On December 14th, the Department of Justice released a new internal guidance memo instructing federal prosecutors to request digitally stored information directly from “enterprises” before requesting the same information from third-party cloud service providers. The memo defines enterprise as “companies, academic institutions, non-profit organizations, government agencies, and similar entities that pay service providers to store electronic communications and other records.” As these enterprises increasingly move their digitally stored information off of their own servers to servers remotely hosted by third-parties, practical and legal considerations have prompted DOJ to reconsider its process for obtaining information pursuant to grand jury subpoenas, search warrants, and other process.
Historically, prosecutors would approach an enterprise directly when gathering information. With the advent of cloud computing, some prosecutors began approaching cloud service providers with requests for information stored on their servers. However, many of those cloud service providers pushed back against some data requests citing privacy and related concerns. DOJ noted that making requests to cloud service providers was often impractical because the provider only had access to data that was encrypted, incomplete, or not easily extracted. By engaging an enterprise, rather than its cloud service provider, the DOJ guidance puts corporate counsel in a better position to monitor the disclosure for over-collection, inadvertent disclosure, and potential waiver of privilege, which “parallels the approach that would be employed if the enterprise maintained data on its own servers, rather than in the cloud.” However, the guidance maintains that gathering data directly from cloud service providers continues to be appropriate in certain circumstances, including where approaching an enterprise directly risks evidence destruction, where the enterprise’s personnel is not capable of isolating the appropriate information in the cloud, or where such a request would endanger a cooperating witness.
Finally, the guidance highlights prophylactic measures that companies can take. Many cloud customers have designated a person of contact within their organizations who is to be notified when their cloud service provider receives a government request for data. These individuals can coordinate the process of disclosing data by liaising with the cloud service provider, the government, and relevant parties within the organization.
This announcement comes on the heels of a related announcement in October 2017 wherein the DOJ announced an intention to limit the use of extended gag orders when requesting information from digital service providers, which we summarized here.
This guidance is likely to be well received by cloud service providers and their customers alike because it increases the ability of companies and organizations to be aware of the disclosure of their digitally stored information to the government.