Privacy laws create obstacles for e-discovery in the cloud

Information governance expert Jeffrey Ritter discusses how privacy laws create barriers to cloud-based e-discovery, and strategies to manage these complications.

Companies and governments are rapidly adopting cloud-based IT services to decrease storage costs and support data management. At the same time, however, cloud services have become more complicated, as international privacy and data protection laws create potential barriers to the legal discovery of electronically stored information.

In this Q&A, information governance expert Jeffrey Ritter discusses the difficulties of balancing privacy and e-discovery when using cloud services, and offers strategies to offset these concerns.

What issues do companies face when it comes to balancing privacy laws and e-discovery?

Jeffrey Ritter: In many countries outside the United States -- and increasingly inside the [U.S.] within specific industries such as healthcare and financial services -- national laws are protecting how personally identifiable information such as our name, our address, our health condition or our banking history is collected and used.

Generally, those laws have a restriction that personally identifiable information cannot cross national borders unless the receiving location or entity can provide assurances that the interests for persons for whom the data is relevant are being protected. Do they know who is getting the data? Do they know how it is going to be used? Is it going to be destroyed when it is no longer required?

Those privacy laws become barriers that often interfere with [a corporation's] requirements to access, review and possibly produce information that is relevant to litigation.

It seems we have been hearing about the collision of privacy laws and e-discovery for a while. How do cloud-based e-discovery services change the discussion?

Ritter: To begin with, it's important to clarify that cloud-based e-discovery services means e-discovery activity is being performed by a service provider through the Internet pursuant to a contract. Because the Internet is involved, all of the things we can do with information -- access, edit, review, produce [or] distribute -- can occur with an immediacy that has never before been possible.

Of course, now with the Internet, a simple button push and data is immediately accessible. That immediacy is changed by cloud-based e-discovery. It's critical for the service provider, in order to be profitable, to retain their discretion as to where data is stored. Many of the service providers have multiple data centers, in multiple locations. Part of their ability to be profitable hinges on their ability to shift and balance among these different loads based on customer demand. When that occurs, those transfers often cross international borders and trigger privacy protections that put the company at risk in regards to how they access and use that information in litigation.

What is the first step companies can take to not allow privacy laws to become obstacles when meeting their e-discovery obligations?

Ritter: The first thing is to stop talking about e-discovery. Instead, it's about the wisdom and diligence of internal corporate planning. Information governance really has a simple definition: It means applying rules to digital information and being able to measure compliance. In the 21st century, we can anticipate that our corporate data, particularly electronically stored information, will be subject to being recovered and used for litigation or some kind of legal proceeding, whether it's a civil litigation, an audit or a criminal investigation. The data has to be able to be recovered and used.

Internal planning teams put in place for information governance architecture development must anticipate that data can be recovered and used in e-discovery without violating privacy laws. The cloud service provider should be seen as an extension of the company's ecosystem, and the corporation must transfer to the service provider those rules that the company needs to be followed in order to ensure the privacy laws don't become an obstacle.

That's a two-step process. Companies that skip the first step face enormous difficulties negotiating with service providers because they don't have the rulebook for their own operations that allows them to be clear when specifying to the service provider what they need to accomplish.

How do companies address these concerns when acquiring cloud-based e-discovery services?

Ritter: If internal corporate planning is done well and the information governance structure anticipates e-discovery, then the company can negotiate by contract. Wherever we seek e-discovery support from service providers available through the cloud, there is going to be a contract involved.

Companies are essentially asking the e-discovery service provider to perform some portion of the duties and obligations the company has under legal mandates [in order] to produce information and make it available as evidence. Being precise is important. Many e-discovery service providers tout that they built their systems to comply with various laws. But when it comes down to actually measuring their services against those requirements, it becomes a very difficult discussion.

It's also critical that these agreements include stipulations for producing metrics that allow the corporation to demonstrate when compliance has occurred. As a result, if there are problems they can at least avoid sanctions because of the service provider's failure to adequately perform their contractual duties.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
