Legal challenges related to cloud computing are emerging as the data-storage practice becomes more popular with businesses and public organizations. There are many types of cloud computing (public, private, community, and hybrid models) but, in general, it is the practice of using a network of Internet-hosted remote servers to store, manage, and process data, rather than using a local server.
Cloud Computing Supply and Demand
Cloud computing offers inexpensive access to almost limitless storage capacity wherever an Internet connection is available. It reduces the square footage dedicated to an organization’s IT infrastructure and saves on energy consumption costs. Cloud computing lowers barriers to entry for organizations because it requires less capital than traditional location-dependent hardware. Cloud computing also offers rapid elasticity to adapt to growth and usage trends. In response to these benefits, organizations throughout the world are migrating toward cloud computing.
Because of the increasing demand on IT infrastructure, cloud service providers -- including Apple, Cisco, Google, Microsoft and Amazon -- are investing millions of dollars in data centers. For example, Apple recently completed construction of a 500,000-square-foot data center in North Carolina and is scheduled to break ground on another data center in Hong Kong in the first quarter of 2013. Google also is investing in more data centers and has received a patent for placing data centers on floating ships that collect power from ocean waves and use seawater to dissipate the heat generated during operation.
Legal Implications of Cloud Computing
Organizations need to be aware of the legal implications surrounding a move to cloud computing and must ensure that cloud computing service contracts are drafted to minimize risk while adding security. Data protection needs will vary with the industry, so there is no one-size-fits-all solution to cloud computing. For example, organizations that operate in the financial services industry may be subject to the Gramm-Leach-Bliley Act’s data privacy requirements, whereas health care providers are subject to different privacy standards under the Health Insurance Portability and Accountability Act (HIPAA). Organizations may also be required to take additional measures to protect confidential data and other personally identifying information about their consumers and/or employees. Regardless of what standards apply to your organization, a well-drafted, customized service contract is the key to addressing these issues.
Other considerations include information accessibility and how data is stored while “at rest” on a cloud provider’s system, as well as how the data is transported to and from a location. For example, it is recommended that data be encrypted while stored on a cloud provider’s system. If that data were subpoenaed, the requesting party would have the data, but it would be unusable unless the requesting party also obtained the user’s encryption key. Similarly, data transferred over telecommunications or by other methods (tapes, USB drives, etc.) should be encrypted to protect against interception.
There also are legal implications when a cloud service provider and its users are involved in litigation or must respond to a subpoena. Cloud computing puts an organization’s data under the control of a third-party cloud service provider. Rule 34(a) of the Federal Rules of Civil Procedure states that a party may serve a request to produce electronically stored information (ESI) in the responding party’s “possession, custody, or control.” The cloud service provider often is the party that has “possession” and “custody.” Usually a cloud service contract gives the cloud user “the legal right to obtain the documents on demand”; therefore, the customer is in “control” of the ESI.
Ideally, the cloud service provider should not be required to produce responsive documents without the permission of the cloud user. However, that issue is the subject of ongoing litigation. In Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008), a cloud service provider received a subpoena seeking the production of ESI in the cloud. The subpoena covered text messages sent or received by city of Detroit employees who used devices supplied by SkyTel. The court determined that this data in the cloud was potentially discoverable under federal discovery laws; however, the court did not consider the subpoena issued to the cloud provider, since the required evidence was more easily acquired by an ESI request to the cloud user, the city of Detroit.
The proliferation of cloud computing also raises jurisdictional questions. Information in foreign data centers may be subject to foreign laws. An organization migrating its data into the cloud should understand what a cloud service provider will do in response to legal requests for information and for discovery.
When selecting a cloud service provider, organizations should ensure a provider can efficiently retrieve data from the cloud and respond to litigation hold notices. A cloud service provider should also be able to suspend automated document retention/deletion rules to ensure the adequate preservation of relevant information. This goes beyond placing a hold on archival data in the cloud. An organization should be able to identify the data sources in the cloud that may contain relevant information and then modify its retention policies to ensure that cloud-stored data is preserved for discovery. Taking this step creates a defensible document retention strategy that protects an organization from court sanctions under the Federal Rules of Civil Procedure’s “safe harbor” provisions.
A cloud service provider should also be able to deploy automated legal hold acknowledgements. This feature allows record custodians to be properly notified of litigation and thereby retain information that might otherwise be deleted. Failing to ensure such protections increases the risk to organizations and their counsel of data loss, adverse evidentiary rulings (i.e., spoliation claims), and monetary sanctions.
For questions or assistance with cloud computing and other e-discovery issues, contact Gordon & Rees E-Discovery Practice members Elizabeth Lorell, Jeffrey Lilly, or Andrew Cary.