Federal Rule of Civil Procedure 34(a) requires litigants to produce documents – including, of course, ESI – so long as those documents are in their “possession, custody, or control.” This phrase makes clear that parties have to preserve, search, and produce relevant papers stored in file cabinets in their employees’ offices, as well as relevant files saved on the hard drives of their employees’ work computers. But as data storage and processing functions are increasingly outsourced to third-party vendors, such as cloud-based document management systems, the contours of the phrase “possession, custody, or control” are becoming ever fuzzier and more prone to dispute.

Take this blog post, for instance. It was originally written by a lawyer working remotely through a law firm vendor’s cloud-based document management system and then posted to IT-Lex for your reading pleasure. If a party sought a native copy of this article for litigation, to whom should they turn: the law firm, the cloud vendor, or IT-Lex?

1. Legal Principles

Rule 34(a)’s concept of “possession, custody, or control” has been applied to paper documents and other tangible items for years. The principles that have evolved are straightforward. First, because the phrase “possession, custody, or control” is written in the disjunctive, “only one of the enumerated requirements must be met.” Cumis Ins. Society, Inc. v. South-Coast Bank, 610 F. Supp. 193, 196 (N.D. Ind. 1985). Therefore, “actual possession of the requested documents is not required” to satisfy this language. Soto v. City of Concord, 162 F.R.D. 603, 619 (N.D. Cal. 1995). Indeed, since “control” is generally a broader and more nebulous concept than either “possession” or “custody,” discovery disputes are most likely to center around whether a party “controls” a requested category of documents. “Control” in this context means “the legal right, authority, or ability to obtain upon demand documents in the possession of another.” American Rock Salt Co. v. Norfolk Southern Corp., 228 F.R.D. 426, 460 (W.D.N.Y. 2005).

This definition demonstrates that the determinative issue in an eDiscovery “control” dispute is not whether the requested information is stored locally on a party’s computer systems or electronic media. Rather, whether that party has “the legal right, authority, or ability to obtain upon demand” the requested documents is key. And while the definition is easy to state in a sentence and apply to boxes of documents, its application in particular eDiscovery cases can be fact-intensive, broader than you might expect, and not at all easy to resolve.

2. Case Law

A growing body of case law provides some guidance on when data resides in a party’s control. In Procter & Gamble Co. v. Haugen, 427 F.3d 727 (10th Cir. 2005), the Tenth Circuit considered whether Procter & Gamble had a duty to preserve certain market share data that was maintained by a third-party data aggregator. P&G subscribed to this aggregator’s database, and as a subscriber P&G was able to access the data through designated terminals at P&G’s facilities. (The data was relevant to P&G’s claim for damages from the defendants’ spreading rumors that P&G was funneling profits to support the “Church of Satan” – a back-story worthy of another post.) The court held that because P&G did not own, possess, or have the right to download any of this data without paying an additional fee, it had no duty to preserve the third-party’s database. Although the case was not specifically about the scope of Rule 34(a), it stands as persuasive authority limiting a litigants’ duties to produce data owned by somebody else.

On the other side of the spectrum is Columbia Pictures, Inc. v. Bunnell, 245 F.R.D. 443 (C.D. Cal. 2007), where the plaintiffs successfully compelled the production of server log data relating to the pirating of copyrighted movies and TV shows. In an attempt to shroud this data from review, the defendants routed all user traffic through servers operated by a third-party vendor, to ensure that no user information would be logged on the defendant’s own servers. After a day-long evidentiary hearing, the court held that the defendants still controlled the data (even “ephemeral” data existing only on defendants’ RAM). Finding that the defendants had the “ability to manipulate at will how the data in issue in routed,” it compelled the production of the data stored on the third-party’s servers.

More recently, a number of eDiscovery custody disputes have arisen in employment law cases. This makes sense, since companies have increasingly outsourced human resources and payroll functions to third party vendors. In Kiser v. Pride Communications, Inc., 2011 U.S. Dist. LEXIS 124124 (D. Nev. 2011), the court compelled the defendant to produce its payroll and time-clock records, rejecting an argument that the defendant used a third-party payroll vendor to process and maintain the data. In the court’s view, it was “inconceivable” that the defendant lacked the ability to request – i.e., “control” – the records from this vendor.

Similarly, in a Title VII case, Chura v. Delmar Gardens of Lenexa, Inc., 2012 U.S. Dist. LEXIS 36893 (D. Kan. 2012), the court rejected the defendant’s argument that it had no duty to produce system schematics that were kept by a third-party IT vendor. Rather, the court directed that “[i]f responsive documents are in the possession of its IT service provider but Defendant has authority or control over the documents, then Defendant has a duty to contact the IT service provider and obtain any responsive documents being maintained by the IT service provider.” By contrast, in a wrongful termination case, Abulsaad v. Reliable and Loyal Management, 2012 U.S. Dist. LEXIS 122721 (E.D.N.C. 2012), the court held that the defendant, a temp agency, did not “control” the medical records of the clinic at which its employee had spent his time before being let go.

3. Implications

These cases suggest a few observations. First, to resist discovery, it is not enough to say that the information is kept by a vendor. Instead, a party must consider the extent to which it has the right to collect the requested information upon request. If it does, it is more likely that courts will find that the party “controls” the documents for purposes of Rule 34(a).

Second, because eDiscovery custody disputes turn on whether a party has “the legal right” to obtain documents, the terms of vendor agreements are critically important. Service agreements with payroll processors, document management providers, and similar vendors should therefore be drafted with the possibility of future litigation in mind. Such agreements should specify who controls the underlying data, who controls the metadata, and who controls the formulas by which the data is analyzed. While perhaps not dispositive, such provisions may provide additional arguments.

Third, remember that “control” is still only one piece of the analysis of production obligations. Courts will also balance the burden and cost of the production (which, with extensive database data maintained by third parties, often in forms that are largely inaccessible without costly hardware, may be considerable), with the relevance and importance of the requested information.

Finally, it is important to appreciate how custody disputes can add time, expense, and complication to the eDiscovery process. Therefore, parties should engage competent eDiscovery counsel to spot custody issues early on in the process and to minimize disruptions and delays down the road.