The IT department of a large international company is in the process of negotiating a contract with a cloud computing provider to maintain and hold all of the company’s electronically stored information and data. The company’s Chief Information Officer asks its General Counsel to review a nearly final draft of the contract with the cloud computing provider to make sure that any potential risks that might accompany the transition are addressed in the agreement.
What is Cloud Computing?
Cloud computing is Internet-based computing; it involves the use of remote computing resources that are usually shared and/or distributed rather than dedicated and centrally located. Cloud computing is generally a subscription-based service that satisfies both computing and storage needs with an infrastructure based in the Internet. Cloud computing, thus, is physically limitless, and can then be accessed by users “on demand” from virtually anywhere with an Internet connection with minimal administrative effort. This service is managed by a third-party provider rather than an internal IT department. For example, Gmail, Google’s free email service, stores email “in the cloud” which means that any user’s email “mailbox” may actually be stored in one of several different servers located all over the world and can easily be accessed from anywhere on the Internet.
Some of the benefits of cloud computing are that it potentially reduces costs and increases efficiency by freeing a company’s IT department from the need to own and service its own hardware and software. Thus, many businesses are seeking to take advantage of the still-evolving technological development.
Potential Risks: Redefining “Possession, Custody and Control”
From a litigation and investigation perspective, storing a company’s data in the cloud can lead to concerns about compliance with the company’s obligations to preserve and produce electronically stored information (“ESI”). For example, although it may not technically be in the company’s possession or custody, cloud-based ESI may still be considered to be in the company’s “control,” even though the company has little or no say over whether and when the ESI is destroyed, and even though the company may not have any assurance that the cloud provider will implement a legal hold correctly and quickly. The company may also have limited access to its own data, and the access it does have may be insufficient or too slow to meet court requirements for production of ESI.
Another risk is that ESI may be co-mingled with the ESI of another company or of a separate but related corporate entity. This can lead to problems determining what entity actually has “possession, custody and control” of data and is under an obligation to preserve or produce it.
Finally, given that a cloud computing provider may store data in any one of its many servers anywhere in the world, storage in jurisdictions with strict data protection and transfer laws may complicate access and retrieval of this data.
Tips for Managing the Risks of Cloud Computing
- Ensure that the legal and compliance departments understand fully what data will be stored, or is being stored, by the company in the cloud, ideally before decisions are made to store the data.
- Develop procedures to ensure that data can be preserved and collected in a timely manner in response to a legal hold.
- Negotiate with the cloud computing provider to ensure that the service contract contains provisions that protect the company’s interests and its need to comply with preservation and production obligations, including, if possible:
- Access: The company should have the right to access all ESI “on demand” and in a specified format that is easy to use.
- Control: The company needs the ability to reasonably direct acts of the provider to preserve and produce ESI for purposes of litigation.
- Cooperation: The provider needs to be willing to comply with the company’s directions regarding its ESI and ensure compliance with any and all legal holds.
- Speed: The provider must agree to cease any data destruction (to comply with a legal hold) in a timely manner and produce data with sufficient speed to meet the company’s obligations.
- Metadata: The company should inquire in what form or format the data will be stored and returned for production during litigation, including whether metadata will be in tact.
- Costs: Beyond the price of subscription service, the contract should address the costs of potential production, as well as potential indemnification policies and attorneys’ fees should the cloud provider’s failure to comply with the contract terms result in liability for the company.
- Transparency: Ensure that the contract addresses confidentiality, data integrity and availability issues, including whether data will be commingled with data of other cloud customers.
- Jurisdiction: Discuss with the provider where the data will be maintained. Consider whether production of the data might require compliance with data transfer laws or international privacy laws.
- Ownership: The contract should clearly state that the company owns the data.
- Security: Inquire about the security measures that the provider has in place to protect data privacy and attorney-client privilege. Determine if the company will be informed of a security breach.
- Policies: Determine whether the provider has policies and procedures that may impede the company’s obligations to preserve, collect and produce ESI during litigation.
- Disaster Recovery: Have plans for what happens if a server crashes or data is otherwise lost or if the provider goes bankrupt or out of business. Stipulate that contractual provisions will continue to remain in force if the provider is acquired by another company.
The best way to manage the inherent risks associated with the use of cloud computing in relation to a company’s obligations in litigation and regulatory investigations is to obtain a comprehensive understanding of how the company plans to use the cloud computing, and take pro-active steps to establish procedures and contract terms before the need arises to preserve and collect data from the cloud.