As data volumes increase, so does the complexity of searching, collecting, processing and producing potentially relevant evidence required for internal investigations, civil litigation, compliance filings and enforcement proceedings.
To manage this complexity, a new generation of cloud-based e-discovery products and services has emerged. Here are five key contract agreements to ensure cloud providers meet your e-discovery management and information governance requirements.
Strategy #1: Use the cloud in business -- carefully
A provider may license software applications to be accessed and used on its systems, including the processing and storage of related digital information (software as a service or "SaaS"). The provider may also lease the use of its systems, servers and infrastructure, whether for general computing purposes (infrastructure as a service or "IaaS") or for building and launching various types of software applications (platform as a service or "PaaS").
In any of these three service models, the service contract is very important to the future performance of e-discovery management, as well as to the ability to meet legal requests and deadlines for information. The Federal Rules of Civil Procedure imposes discovery obligations (including those for electronically stored information or "ESI") with respect to information that is within a company's "possession, custody or control." Courts regularly conclude cloud-based data is still within a company's, or the cloud customer's, control. But unless the customer has clearly defined a service provider's duties and services with respect to cloud-stored data in the provider's custody, significant costs and administrative challenges emerge: A 2013 Symantec survey reported two-thirds of the responding companies with cloud-based storage had missed legal deadlines for delivering the requested information.
Therefore, customers should anticipate that any digital information stored with a cloud provider may be required as potential evidence in legal proceedings. The contract agreement, as well as internal corporate procedures, should anticipate how e-discovery will be performed against the data, and the respective duties (and costs) of the provider to do so.
Strategy #2: Govern your cloud-based ESI
Beyond the direct service agreement, cloud customers (and law firms with respect to their own business records, as well as their clients) should include cloud-based ESI in the design and management of their information governance programs. Information governance is far more than just records management. It involves applying all of the rules applicable to business data at any location at which the data may be collected, processed or stored. It is astounding the number of companies that have yet to revise their 20th century records management practices to fully embrace 21st century digital realities.
Effective information governance means a company is also anticipating the impact of collecting, processing, or storing ESI with cloud providers under various legal duties unrelated to e-discovery management. Privacy and data protection, information security, data transfers and destruction rules all must also be navigated when e-discovery is conducted in the cloud.
A business must both build a complete inventory of those rules, including the e-discovery rules to which the company may be subject, and assure those rules can be -- and are being -- enforced against all of the company's data assets. In fact, without that foundation, any service agreement with a cloud provider will likely fail to support the company's future e-discovery needs.
Strategy #3: Engage cloud e-discovery services with precision
As part of a company's information governance program, rules describing e-discovery processes and their application to all of a company's ESI should be in place before engaging cloud-based products and services. Those rules then become the basis by which detailed statements of work can be composed and included in the related agreements. Doing so is a dramatic step toward minimizing the potential for data management chasms between the customer and the providers, particularly when operating under court-imposed deadlines.
Whether using a provider to store ESI for later processing in discovery, or for licensing the use of advanced e-discovery software for filtering and reviewing ESI, companies still will want to assure their internal controls are being properly implemented for the data assets in the provider's custody. That assurance often requires the provider to develop and deliver operating logs and similar records that demonstrate performance and log-relevant events.
Strategy #4: Protect the chain of custody for ESI
If a company (and its lawyers) cannot show the digital chain of custody through which ESI has passed, when offered to the court, opposing counsel may successfully argue the ESI is not worth the paper on which it may be printed.
Therefore, customers should choose providers that properly design and carefully control ESI management processes. Once the ESI is under the custody of the provider (e.g., at the moment of collection from the desktop machine of an employee or a backup server archive), the providers often have superior chain of custody processes. After all, protecting the integrity of the ESI as evidence is their full-time job. It is not merely an incidental task, as is often the case in corporate departments and divisions who crowd information governance onto an often too-filled plate of other business duties.
The agreements must also have documentation of those procedures. As an added safeguard, the agreement must also include stipulations that the cloud service provides for production and delivery of process documentation on specific cases or specific ESI assets. It is not enough to offer the agreement's promises of how ESI will be managed. What matters is the customer's ability to demonstrate the actual ESI management activities that occurred for a specific data set. The customer may also want to negotiate the availability of a provider's staff to testify in depositions or in court regarding those activities.
Strategy #5: Test the capabilities and procedures
Complex litigation and the potential for sanctions, fines or irreparable adverse rulings imposed for e-discovery negligence are like any other substantive disasters. Careful planning and testing is essential to assure everything fires correctly when things get hot. Cloud providers should be strong partners with their clients in developing suitable tests of their capabilities to execute the required e-discovery procedures.
Based on the contracted services being implemented (SaaS, IaaS or PaaS), these tests will vary in their complexity. But it is important that the documentation of their execution (and the results) be retained as further evidence of the company's commitment to responsibly execute its e-discovery obligations. The primary agreement should ensure these tests are part of the initial set up and launch of the services, and that recurrent testing occurs. If major services are altered, including in response to changing legal rules, additional testing to assure conformity with the alterations is always appropriate.
About the author:
Jeffrey Ritter is one of the nation's experts in the converging complexity of information management, e-discovery and the emergence of cloud-based services. He advises companies and governments on successful 21st-century strategies for managing digital information with legal and evidential value. He is currently developing and teaching courses on information governance at Johns Hopkins University's Whiting School of Engineering and Georgetown University Law. Learn more at www.jeffreyritter.com.
Cloud tests data security strategy
Cloud SLAs: Crafting a clear contract with providers