A large US company recently outsourced its IT functions and has begun to use cloud computing vendors, or other service providers, to store or process data. The company’s general counsel is concerned about any additional risks the company may face when responding to e-discovery requests, such as discovery penalties for inadequate preservation or incomplete disclosure, waiver of legal privileges and improper disclosure of confidential information to third parties. The general counsel is seeking ways to mitigate these risks through contract terms and advance planning.
Preserve Your Privileges
As a general matter, if your service provider has access to data that may fall within the attorneyclient or work-product privileges, consider adding specific clauses to the provider agreement to protect any electronically stored information (ESI) that you have identified as potentially privileged. For example, the contract could provide for additional restrictions on disclosure, data tagging or segregation of potentially privileged information.
If you cannot specifically identify the privileged information, consider using a broad brush—e.g., requiring that the provider treat all communications to or from your corporate law department as potentially privileged. Or, if you are not aware of any particular privileged information, consider obtaining an option in your contract to designate information as protected at a later time; you may even agree to accept additional charges for such later-requested additional security.
Create a Litigation Response Plan
If your service provider will store ESI that may be subject to preservation or production requests, consider contractually requiring the provider to engage in developing and implementing a joint litigation response plan. Such a plan might involve, for example:
- A list of responsibilities for preserving the ESI described in any preservation or production request that can be identified with reasonable certainty, and for providing prompt notification of any technical or other limitations that would prevent fulfillment of the preservation or production request;
- Participation in periodic meetings to discuss and update litigation response policies and procedures; and
- Appointment of an experienced legal information management representative by the service provider to manage production and preservation activities.
Provide Your Service Provider with a Litigation Requirements Notice
When litigation that has been filed, or is reasonably anticipated, relates to ESI possessed by your service provider, consider sending your provider a copy of the litigation hold notice that describes in reasonable detail all items to be preserved. Ask your provider to promptly contact you with any questions or concerns related to the notice and to provide you with any additional information you or the provider may need to more clearly determine the scope of the request.
Generate Information for Legal Proceedings
As litigation progresses, there are additional activities that you might want your service provider to undertake. For instance, you may request that your provider assist with the following:
- Cost estimates for the preservation and/or production of data;
- Descriptions of systems, data, media and processes utilized by the provider;
- Reports, declarations and affidavits from provider personnel; and
- Explained reasons why preservation or production of certain documents is infeasible or impossible in certain circumstances.
Regardless of the responsibilities assigned to your service provider—whether related to preservation and production or trial proceedings—it is recommended that you request that your service provider document, in writing, all steps taken to fulfill its obligations. This documentation helps ensure that your company’s requests are being carried out in full, and provides evidence of your company’s diligent efforts to comply with preservation obligations and discovery requests should your efforts come under scrutiny.
Third Party Data Requests
Opposing parties may request or demand access to your ESI from one of your service providers directly. There is a risk that a provider might provide ESI that should not be delivered to the opposing party. You can reduce that risk by including in your agreement or litigation response plan requirements that the provider:
- Immediately contact a company representative upon receipt of any request or subpoena by third parties for corporate ESI possessed by the provider and forward a copy of the request or subpoena to the company, to the extent legally permissible;
- Meet and confer with the company prior to responding to the third party(ies);
- Tender responsibility for responding to the request to the company and assist with any responses; and
- Take all commercially reasonable steps to preserve the company’s legal rights in connection with any response in the event the provider is barred from notifying the company of the request.
Having contractual obligations in service contracts and/or a litigation response plan can allow your company to handle discovery requirements faster, more effectively and with lower risk and expense when some or all of your data is managed by outsourced providers or cloud computing providers. Companies that do not already have these contractual provisions can attempt to amend their agreements with third-party providers that possess critical ESI. Consider including litigation readiness provisions as a standard requirement for new contracts and new relationships with outsourcing and cloud computing providers.