In the age of cloud computing, electronically stored information (“ESI”) is no longer stored exclusively on physical drives or Facebook. Dropbox and Google Drive are programs (“apps”) that provide cloud storage services. A user can upload files to reserved space on a server from any computer, smartphone, or tablet connected to the Internet. The stored data can be synchronized and downloaded to the user’s other devices. Individual users get limited storage space for free, and higher limits are available on a pay-as-you-go basis. Apple’s “App Store” and Google’s “Google Play” store for Android devices show that Dropbox and Google Drive are among the top free downloadable apps for smartphones. (Microsoft Skydrive, Apple iCloud, and Amazon Cloud are other popular cloud computing services.)
Attorneys should bear in mind that a subpoena sent directly to one of the service providers of these apps likely will meet a motion to quash based on Title II of the Electronic Communications Privacy Act (the “Stored Communications Act” or “SCA”). The court in Crispin v. Christian Augigier, Inc., 717 F.Supp.2d 965 (C.D. Calif. 2010), for example, found that the SCA was passed by Congress to prohibit electronic communication service providers, such as Facebook and Myspace, from revealing the contents of communications electronically stored to anyone other than the addressee or other intended recipient. Therefore, to obtain “cloud” ESI, a subpoena to the plaintiff or defendant app user is the better route.
In the ongoing case of Integral Development Corp. v. Tolat, No. 3:12-cv-06575-JSW (N.D. Calif.), the plaintiff-corporation sought discovery as to where the defendant had stored its proprietary source code. The court ordered the defendant to return any proprietary information he possessed on any storage medium, including Dropbox.
The defendant subpoenaed Dropbox for information. Dropbox opposed the subpoena based on the SCA. The court ordered that Dropbox data be produced directly to defendant’s attorney, who in turn was ordered to turn it over directly to plaintiff’s forensic expert to ascertain if any relevant ESI had been uploaded, transferred, or deleted from the Dropbox account.
A full forensic report, however, cannot be conducted based on a copy of the cloud storage file on an end-user’s computer. Metadata on a single computer would be different from that of another computer that also had accessed the account at an earlier or later date. To obtain a complete forensic report, including information on who accessed the cloud account, Dropbox would have to provide the ESI. The alternative is that this information could be laboriously reconstructed by accessing each computer that had synchronized with the account (the Tolat court ordered this).
In another case, the plaintiff resorted to asking for preliminary injunctive relief. While the case eventually settled before the court ruled on the motion, this relief may be necessary to preserve information in cloud storage. A law firm sued its former managing shareholder claiming, among other things, violations of the Computer Fraud and Abuse Act based on allegations that the defendant installed Dropbox as “secret spy software” on the firm’s network and downloaded over 78,000 documents before leaving for another firm. Elliot, Greenleaf, & Siedzikowski, P.C. v. Balaban, No. 2:12-cv-00674-TJS (E.D.Pa.).
The firm filed for preliminary injunctive relief, requesting expedited discovery and specific instructions on how the Dropbox account was to be preserved, including: (1) removal of Dropbox from computers owned or used by the defendant; (2) certification that all Dropbox information had been preserved; (3) imaging of computers owned by the defendant; and (4) imaging of devices, e-mail accounts, and removable media owned by the defendant.
Keeping up with advances in electronically stored information can be a challenge, but employers can stay up-to-date with case strategies and assistance of e-discovery counsel.