E-discovery in the Cloud

Don't wait until the lawyers come calling to figure out if you can find your cloud-based data.

1 2 3 Page 3
Page 3 of 3

Social media represents a big challenge. Sites such as Facebook, LinkedIn and Twitter rely on standard contracts with users -- both individuals and organizations that use the services for marketing. What if a company wants to retrieve something a former employee wrote on Facebook? If the individual posted the comment on his personal account, the company has no right to access it.

That means companies must consider constantly collecting the content of all employees' posts as a safeguard. Certain regulated companies in financial services already do this, notes Murphy.

Companies that don't do that might encounter difficulties if they need to retrieve content from social sites. Although social media companies say that anyone can write to their open APIs to get the data they need, "accessibility changes on a regular basis as the APIs of the vendors change," Murphy points out.

In addition, how long would it take to download all the data? Murphy says most sites "throttle their APIs," which could slow downloads or search results. Some e-discovery service providers have started to target this problem. "They pay a lot of money to be in these API programs," he says. "They are essentially buying less throttling."

Know the Location of Your Data

Whatever type of cloud you're dealing with, it's important to know exactly where your data resides. In some cases, a cloud vendor might be storing it in a data center in a different country, where different data privacy and e-discovery rules apply.

Further complicating matters is the possibility that your primary cloud provider could be using subcontractors. That's frequently the case, says Kunick, meaning "it's more than likely that your data will reside in several locations." Even if you have an iron-clad contract with your primary provider, can that vendor access information in a prompt and defensible way if the data is held by a subcontractor?

Before there was a cloud, companies would contract with large managed service providers and would spell out most of these provisions in long, detailed contracts, Kunick says. But most contracts with cloud providers don't cover such details. "With cloud service providers, the contracts are seldom longer than 10 pages," he says.

Beware Renegade Business Units

Even if contracts cover every detail, shadow IT activities within corporations can be a source of other e-discovery problems. Charles Skamser, president and CEO of consulting firm eDiscovery Solutions Group, has spent several months interviewing some 60 cloud service providers. Most told him that their clients aren't asking about e-discovery. In fact, "some [cloud service providers] even said, 'What's e-discovery?'" Skamser reports.

In what may be a more telling finding, Skamser's research indicates that a high percentage of cloud customers are "renegade business units" of big companies seeking to do an end run around what they perceive as unresponsive internal IT organizations (see "The Upside of Shadow IT").

This could be a recipe for disaster. If a large corporation is sued and presented with an e-discovery request, the general counsel would likely ask the IT department for help. The attorney might not ask a particular business unit, and even if he did, the business unit's manager probably wouldn't know what to do and the unit's contract with the vendor probably wouldn't include any e-discovery provisions, Skamser explains.

Develop a Comprehensive Plan

Above all, a corporation should have a comprehensive information governance and discovery plan that covers all sources of data, including the cloud, says Murphy. The plan needs to cover not only how to conduct e-discovery on data stored in the cloud, but also how to review that data alongside data residing elsewhere. "You need to apply the same discipline on all data sources," he notes.

It's not too late to prepare for e-discovery on cloud-based data, says Murphy. "Best practices are beginning to emerge, and . . . companies have the opportunity to get ahead of the curve," he wrote in a recent report.

"The key is to treat cloud-based sources of data like any other data source," says Murphy. "Include it in data maps, have a plan for collecting and preserving it, know how to manage the chain of custody, and understand when to dispose of the data so that it poses no e-discovery risk."

Harbert is a Washington, D.C.-based writer specializing in technology, business and public policy and a frequent Computerworld contributor.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

Copyright © 2012 IDG Communications, Inc.

1 2 3 Page 3
Page 3 of 3
7 inconvenient truths about the hybrid work trend
Shop Tech Products at Amazon