eDiscovery Daily Blog

• December 13, 2010

Friday, we began talking about the article regarding Software as a Service (SaaS) and eDiscovery entitled Top 7 Legal Things to Know about Cloud, SaaS and eDiscovery on CIO Update.com, written by David Morris and James Shook from EMC.  The article, which relates to storage of ESI within cloud and SaaS providers, can be found here.

The article looks at key eDiscovery issues that must be addressed for organizations using public cloud and SaaS offerings for ESI, and Friday’s post looked at the first three issues.  Here are the remaining four issues from the article (requirements in bold are quoted directly from the article):

4. What if there are technical issues with e-discovery in the cloud?  The article discusses how identifying and collecting large volumes of data can have significant bandwidth, CPU, and storage requirements and that the cloud provider may have to do all of this work for the organization.  It pays to be proactive, determine potential eDiscovery needs for the data up front and, to the extent possible, negotiate eDiscovery requirements into the agreement with the cloud provider.

5. If the cloud/SaaS provider loses or inadvertently deletes our information, aren’t they responsible? As noted above, if the agreement with the cloud provider includes eDiscovery requirements for the cloud provider to meet, then it’s easier to enforce those requirements.  Currently, however, these agreements rarely include these types of requirements.  “Possession, custody or control” over the data points to the cloud provider, but courts usually focus their efforts on the named parties in the case when deciding on spoliation claims.  Sounds like a potential for third party lawsuits.

6. If the cloud/SaaS provider loses or inadvertently deletes our information, what are the potential legal ramifications?  If data was lost because of the cloud provider, the organization will probably want to establish that they’re not at fault. But it may take more than establishing who deleted the data. – the organization may need to demonstrate that it acted diligently in selecting the provider, negotiating terms with established controls and notifying the provider of hold requirements in a timely manner.  Even then, there is no case law guidance as to whether demonstrating such would shift that responsibility and most agreements with cloud providers will limit potential damages for loss of data or data access.

7. How do I protect our corporation from fines and sanction for ESI in the cloud?  The article discusses understanding what ESI is potentially relevant and where it’s located.  This can be accomplished, in part, by creating a data map for the organization that covers data in the cloud as well as data stored within the organization.  Again, covering eDiscovery and other compliance requirements with the provider when negotiating the initial agreement can make a big difference.  As always, be proactive to minimize issues when litigation strikes.

Let’s face it, cloud and SaaS solutions are here to stay and they are becoming increasingly popular for organizations of all sizes to avoid the software and infrastructure costs of internal solutions.  Being proactive and including corporate counsel up front in decisions related to SaaS selections will enable your organization to avoid many potential problems down the line.

So, what do you think?  Does your company have mechanisms in place for discovery of your cloud data?  Please share any comments you might have or if you’d like to know more about a particular topic.