The Cloud and E-discovery: A Complex Challenge
Is IT actually ready for cloud E-discovery, or is it just assuming it is ready?
If you are responsible for data retention (electronically stored information or ESI) and you are using the cloud for even something as mundane as voice mail, e-mail and IM, get ahead of the lawyers for E-discovery. You never know when some legal action will be taken against your organization. This country loves lawsuits. Is your IT department ready to satisfy the E-discovery requirements? What if the data is in the cloud? When an organization subscribes to UC or contact center services in the cloud, the ESI is in the cloud. When employees use social media like Facebook or LinkedIn for work, the ESI problem worsens.
Assuming that the data is easily accessible and in original unmodified form is just that, an assumption. This assumption by the organization’s lawyers is reasonable, but is IT actually ready for cloud E-discovery, or is it just assuming it is ready? The Federal Rules of Civil Procedure require an organization to be able to produce ESI that has been preserved by the organization and can be demonstrate to have in their possession, custody and control. When the cloud is involved, then this is a joint--organization and cloud provider--responsibility. This is a murky area. There are few court cases to base decisions upon for an organization’s lawyers to review.
A cloud problem is that the organization does not know where the data is stored. Further, the organization may be unaware of the data format stored and the data format required. Another wrinkle is how fast can the cloud provider deliver the data?
There are three approaches for E-discovery in the cloud. Christine Taylor of the Taneja Group posted a blog on this subject, "9 Top Trends in eDiscovery #4: eDiscovery in the Cloud". She defines the approaches and the risks associated with cloud E-discovery:
1. Using the cloud for E-discovery application delivery (SaaS), is low risk since data itself stays behind the organization’s firewall. The SaaS packages cover processes like data collection, data preservation, and review.
2. Archiving data sent to the cloud and contracting with the cloud provider to run E-discovery processes is also low risk. This puts the responsibility on the organization to select a secure service with an excellent track record.
3. Organizations that store active data in the cloud and are subject to security, privacy and other regulatory actions are the highest risk of the three. This is where the service level agreements are inadequate and usually do not have mechanisms available to report on physical data locations to their customers. This can be a serious defensibility issue for the organization. This is the likely scenario for those organizations that subscribe to UC or contact center services in the cloud.
Clearwell Systems, now part of Symantec, published a survey in June 2011, "Clearwell Systems Survey Finds Cloud and Social Media Applications will be Twice as Relevant in E-Discovery by End of 2011". The survey results show dramatic changes from the 2010 survey.
* Sixty percent of respondents expected E-discovery of cloud-based applications in 2011, twice the number in 2010.
* When social media applications were covered in the survey, 58 percent of respondents expected to manage them as part of e-discovery in 2011, twice the 27 percent who did so in 2010.
* The number of lawsuits and regulatory inquiries increased 70 percent from 2009 to 2010.
* Seven out of 10 companies believed that E-discovery investigations would continue to increase.
* In response to these issues, 93 percent of the surveyed organizations intended to bring some portion of ESI for E-discovery in-house over the next year.
Some good advice to follow is:
1. E-mail may be well covered by the cloud contracts. Other media may not, including voice mail, IM, video web conferencing.
2. Know where your ESI is stored at all times.
3. Cloud subscriptions are easy to implement. Watch out for business units that go their own way outside of IT.
4. Plan for E-discovery. Don't just respond to an E-discovery request when it arises.