Practical eDiscovery in the Cloud
Discovery Management Digest – Q1 2013
Just when many attorneys felt like they were getting their arms around eDiscovery, along comes a new challenge—the cloud. When potentially responsive data resides in virtual environments, rather than on a server or custodians’ laptops, eDiscovery can become even more difficult, expensive and time-consuming.
Attorneys who haven’t dealt with the cloud yet should brace themselves, since the cloud is becoming tremendously popular in the public and private sectors. As we reported in the last issue of Discovery Management Digest, the federal government has created a “cloud first” policy to move more software and data to virtual environments, which will have a profound effect on how agency attorneys manage litigation [see “Obama Administration Provides More Framework for Federal Records Management Initiative”].
And more than 80 percent of companies used the cloud in some way last year, according to CompTIA’s Third Annual Trends in Cloud Computing survey. More than 50 percent reported plans to boost their investments in the cloud by at least 10 percent by the end of 2012.
When conducting eDiscovery in the cloud, legal teams must understand the challenges they face in obtaining the data, searching it and producing it. Here’s what attorneys need to know about how to do that efficiently, cost-effectively and defensibly.
Finding and owning the data
In the days before the cloud, organizations maintained physical control of potentially responsive ESI, even if that data resided within legacy software systems or on old backup disks in a closet in a satellite office. With the cloud, the question of where data exists or even who owns becomes more complicated. Depending on the vendor and the type of cloud model, organizations may not know who technically has possession of the information, how to access it quickly or even what country it resides in.
In order to address these issues, organizations need to create thorough contracts and service-level agreements with the vendors that supply cloud-based services. To avoid issues down the road, the legal department needs to be closely involved when any new cloud-based services are introduced or any data migrates outside the organization’s direct control.
Applying EDRM principles
The legal team doesn’t need to throw out the entire playbook when conducting discovery in the cloud. Many aspects of the Electronic Discovery Reference Model (EDRM) can be adapted and put to use. Three specific applicable areas include identification, preservation and collection.
With the right contractors, tools and approaches, identification should actually become easier in the cloud. Most cloud services allow for reporting and full-text indexing, which the legal team can use to identify potentially responsive information and target collections.
However, data stored outside the organization’s firewalls can be more vulnerable to spoliation during preservation and collection. The cloud service provider must be able to maintain and prove the chain of custody throughout the entire lifecycle of the data. The legal team must also understand how to maintain and acquire the data without altering meta-data or any other aspect of the information.
Attorneys need to be particularly sensitive to issues of bandwidth and spoliation while collecting ESI from the cloud. Certain services and providers, such as Gmail, limit the number of accounts that can be connected to one User ID simultaneously. It’s very easy for some organizations to reach the threshold with only two clients attempting to access the same account at the same time.
Processing the data
Processing data that resides in the cloud also adds new challenges and concerns. Meta-data must be handled very carefully, to be sure that no aspect of it is inadvertently altered. The team must also consider a plan for converting email and user files and handling structured data. Deduplication can be even more daunting, since the expanded storage limits the cloud often brings means that employees may be tempted to save every email and draft they create or receive.
Methods and tools
While attorneys should always focus on defensible, repeatable approaches, there are no hard-and-fast rules when conducting discovery in the cloud. In-house counsel and their teams should carefully consider which approach and platform will work best, depending on the cloud model, service provider and matter at hand.
Social media considerations
Social media presents another area of concern, since virtually all the social media platforms that organizations and employees use are based in the cloud. By their nature, social media communications are dynamic and constantly changing. This can leave attorneys scrambling to identify and preserve ESI.
It’s also important to consider how to develop family relationships among social media data, in order to provide the right context for the information. Since organizations will almost certainly need to tackle social media data as an aspect of eDiscovery someday, it’s best for the legal department to least begin formulating a plan that meshes the organization’s eDiscovery and social media policies before litigation arises.
The cloud also presents a host of ethical considerations for attorneys, and different jurisdictions have developed different opinions and approaches. The American Bar Association has created a map that summarizes rulings in different states. Attorneys should be sure to stay current on the rulings that could impact them.
As technology and legal rulings evolve, attorneys must keep pace. Organizations are discovering many advantages in the cloud, from fewer upfront capital investments to more seamless software upgrades to vastly cheaper storage. The legal department must learn to accept these changes and get in front of them. Attorneys should begin by working closely with their colleagues in the IT department to understand the organization’s technological goals and plans and to oversee contracts with cloud service providers. Some proactive planning will minimize challenges and disruptions when litigation occurs.
As used in this document, “Deloitte” means Deloitte LLP [and its subsidiaries]. Please see www.deloitte.com/about for a detailed description of the legal structure of Deloitte LLP and its subsidiaries. Certain services may not be available to attest clients under the rules and regulations of public accounting.
While the information in this article may deal with legal issues, it does not constitute legal advice. If you have specific questions related to information discussed in this article, you are encouraged to consult an attorney who can investigate the particular circumstances of your situation.