Scenario: Your organization was served with a subpoena requesting all board meeting agendas, minutes and financial reports for a certain time period. The subpoena also requested any communications among directors and officers relating to a certain time period of board activity. Retrieving, reviewing and producing the data costs the organization more than expected, because your organization does not maintain its own email server, allows officers and staff to use “personal” email accounts (e.g., Gmail or Yahoo Mail) to conduct business, and emails board documents to board members using their respective personal or business (sometimes both) accounts. Now, your organization is evaluating options for centralized email and data management, including “cloud” options. What should you consider?

Cost savings and flexibility are key reasons organizations are considering cloud computing for their IT infrastructure needs. From email hosting to data storage and security, using the “cloud”—or Internet-based services including software-as-a-service (SaaS), platform-as-a-service (PaaS) and infrastructure-as-a-service (IaaS) provided by third-party vendors—can offer practical solutions. But those solutions come with legal implications. Care should be taken to understand cloud computing risk in your organization, including the risk of litigation costs and the risks associated with compliance with federal, state, local and foreign privacy and security laws, rules and regulations, and industry standards and other requirements. Your legal counsel can assist in evaluating and customizing your cloud contract so that these risks are shifted to the vendor if at all possible and to ensure that the vendor is itself compliant with applicable laws, standards and other requirements. As an initial step, consider the following areas when evaluating cloud service providers.

  1. Record and data retention and destruction. An effective record and data retention and destruction policy that clearly spells out schedules for record preservation, deletion or destruction under applicable law should be in place for every organization, regardless of IT infrastructure or the use of cloud services. This type of policy is particularly important where cloud services are being used, because the third-party cloud services vendors should be required to comply with the policy when collecting, storing and transmitting organization data. An effective policy will always contain provisions pertaining to litigation hold procedures (i.e., important exceptions to scheduled record and data destruction that apply automatically in the scenario above). Having such a policy will help to mitigate the risk that records and data relevant to litigation are destroyed inappropriately, along with the associated penalties and litigation costs.

Ask your prospective cloud service provider:

  • What is its data retention/destruction schedule? (e.g., How far back can we retrieve emails if deleted by the user?) Is it consistent with the organization’s policy? Is there a data volume storage limit?
  • Is metadata (i.e., author, creation date, modification date) preserved in the backup data?
  • Where/How is the backup data stored? What data security standards are in place, and how does the vendor ensure that data stored by the vendor is protected against unauthorized access or destruction? Is any kind of encryption or security applied?
  • Are the security and privacy features consistent with what your organization requires?

  2. Data organization. Ask your staff and board members to maintain folders in their email systems clearly labeled with a particular subject matter agreed upon ahead of time (e.g., “Exec. Director job search” or “Capital Campaign study”), or adopt uniform document filename standards. This permits efficient identification and retrieval of relevant data should the need arise. It can also streamline the scope of data collection should litigation arise, thus reducing volume (and costs). Consider implementing one of the many software-based tools that are currently available in the marketplace to assist with eDiscovery.

Ask your prospective cloud service provider:

  • Will the email platform support organization of email by folders? How sophisticated is the search capability of the platform (i.e., searchable by keyword and date range)?
  • Is a standard email platform being used (e.g., Microsoft Outlook) or is it a proprietary system? If a proprietary system, can email be exported in a format eDiscovery vendors can work with?
  • Is there additional cost for searching for relevant email data or documents, or is that part of your standard services?

  3. Data retrieval and preservation. When litigation arises, or when responding to a subpoena is necessary, a document destruction policy should be suspended and litigation hold procedures put in place to preserve potentially relevant data. The parameters of these steps should be discussed with your legal counsel. However, you will be relying on your cloud service provider as well. Make sure you understand the capability of the provider to implement litigation holds and preservation and find out if additional costs will be assessed. Mandate in your contract with your cloud service vendor that they comply in full with any litigation hold notice issued by your organization.

Ask your prospective cloud service provider:

  • Can we suspend the provider’s data destruction schedule to preserve data should litigation arise? How much will this cost?
  • Are there additional costs with retrieving backup data?
  • If the relationship with the provider ends, does the contract spell out how the customer can retrieve and maintain (in an accessible format) the data once hosted by the provider?