Jeffrey Ziplow, MBA, CISA, CGEIT
Cloud computing is alive and flourishing. It has become the popular technology tool for many who want to shift from local PC/Network computer storage and processing to external computers in "the cloud" (on the Internet) handling these types of services. Email, word processing and financial systems are all examples of information that may no longer exist at a company's physical site and reside somewhere in cyberspace. Cloud computing technologies, however, can significantly impact how and where electronically stored information (ESI) resides, thus impacting the traditional eDiscovery model.
Everyone seems to have their own definition of cloud computing. Simply put, cloud computing is typically considered a subscription-based or pay-per-use service that is provided through the Internet. This also extends to the concept of Software-as-a-Service (SaaS). This includes software applications (email, word processing, etc.) that are provided as a service to company employees via the Internet. Their information is stored on third-party network servers and not on in-house computers. Typically, access to these applications is through a standard web browser, allowing a user to access the information from virtually any location.
Most of the cloud computing facilities are multitenant, allowing multiple companies to share the same physical hardware and application capabilities while segregating and securing access to each company's information. The advantage to this type of service is cost and scalability. A customer no longer needs to invest in capital purchases to manage, maintain and build a physical infrastructure or to handle additional employees, software upgrades, storage requirements or business continuity planning. Most of the time, these elements are built into the cloud model.
And Now The Challenge!
In the past, most ESI for eDiscovery was located on individual PCs or on a company's internal network server(s). Computer forensic tools could be used to capture the ESI information in its pristine state. More importantly, the company had control over where the information was located and the retention policies, along with data backup practices and the ability to restore this information. In a cloud computing environment, all of this changes. A company may have limited control over many of these practices.
Attorneys (in conjunction with a firm's IT Department) must now figure out where the ESI information resides. This is not necessarily an easy task. Cloud computing can drastically expand the ESI search requirements and significantly increase the difficulty and complexities of preserving, retrieving and producing this valuable information. Rule 34 of the Federal Rules of Civil Procedure allows the "requesting party or its representative to inspect, copy, test or sample....items in the responding party's possession, custody or control." The key words here are possession, custody and control. Various court cases have established that a party is obligated to preserve and produce ESI information that is not in its possession or custody, however in its control. Using cloud computing services will not absolve a party from eDiscovery responsibilities; it will just make them more challenging.
Another challenge for cloud computing is retrieving deleted files or other information located in unallocated hard disk space on cloud provider's server(s). Traditionally, a computer forensic expert could access the hard drive of a PC or network server directly to identify and preserve this type of ESI information. However, in our new cloud computing model, a server(s) will be stored off-site (maybe in another country) and may be shared between multiple cloud customers (multitenant). Absent assigned hard drives or partitioning of server space, captured ESI could contain information from other cloud customers. Understandably, these companies would not want their data picked over by other parties. In addition, there may be no way to preserve or produce this data without causing significant disruptions to the cloud provider's operations and/or to their customers. Ultimately, the ability to retrieve deleted files or inspect unallocated disk space within a hard drive for a computer forensic examination would be severely limited in the cloud.
Controlling ESI in the Cloud
Putting one's head in the sand and claiming no control over cloud computing, and thus no ESI compliance, will not be received well by opposing counsel or the court. Instead, there is a practical responsibility for a party to recognize and understand how they can best control ESI in a cloud environment. Asking the right questions, signing up for the appropriate services and having a solid service level agreement can help.
Many cloud computing facilities provide a broad range of services to help protect ESI. An example of this is email and IM archiving capabilities. This type of service can help companies manage document/file retention and allow for eDiscovery searches with relative ease. Although there is an extra charge for this service, it may well be warranted to protect a company's responsibilities for ESI eDiscovery. It should also help with litigation hold requirements.
Having a defined and documented retention policy is another key component to controlling ESI in the cloud. Once these policies are defined and approved, many cloud computing services have the ability to configure their systems accordingly. This will also provide a firmwide standard by which all employees must abide.
There is no question that cloud computing can challenge how ESI is produced related to eDiscovery. Although acquiring deleted files causes the biggest challenge for ESI in the cloud, it is possible to set up and configure cloud computing solutions to help with ESI discovery process. Upfront planning is the key.