One of the new buzz words of the last few years in computing has been Cloud Computing. After the initial hype, and the subsequent shakeout of its potential, everyone is beginning to recognize that it represents a paradigm shift in how we purchase, deploy, and utilize computing resources. The general impetus for the cloud has been its potential to reduce capital costs, offer flexibility in purchasing computing resources, and reduce operational costs in maintaining hardware resources.
A lot of what the cloud offers is achievable using existing technologies, but repurposed in new and innovative ways. Several forms of the cloud, with specific benefits to customers, are being packaged and promoted. The offerings are delivered as cloud services, such as Platform as a Service (PaaS), Infrastructure as a Service (IaaS) and Software as a Service (SaaS). Without getting into specifics, each service offering comes with a set of service agreements between the purchaser and provider of the cloud services.
As with any new initiative, there are new challenges to contend with including security and compliance with corporate policies and industry regulations. Although these issues are substantial, for this article, let us consider the legal implications as it relates to electronic discovery. We all know that sooner or later, every organization faces litigation, and increasingly, fair number of them involves e-discovery. Traditionally, in house legal and IT teams have had an understanding of how to respond to legal requests and have focused on litigation readiness. But, how do these translate to the new cloud computing paradigm? I’ll examine some of the challenges in a series of posts on e-discovery and the cloud. For starters, let’s analyze the challenges and considerations inherent with the duty to preserve electronically stored information (ESI).
Duty to Preserve ESI
Before we get to the mechanics of electronic discovery and actual preparation for Rule 26(f) conference, the duty to preserve arises. The duty to preserve may be triggered when a legal proceeding is “reasonably anticipated” and increases in importance on receipt of pre-litigation correspondence or a similar trigger event. Traditionally, such duty to preserve is reflected by placing litigation holds. It is often the case that litigation holds are placed on at least a portion of the ESI well ahead of an actual triggering event. See Adams v. Dell as perhaps an extreme example. In fact, some organizations invest in litigation support software technologies for classifying data and placing holds on the most reasonable subset.
How does such a litigation hold translate into the cloud? As a customer of a cloud, one should craft service agreements to dedicate certain cloud-resident data, in the form of folders or other broad categories, to be preserved. If the cloud provider has deployed technology to ensure that no party within the customer’s user community can delete the preserved data, it is well and good. However, placing such restrictive access impedes normal running of the business, and becomes impractical. Essentially, data in the cloud that is available for normal course of business is in the hands of user-custodians. If they then delete the data either deliberately, or inadvertently, or through normal business functions, that data deletion is subject to spoliation claims. Even though the “safe harbor” from spoliation sanctions of Rule 37(f) applies when information is lost due to the “routine, good faith” operation of electronic information systems, when preservation order is in place, shelter under 37(f) is not possible. Thus, the actual implementation of litigation hold comes under scrutiny. Because of this, many implementations adopt preservation using a “copy and preserve” model. However, this model is at odds with live business data that is constantly evolving. Even if the latest point-in-time snapshot technology at the physical volume is employed, the result is inadequate – you end up preserving massive volumes of data in the cloud, unrelated to actual logical messages or files that need to be preserved. What is needed is some smartness in the form of an application in the cloud itself that can translate a litigation hold request into specific ESI in the cloud. Who owns and manages this application and what the service levels are for this application is a significant issue.
Now, the view from the cloud provider’s perspective is very different. In light of the flexible data management architectures available, there is a great temptation to share both data with a litigation hold and data without a litigation hold on the same physical infrastructure. As a result, the cloud provider preserves all data from every customer that is resident on that infrastructure – a very conservative approach. As a consequence, this would preserve another customer’s ESI accidentally and that data is now discoverable, in the context of a different litigation, despite the second customer’s active management of the data. Preserving a set of live, constantly changing data in the context of a single enterprise is technically difficult; doing so across multiple customers, sharing the data infrastructure is exponentially harder.
Another related issue with preservation is the need for the ability to release preservation holds. Typically, when the litigation response team determines that the legal hold is not necessary, the hold is released. In the “copy and preserve” model of litigation hold, one has to verify that the released ESI does not overlap with other litigation holds and is marked for destruction. One of the benefits of the cloud is the flexibility in storing bits and pieces of data wherever data capacity is available. Applying the release can again be tricky for both cloud customer and the cloud provider.
Given these additional complexities of evidence in the cloud and the fact that the duty to preserve may arise well before the trigger event of litigation, the costs associated with the duty to preserve can add up very quickly. It’s essential to understand three critical items related to the duty to preserve in the cloud: 1) what the cloud provider would charge for ongoing preservation, 2) whether agreements with the cloud provider cover the legal issues raised by the duty to preserve and 3) what the cloud provider offers in terms of a flexible workflow for applying and releasing legal holds.