customised, scalable, and centralised cloud computing environments afford businesses the luxury of prioritising their security needs on demand.
Matus: The major risks associated with data storage, which I take to mean ‘data-at-rest’, include data confidentiality; integrity; infrastructure security – at the network; host and application level; access control; availability; and internal data leakage by authorised users. The technical ‘weaknesses’ within the corporate infrastructure are reasonably well addressed with security tools available to IT professionals that ensure proper access control – such as authentication, authorisation, and auditing – and provide data leak prevention (DLP). The more significant issue is how the paradigm changes when the enterprise employs a public cloud. In that case, your network topology will likely need to change as you are using internet facing resources and your corporate data will now be both ‘data-at-rest’ and ‘data-in-transit’.
Lawson: One of the biggest risks with data storage today is the misnomer that storage is cheap. Yes, the physical devices and even the software required to store information have consistently decreased in cost while increasing in capacity. Now, cloud-based on-demand storage has made the cost of procuring storage an afterthought. It’s not the cost of storage; it’s the cost of maintaining and protecting the information located on these physical or cloud-based devices. This requires analysts and engineers. It’s also the cost of not having records management guidelines which leads to not knowing what data you have, or don’t have, and not knowing where it’s stored. The lion share of records management, including e-discovery costs, relate to harvesting, processing, analysing and reviewing information unrelated to the matter at hand. The term ‘big data’ is thrown around a lot and companies the size and scale of IBM are spending billions to create insight through information awareness. The lack of awareness and cost to achieve it are driven by the data you store.
FW: If a company is involved in a dispute, to what extent can the process of collecting, analysing and reviewing electronic documents become costly, challenging and risky?
Matus: The entire process contains varying elements of cost and risk. Interestingly, the areas of risk and cost differ. The greatest risk, as demonstrated by case law, is the failure to preserve relevant information. Most cases involving sanctions arise from fact patterns that cause a court to conclude that a party should have identified and preserved information, but did not take timely or adequate steps, if any, to do so. On the other hand, the greatest cost is associated with the human review of electronic information. Electronic documents, in quantity, are simply quite time consuming to read and analyse for relevance and significance.
Lawson: Having a clearly defined process can definitely help manage dispute related fees and risks. However, process alone is not the proverbial silver bullet. This ties back to the major risks associated with data storage – the extent to which an organisation has clearly defined records information management (RIM) guidelines, truly has a handle on what data exists within the organisation, understands the business purpose, or value, of its information, and knows where data is located directly impacts downstream ‘discovery’ or dispute related activities. A defined process means the same steps will be executed in the same order. It doesn’t mean that each step will be efficient or cost optimised. The items listed above – to the extent an organisation doesn’t address them – will each require manual attention or ad hoc analytical processes for dispute related activities. As the snowball of costs rolls downhill it only becomes larger as an organisation moves through collection, analysis, and review. The size and complexity of each stage only expands downstream efforts and increases downstream risks.
Martinez Reyes: Businesses must acknowledge that IT and legal compliance must work in unison. The costs and risks associated with e-discovery and legal liabilities for companies are often so high that enterprises are requiring e-discovery competency training, standards, automation, and even built-in preventative controls to the core business systems and process via cloud computing platforms. The costs and complications of e-discovery involve collecting, processing, analysing and reviewing electronic documents in response to investigations, litigation, and legal and regulatory inquiries. Cloud is facilitating and enabling proactive preparations for businesses to minimise risks. IT is no longer an optional business accessory or upgrade, but a primary operational platform. The vitality of most businesses rests on IT as a backbone for accounting, marketing, transactional, communications, and otherwise across the spectrum of core business functions.
FW: How important is it for organisations to understand the process of e-discovery in order to meet compliance requirements? What penalties might be issued to companies for non-compliance?
Lawson: Understanding the e-discovery process and its associated obligations is critical as one can’t deploy a defined process without identifying clear goals and objectives. In the world of cloud computing and global outsourcing it’s fair to discuss who should ‘own’ the process and at what depth an organisation must internally understand the detailed process. Cloud providers, attorneys, and consultants alike are experts in this area and can provide critical thinking and support. It’s up to the organisation to determine the right mix. At a minimum they should be cognisant of the risks and high-level obligations. Only then can a company make an informed business decision on who is best suited to address which pieces of the process. Failing to weigh your options and execute on a sound business decision could lead to significant downstream costs and may bring unwanted legal and business risks in the form of sanctions or summary judgments.
Martinez Reyes: Cloud computing providers and enterprises themselves must acknowledge that e-discovery is a complex process that involves numerous parties including IT, as well as internal and outside legal counsel. Vendors and service providers should offer technological features and capabilities that address e-discovery issues on behalf of their customers. It is essential that organisations at all levels accept and comprehend e-discovery and that it is indeed a cornerstone of business litigation. IT and legal counsel often work closely and in tandem on many projects, with legal counsel providing search parameters and legal ease and IT providing technical expertise to tap key sources. The requirements for e-discovery in civil litigation are outlined within the Federal Rules of Civil Procedure, addressing electronic data, otherwise referred to as electronically stored information (ESI). Penalties for non-compliance for businesses are stiff and costly overall. Companies should regularly consult with and include their legal counsel on all related business matters as a quasi-healthy screening for any issues overall.
Matus: An organisation that is involved in litigation is presumed in the US to be on notice of the Federal Rules of Civil Procedure and will be sanctioned for noncompliance. Ignorance was, but often no longer is, a mitigating factor. The extent of internal corporate familiarity with what is necessary for compliance varies, as a company can certainly rely upon outside counsel for advice. However, a company must know when it is necessary to seek counsel’s advice and needs to have systems in place to identify and preserve information, before it is lost, once it is obligated to comply. I recommend to most clients that we assist them in creating a litigation hold process to identify when there is a likelihood of litigation, as that is the trigger that initiates the obligation to preserve evidence in most jurisdictions, and to implement a litigation hold once triggered.
FW: How does data privacy factor in to e-discovery and cloud computing strategies? What additional complexities do international companies face?
Martinez Reyes: Cloud computing strategies should include data privacy as a necessary and key security factor. Although security is the greatest risk in utilising cloud platforms, the benefits of cloud computing greatly outweigh the negative matters. Key points to consider throughout the e-discovery process overall and to include in related IT and business strategies are, but are not limited to identification; preservation; acquisition and collection; processing; review; analysis; and production. International businesses in particular may have a higher level of complexity or risk in dealing with this area due to lack of uniform country standards globally and otherwise. Varying local laws, privacy laws, regulatory matters, applicable labour and employment issues, among many other legal ramifications, all factor into the larger e-discovery landscape, particularly in cloud computing configurations.
Matus: In the typical case in the US, involving US data, data privacy is a potential factor, but a factor that the parties and the court are almost always able to address with a protective order issued by the court. When international companies are involved, US-based or otherwise, and the data is non-US, the data privacy issues often are quite complex. For example, the preservation of what is considered to be personal data in the EU other than in the ordinary course is considered processing, requiring consent of the data subject. However, the US court considers preservation of potential evidence to be a fundamental obligation of each litigant for all data in its possession, custody or control regardless of its character. So, a company, for example, might be obligated to hold data by US law, but obligated not to hold it in Spain. Resolving this type of conflict requires experience and patience to navigate and potentially negotiate a resolution. Not all conflicts can be resolved, and at that point one must address risk mitigation. As to cloud computing, the same considerations a company already addressed regarding the movement of data across a border before the advent of the cloud still apply to the cloud. If your data could not be moved outside of your borders without certain protections, such as standard contractual clauses under Article 26(2), before there was a cloud, you need those protections for such data in the cloud. All the cloud does is add a significant level of potential complexity, unless managed properly – especially if you are using a public cloud.
Lawson: This topic is critical for e-discovery and bridges information security, technology infrastructure, compliance, and records management to mention a few. It also serves as one of the primary risks that corporations will face and should consider as they expand. Without careful consideration data privacy can become the tail that wags the discovery dog. If jurisdictional data privacy obligations aren’t considered for those companies with even the smallest international presence, e-discovery costs and risks can increase exponentially. Imagine having to recreate a production processing, hosting, and review platform in multiple countries. Envision the process and time required to facilitate a manual review of each custodian email account by the owner before any discovery preservation or other activities begin. Now think about the judge who has mandated a discovery deadline with harsh penalties for non-compliance. It becomes easy to imagine a hypothetical situation where a company is forced to decide between violating local data privacy laws or a court order. Data privacy should drive infrastructure and information management strategies so it doesn’t end up dictating discovery process.
FW: What trends have you seen with e-discovery providers using (or not) the cloud for service delivery?
Matus: It is important to make a distinction here between a public cloud service and a private cloud service. Providers tend to use private clouds, which are very similar to traditional outsourcing models.
Lawson: Quietly, many providers have been moving their infrastructure to the cloud as a means to control their own costs. Some of the smaller providers have even made this transition without knowing about it as their third party tools have made the jump. Trends I’ve seen lately have providers unapologetically offering cloud-only based solutions. In fact, discovery related functionality is now being sandwiched into information management cloud solutions. So far it isn’t a perfect marriage but this is where big companies are headed. Most recently I’ve noticed the emergence of cloud-based offerings that focus on social media solutions for compliance and e-discovery needs. This niche will expand significantly in the coming years.
Martinez Reyes: As cloud computing rises steadily in use and popularity, and cloud systems uniformly become the standard required operating IT platform, most providers will be utilising the cloud. Definitive trends are difficult to pinpoint in this highly confidential and sensitive area where IT serves as a bridge for the law. However, regardless of trends, it is fairly conservative to predict that e-discovery providers in particular will switch to cloud as a preferred platform for service delivery. Cloud offers full control, customisation, access, and transparency. Transparency being key to e-discovery and legal concerns, cloud will provide a streamlined and centralised turn-key solution to a complex process with maximum controls.
FW: In your opinion, should companies be doing more to address the issue of handling their electronic information? What key points should be considered when reviewing existing systems and processes?
Lawson: A company’s strategy and execution for handling electronic information should be considered as a key factor to the success or failure of a given venture. If you don’t know what you have, where it’s stored or understand its value, how can you be successful? Key points to consider are to set standards; create and test a response plan before moving to the cloud; and know where everything is. Maintain an accurate data and system map.
Martinez Reyes: My opinion is that companies should certainly be more proactive in addressing their electronic information in a 360 degree fashion. Major areas of focus and specificity should include data handling, data storage, overall IT security and protection, plus so much more. In today’s technologically driven business environment, there has to be a necessary synchronicity between business units, IT units, and legal counsel. The alliance has to exist for predictive, preventive, protective, and resolution based business needs full circle. Key points to consider in review of existing IT and business systems and processes should include a detailed analysis and careful planning including trusted cloud computing and third party providers to facilitate the process.
Matus: There is no doubt that companies should be doing more, and there are numerous key points to consider. However, I have learned from experience that the best approach is not to look at a list of five or 10 key points. A generic list does not work because companies approach data differently: their cultures differ and their business needs vary. The only approach I have seen work is to engage the right mix of retained professionals to perform a risk assessment and then to develop a cost-benefit approach to addressing those risks. This would involve legal counsel handling the legal aspects and information professionals handling the data aspects; the results of such assessments are almost always surprising to senior management and the legal department. The risks are usually not where they were expected. And, rewardingly, clients are always grateful for the advice and well-served.
Michelle Martinez Reyes is a business manager at Clarium Group based in Miami, Florida. She has over 15 years of experience in multi-faceted roles focused on targeted business development, marketing, and communications. Ms Martinez Reyes has worked extensively with US and multinational clients throughout the technology and legal industries and amongst a broad range of corporate industries with professional services firms. She can be contacted on +1 305 721 7055 or by email: firstname.lastname@example.org.
Neal Lawson is the president and co-founder of Intelligent Discovery Solutions, Inc (iDS). He is a nationally recognised expert and thought leader in electronic discovery and information lifecycle consulting. Mr Lawson specialises in the development and analysis of technology systems, enterprise software development, data analysis, information life-cycle management and electronic discovery consulting for all manner of disputes. He can be contacted on +1 202 249 7860 or by email: nlawson@iDiscoverySolutions.com.
Wayne C. Matus is a partner at Pillsbury Winthrop Shaw Pittman LLP, and leads the firm’s Information Law & eDiscovery Practice. Mr Matus regularly advises clients on compliance with eDiscovery and document management obligations, as well as privacy and security, laws and regulations. His work includes counselling and management in connection with the preservation, collection, review and production of data in complex cases involving substantial volumes of information, and providing advice across corporations and institutions in the areas of information management, eDiscovery, cloud computing, privacy and security. Mr Matus can be contacted on +1 212 858 1774 or by email: email@example.com.
© Financier Worldwide
Michelle Martinez Reyes
Intelligent Discovery Solutions, Inc (iDS)
Wayne C. Matus
Pillsbury Winthrop Shaw Pittman LLP