This content is part of the Essential Guide: A CIO's guide to enterprise cloud migration
Manage Learn to apply best practices and optimize your operations.

Knowing your exact data needs key to cloud service agreements

The cloud has become a common solution for organizations seeking to decrease exploding data storage costs and improve information governance efficiency. But before entering a cloud service agreement, it is vital that organizations determine exactly how their data management processes will adapt to the new environment, according to information governance expert Jeffrey Ritter.

In this three-part SearchCompliance webcast, Ritter explains the key strategies for integrating cloud-based services that also comply with the customer's data management and e-discovery requirements. In part two, he explains why companies must be familiar with their own specific governance and e-discovery needs before entering a cloud service agreement.

Jeffrey Ritter: When we begin talking about the cloud, it's very important to first step away and really look at the key requirements for moving any of your company's business services to the cloud. As I mentioned earlier, companies have overlooked these requirements for decades. If you can focus on these requirements even before you begin talking about e-discovery, then you are achieving an operating environment that enables you to add in e-discovery services much more successfully.

What are those key requirements? First, you must appreciate that the cloud is based in contracts. Virtually every connection that exists -- between networks, between systems, between applications, and even in individual transactions -- is generated by an agreement to move the data. The service agreement with a cloud-based provider is not different. One of the key requirements is to properly value and understand that the service agreement that you have with any cloud provider is a vital control for managing the availability and quality of your electronically stored information. Companies that think of these service agreements as routine, or do not put the right personnel in the negotiation group looking at these contracts, are making dramatic mistakes about how important the cloud service agreement is.

Even before thinking about e-discovery, you have to begin asking, 'How do I build my corporate rules for managing electronically stored information? What are my corporate rules to be able to manage ESI? Do those rules properly contemplate what the changes may be when we're moving the related business activities for that data to a service provider for execution?' When we sign a contract for any cloud-based service, the corporate customer must move its business rules for governing electronically stored information to the service provider's environment. Those rules can be business rules, they can be security rules, and they can be legal rules. And of course, legal rules need to also include the corporate obligations under federal and state rules for electronic discovery.

We are beginning to see the momentum around information governance, and to have the ability to build these rules in a fashion that brings e-discovery into the fold. This occurs not at the back end when data has been sitting in storage for three years, but rather at the front end as we begin to develop the data. But what are the rules that are particularly important to e-discovery in the cloud? When we look at the discovery rules under federal and state regulations, and increasingly those for other nations, they include stipulations for electronically stored information related to production duties and litigation.

More on this topic

Making the business case for cloud-based data management

The keys to cloud-based e-discovery strategy

Several companies have challenged the breadth of those rules, and the courts have been very clear that the obligation to present information that may serve as potential evidence includes any information within the company's possession, custody or control.

They have also made very clear that merely transferring data to a service provider does not relieve a company of obligations to produce appropriate discovery. When we look at the impact of these rules on data structures and corporate systems, we realize that even before we're thinking about how we execute e-discovery through the cloud service provider, we first have to build the rule set for how we're going to apply e-discovery to our existing data. That's anything that's within our possession, custody or control: This could be the data that's on our corporate server, data that's on mobile devices, data that's in the cloud with service providers and unrelated to e-discovery. If your company does not have these rules and processes well-defined for general services that can be outsourced, then e-discovery of that data that is in the possession of a third party can become even more hazardous.

This can result in added service fees, added legal fees for negotiating and documenting how you retrieve the data from the service providers, and possibly fines for missing production deadlines. It's stunning to see a study from 2013 by Symantec that found 67% of cloud ESI storage customers, or corporations that are storing the business data in the cloud, miss legal production deadlines. Behind that headline is the obvious truth that the companies had not put in place their own processes for recovering ESI as potential evidence, nor had they negotiated with their cloud service providers how the providers would recover and access that data when it would be needed in litigation. As a consequence, the second key requirement is to build data governance in a way that tests and implements their rules for e-discovery so that cloud-based ESI with any type of service provider is incorporated into the e-discovery response plan of a company.

Only when we have built those rules, tested those rules and implemented them across our service provider community can we begin to understand how we will then conduct electronic discovery that might involve cloud service providers. These are the points that so often get missed. The cloud service agreement is not a perfunctory tool; it is how a corporation imposes governance of the data on any third party that has custody, control or possession of the company's data. Those rules have to be built so they properly take into account the corporation's e-discovery obligations. We can do both of those things: Build our governance and build our governance so that e-discovery can be executed. This helps build successful relationships with the service providers of all of our other IT related services, because now they become part of our infrastructure and part of our ecosystem across which discovery may need to be conducted.

Please visit to view the next segment in this webcast, where Jeffrey Ritter will continue his discussion on cloud-based e-discovery strategies.

Let us know what you think about the story; email Ben Cole, site editor. For IT compliance news and updates throughout the week, follow us on Twitter @ITCompliance.

View All Videos

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

It's pretty hard to do since data sovereignty rules are a moving target right now. Some countries are talking about applying their own particular rules even if you want to do *business* in that country, let alone have an office there or store data there. It has the potential to mess things up quite a bit.