Legal Implications of Cloud Computing -- Part 4.5 (Extending the Discussion of E-Discovery in the Cloud)
My colleagues Dave Navetta, Tanya Forsheit and Scott Blackmer have framed a definition and outlined the essential legal implications of cloud computing. Part One (the Basics), Part Two (Privacy), and Part Three (Relationships). Tanya has started a discussion of the application of electronic discovery and electronic evidence issues in the cloud. Part Four (Electronic Discovery). This post extends Tanya's discussion of the intersection between electronic discovery and the cloud.
In short, "cloud computing" is using the digital resources of providers in remote locations for creating, transmitting or storing digital information pursuant to an agreement that gives you access and some measure of ownership or control of the information, including the power to grant or withhold layers of access to persons within your organization and outside. Cloud computing creates a symbiotic relationship between those remote resources and you. Each of these characteristics of cloud computing -- location, resources, creation, storage, transmission, ownership, control, access and symbiotic relationship -- has important implications for the electronic discovery issues in litigation, and therefore should be understood and addressed in creating a relationship between a cloud provider and its customer.
Here are some comments on issues that Tanya has raised, a few additional electronic discovery issues likely to arise in the cloud, and clues about how those issues are developing and are likely to develop.
Possession, Custody or Control
As Tanya pointed out, the legal similarities and differences between premises-based data and data in the cloud pivot around whether the data is within the company's "custody, possession or control." ESI on a company's captive computers presents primarily "possession" issues. ESI in the cloud presents primarily "custody" and "control" issues.
The pivotal issue regarding custody or control of ESI in the cloud -- i.e., your ESI in the possession of a third party with whom you have the right to access the data but to exclude others -- is already clear: regardless of location or possession, you must produce discoverable ESI over which you have custody or control. There are already lots of cases about the duty to produce your relevant ESI that is in the possession of former employees, application service providers (ASPs), accountants, affiliates, subsidiaries, parent companies and some third-party providers. The test for determining custody, possession or control in the context of determining whether a party must produce relevant ESI has been construed broadly. In general, so long as you have the practical ability or contractual or other legal right to obtain the information, the fact that the ESI is not in your physical possession, or even within the United States, does not normally constrain your duty to produce the information. E.g., In re NTL, Inc. Securities Litigation.
For ESI that is not within the custody, possession or control of a party to litigation, relevant ESI within the custody, possession or control of a nonparty may be obtained by serving a subpoena upon the nonparty, including a cloud provider. Sedona Conference Commentary on Non-Party Production & Rule 45 Subpoenas.
Preservation and Negligence
In general, the duty to preserve relevant ESI for civil disputes attaches to your ESI in the cloud as well as to ESI in your possession. Given that the scope of the preservation duty, and the type and severity of sanctions for breaching the preservation duty -- i.e., for spoliation -- are complex, the duty and the remedies for breach of the duty may look somewhat different for ESI in the cloud than for ESI in your possession.
Inaccessibility and Location
For example, Rules 26(b)(2)(B) and 45(d)(2)(D) of the federal rules of civil procedure give some protection against needing to produce ESI whose existence and sources you identify as not reasonably accessible because of undue burden and cost. Isom, The Burden of Discovering Inaccessible Electronically Stored Information: Rules 26(b)(2)(B) & 45(d)(2)(D), 2009 Fed. Cts. L. Rev. 1 (January 2009).
Inaccessibility issues that may be unique to the cloud include: What level of cost to retrieve ESI from the cloud might excuse the duty to produce from the cloud? Might there be a duty to structure cloud contracts so that retrieval for production in civil litigation is not unduly costly in order to be entitled to the protection of these rules? Will the fact that ESI is in the cloud affect the specificity needed to satisfy the identification requirement of these rules? How will the cloud issues impact the burden that the holding party must carry to prove inaccessibility? How will cloud issues affect the weighing of factors to determine whether good cause exists to require the production of inaccessible ESI? Will the cloud influence whether the court should require cost shifting or cost sharing for production of the information?
"Litigation hold" often refers to the process and technology for preserving ESI. The cloud will add another dimension to the litigation hold process. Depending upon the search and retrieval capabilities of the cloud provider, implementation of a litigation hold may be more or less doable than for premises data.
Spoliation Liability and Remedies
Liability for failure to preserve relevant ESI that a party knows or should know to preserve is near-strict liability. But defining when the duty arises, and deciding what remedy is appropriate if spoliation is found -- what monetary, evidentiary or dispositive sanctions are appropriate -- turn on complex perceptions of fault, opportunity, bad faith, competence, intention and willfulness. For a time, the excuse that information in the cloud is out-of-sight-out-of-mind might be given weight. A lack of sophistication in structuring cloud technology that is litigation-friendly might be given weight. On the other hand, in some courts, the day may already have passed when you could find forgiveness in the excuse that you did not appreciate the extent of your data in the cloud. In any event, as awareness of cloud technology and processes grows, the law relating to duties with respect to information in the cloud will evolve. For now, the prudent path is to know as much as you can about what cloud data you and your company control, and to understand how to access, control and ultimately dispose of that data.
Courts are requiring early and sophisticated awareness of the ESI that a party must disclose early in the litigation to support the party's claims and defenses. Courts are likely to require that this awareness include awareness of information in the cloud.
Over the last two years, courts have begun to expect real, tested, testable expertise with search logic and technology in electronic discovery. At present, the fact that ESI is in the cloud usually complicates the search process. Cloud providers are likely to gain real advantage in the market by enhancing the efficiency of search and recovery of information from the cloud, including for electronic discovery.
Physical Inspection of Cloud Computers
In rare instances, usually only after showing actual spoliation or facts demonstrating a palpable risk of spoliation, a party can obtain an order to impound and/or inspect the hardware of a party on which ESI resides. For information in the cloud, in similarly rare instances, a party may get the right, usually by subpoena, physically to inspect relevant party information on the computers of the cloud providers.
The extent to which a party will be liable for the acts of a cloud provider will continue to develop. For example, if ESI stored on the computers of a provider becomes unavailable or inaccessible as an economic or practical matter because of the bankruptcy of the provider, sorting out liability as between the provider and the owner of the information will be complex.
Issues relating to privilege are likely to have an added layer of complexity for cloud information. These issues will include whether confidentiality of the information has been properly contained, and the mechanics of a quick peek or clawback for information claimed to be privileged.
Key Persons and Enterprise v. Manual Search
Several recent cases examine whether the identification and preservation of ESI may be done by focusing on key persons, or whether in some cases the search for data across an enterprise or at least across a defined segment of an enterprise may be required. These issues will likely be affected in future cases by whether data is stored in the cloud, and what the technology of search and access is in a given cloud platform.
Rule 37(e) provides that "absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system." This protection is likely to apply to ESI on cloud systems in much the same way as it is applied to premises systems.