One of the hottest information technology (IT) trends is to move data once stored within the corporate firewall into a hosted cloud environment managed by third-party providers. In 2013 alone, the public cloud services market is forecast to grow an astonishing 18.5 percent to $131 billion worldwide, up from $111 billion in 2012. The trend is driven largely by the fact that labor, infrastructure, and software costs can be reduced by sending email and other data to third-party providers for off-site hosting. Although the benefits of cloud computing are real, many organizations make the decision to move to the cloud without thoroughly weighing all the risks and benefits first.
A common problem is that many corporate IT departments fail to consult with their legal department before making the decision to move company data into the cloud even though the decision may have legal consequences. For example, retrieving information from the cloud in response to eDiscovery requests presents unique challenges that could cause delay and increase costs. Similarly, problems related to data access and even ownership could also arise if the cloud provider merges with another company, goes bankrupt, or decides to change their terms of service.
The bad news is that the list of possible challenges is long when data is stored in the cloud. The good news is that many of the risks of moving important company data to the cloud are foreseeable and can be mitigated by negotiating terms with prospective cloud providers in advance. Although not comprehensive, the following highlights some of the key areas attorneys should consider before agreeing to store company data with third-party cloud providers.
1. Who Owns the Data?
The cloud market is hot right now with no immediate end in sight. That means competition is likely for years to come and counsel must be prepared for some market volatility. At a high level, delineating the “customer” as the “data owner” in agreements with cloud service providers is a must. More specifically, terms that address what happens in the event of a merger, bankruptcy, divestiture or any event that leads to the termination or alteration of the relationship should be clearly outlined. Identifying the customer as the data owner and preserving the right to retrieve data within a reasonable time and for a reasonable price will help prevent company data from being used as a bargaining chip if there is a disagreement or change in ownership.
2. eDiscovery Response Times and Capabilities
Many businesses know first-hand that the costs and burdens of complying with eDiscovery requests are significant. In fact, a recent RAND study estimates that every gigabyte of data reviewed costs approximately $18,000. Surprisingly, many businesses do not realize that storing data in the cloud with the wrong provider could increase the risks and costs of eDiscovery significantly. Risks include the possibility of sanctions for overlooking information that should have been produced or failing to produce information in a timely fashion. Costs could be exacerbated by storing data with a cloud provider that lacks the resources or technology to respond to eDiscovery requests efficiently.
That means counsel must understand whether or not the provider has the technology to preserve, collect, and produce copies of data stored in the cloud. If so, is the search technology accurate and thorough? What are the time frames for responding to requests and are there surcharges for expedited versus non-expedited requests for data? Also, is data collected in a forensically sound manner and is the chain of custody recorded to validate the integrity and reasonableness of the process in the event of legal challenges? More than one cloud customer has encountered excessive fees, unacceptable timelines, and mass confusion when relying on cloud providers to help respond to eDiscovery requests. Avoid surprises by negotiating acceptable terms before, not after, moving company data to the cloud.
3. Where is Data Physically Located?
Knowing where your data is physically located is important because there could be legal consequences. For example, several jurisdictions have their own unique privacy laws that may impact where employee data can be physically located, how it must be stored, and how it can be used. This can result in conflicts where data stored in the cloud is subject to discovery in one jurisdiction, but disclosure is prohibited by the laws of the jurisdiction where the data is stored. Failure to comply with these local foreign laws, sometimes known as blocking statutes, could result in penalties and challenges that might not be circumvented by choice of law provisions. That means knowing where your data will be stored and understanding the applicable laws governing data privacy in that jurisdiction is critical.
4. Retention, Backup, & Security
Part of any good data retention program requires systematically deleting information that the business does not have a legal or business need to retain. Keeping information longer than necessary increases long-term storage costs and increases the amount of information the organization must search in the event of future litigation. The cloud provider should have the ability to automate the archiving, retention, and disposition of information in accordance with the customer’s preferred policies as well as the ability to suspend any automated deletion policies during litigation.
Similarly, where and how information is backed up and secured is critical. For many organizations, merely losing access to email for a few hours brings productivity to a screeching halt. Actually losing the company email due to technical problems and/or as the result of insufficient backup technology could cripple some companies indefinitely. Likewise, losing confidential customer data, research and development plans, or other sensitive information due to the lack of adequate data security and encryption technology could result in legal penalties and/or the loss of important intellectual property. Understanding how your data is backed up and secured is critical to choosing a cloud provider. Equally important is determining the consequences of and the process for handling data breaches, losses, and downtime if something goes wrong.
5. Responding to Subpoenas and Third-party Data Requests
Sometimes it’s not just criminals who try to take your data out of the cloud; litigants and investigators might also request information directly from cloud providers without your knowledge or consent. Obviously companies have a vested interest in vetting the reasonableness and legality of any data requests coming from third parties. That interest does not change when data is stored in the cloud. Knowing how your cloud provider will respond to third-party requests for data and obtaining written assurances that you will be notified of requests as appropriate is critical to protecting intellectual property and defending against bogus claims. Furthermore, making sure data in the cloud is encrypted may provide an added safeguard if data somehow slips through the cracks without your permission.
Today’s era of technological innovation moves at lightning speed and cloud computing technology is no exception. This fast-paced environment sometime results in organizations making the important decision to move data to the cloud without properly assessing all the potential risks. In order to minimize these risks, organizations should consider The Top 5 Tips for Corporate Legal Departments and consult with legal counsel before moving data to the cloud.