
Five strategies to migrate the e-discovery process to the cloud

When moving data management operations to the cloud, companies must ensure their own unique information governance requirements are met by the provider. This is particularly true for the corporate cloud customer's e-discovery process: Businesses must ensure they can access relevant information, and quickly, when it is required for litigation -- even if that data is housed by a cloud provider.

In this three-part SearchCompliance webcast, information governance expert Jeffrey Ritter explained how businesses can best integrate cloud services that also comply with an organization's data management and e-discovery requirements. In the concluding segment, he presented a five-step strategy to ensure a company's e-discovery and information governance mandates are followed by cloud service providers.

Jeffrey Ritter: That brings us to the five strategies for evaluating and acquiring cloud-based e-discovery services. Business case requires controlling data location and focusing on how we migrate our corporate rule set over to any service provider in a cloud. We then have to ask 'How do we do that successfully when we're looking to get services that facilitate our e-discovery activities from a provider that is using cloud-based resources to do so?'

The first strategy is to design our information governance rules to anticipate cloud services. These steps are pretty important to how we make that transition: First, in your corporate governance development, your rules within the company should incorporate a formal decision process for how to identify ESI that will be considered for legal purposes. Being able to make those designations a part of the creation of the third-party relationship allows you to have better outcomes in the e-discovery process. Second, the world has changed in the last 10 years since we first saw the e-discovery issues enacted into the Federal Rules of Civil Procedure. Electronically stored information must be recovered and produced, and we're still seeing companies that have made the leap in reforming their information governance rules to anticipate that. The third piece of this is one which we could spend an entire hour on: Have we presented our corporate governance rules for how we manage information?

As companies pursue greater and greater efficiency, it's more and more likely that the rules of information governance will be executed by a third party. It's critical you write the rules so that they can be clearly transferred from corporate and your employees to third-party service providers. It's a technical process, but if done correctly it greatly facilitates both the negotiation of the service agreement and putting in place the framework for effective e-discovery. Your corporate rules must also express how compliance can be measured and reported. More and more, we are seeing that compliance can be measured and recorded, and I think it's time that we begin thinking about how to accomplish that outcome in information governance.

Rules should be able to not just anticipate adhesion, but actually use metrics to express how compliance is measured and recorded. Finally, recognize that preserving the records of compliance with your information governance rules is critical because if there is negligence or misconduct by the service provider, your ability to preserve and present the record of what went wrong goes a long way towards being able to demonstrate to the court that it's either incidental or negligent, but not part of a vast corporate conspiracy to deny production.

Strategy No. 2 is to engage e-discovery cloud services with precision. As we already noted, the service agreement is critical. It is vital that you describe, across all of the cloud services that you may be acquiring, exactly what the services are and the duties and the responsibilities of both the corporation and the service provider themselves.

The service agreement, therefore, has to have detailed statements of work aligned to your corporate rules. In effect, you're transferring some portion of your corporate e-discovery planning to the service provider to be executed. It's very important to declare and make clear what ESI is subject to the rules, how you are allocating the duties and -- most important to your service managers -- the costs of performing this duty. A key duty that is often overlooked by corporations is to cooperate with the e-discovery service provider when preparing and presenting testimony and records of performance. That testimony becomes vital for demonstrating the company's execution of this obligation, as well as being able to properly address omissions of performance by either the service provider or the company. Of course, it's also important to make clear to the service provider the duties required to create and maintain records.

One of the great ways of determining whether the service provider is where you need them to be is to simply ask for the transaction logs, monthly performance reports, and other activities they can produce for you as part of the evaluation and negotiation process. If they are showing you logs that will be suitable as compliance records, then they are great. But if they're not, you have to negotiate and/or look for other service providers.

Strategy No. 3 is to protect the chain of custody for electronically stored information. Think of any police show you've ever watched on television: When they're collecting any physical evidence, it is properly accounted for, with names written on the bag that are turned into the evidence room. The same kinds of concerns exist for electronically stored information, and evidence is needed in order to demonstrate that the information that you're working with is authentic.

Protecting the chain of custody when working with the ESI service provider for e-discovery is particularly important. First of all, you want to see the providers define the chain of custody processes. This is true not only for e-discovery service providers, but really [for] any general cloud-based service to understand how they take on your data; how they log it; how they record, access and make alterations to that data. Will it be subject to attack because the chain of custody was not properly documented?

It is critical to copy and preserve the original documents, and to have all your e-discovery work be conducted with secure duplicates of the electronically stored information. As we mentioned a moment ago, with chain of custody it is also important to require records of performance and compliance for all custody-sensitive processes. I would emphasize giving special attention to the security controls that, if absent, expose the ESI to alteration or corruption. We have to remember that when there is an investigation or adverse activity from a legal perspective, one of the first things that happen is the employees that may be involved or other bad actors in the company try to go and delete the role of that record, including electronic mail. As a consequence, it's vital that when you're beginning to move data to a service provider that you have control over possible alterations or corruption.

Strategy No. 4 is to test all of your e-discovery capabilities and procedures. When you begin to engage with third-party services in the cloud to conduct e-discovery, they become part of your ecosystem. Many corporations overlook the importance of then testing the integrated lifecycle of your e-discovery process. If you begin with internal corporate governance and are doing things correctly, you then look at how you communicate with your service providers. Are things happening the way they should, are the measurements effective? Are the reports being generated and are they adequate to demonstrate that the corporation and its broader ecosystem are meeting the legal rules?

This testing is not unusual. It is part of good software management and good implementation control. But for e-discovery, it is a bit more nuanced. New technology, new systems, new kinds of data and new rules -- including reform in federal e-discovery rules -- will come into effect. They will change what our corporate e-discovery process looks like, and in turn we will need to have the ability to adapt to that in our testing process. It's not enough to just be able to test once and think that your information governance is effective. You have to anticipate and make changes based on changes in rules, or corporate technologies or processes. This includes how those will be tested, how validation and sign-off will be measured, and from a vantage perspective, what fees are going to be charged to the company.

Finally, strategy No. 5 is to anticipate that ESI will include personal information and be subject to privacy and data protection controls. In a data operating environment, personal information has become ubiquitous. This is not merely individual consumer data on sales records at a major big box retailer. It's information about people that is protected by the scope of privacy and data protection laws. These rules have become increasingly significant when we look at the way cloud services are distributing data to different countries and different data centers, and are often being moved by the service provider without our knowledge or control. When we're building our cloud services for e-discovery, it is vital that we understand our data well enough to be able to look at these variables.

If there will be changes in location, will we be able to get to the data as ESI for litigation purposes? How can the information be stripped of personally identifiable characteristics so that we can produce it? Who at the service provider can access this data? Does that change when it is personal information? Who, among adverse counsel, can look at the data? Can it be distributed electronically across national boundaries? Can adverse counsel access the data without the consent and prior approval of the data subject?

All of these questions are very complex, but are the kind of issues that are often overlooked when negotiating e-discovery service agreements. By understanding the quality of your information and the presence of personal data in your systems, you can then figure out how to negotiate with your e-discovery service providers to assure that the provider's ability to move data or change access doesn't interfere with your ability to get the ESI when it is relevant as evidence in litigation.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.
