While cloud technology is a godsend to consumers everywhere, cloud technology can significantly complicate the process of ediscovery. Because a party to litigation is no longer in sole custody and control of their data, they may be unaware of where in the world their data is located, how to access it, or even who to ask for access. eDiscovery in the cloud can feel like searching for needles in haystacks when the haystacks are half a world away.
Continue reading below for a quick primer on how ediscovery interacts with cloud technology and a few issues you should watch out for if you’re legally responsible for data held in the cloud.
What is eDiscovery?
To refresh your memory, ediscovery simply refers to “electronic discovery.” Electronic discovery, in turn, refers to the process of identifying, collecting, and producing electronically stored information (ESI) to another party in litigation or an investigation.
What is “The Cloud”?
When people refer to “the cloud” they could be referring to several different things. They might be talking about a distributed server bank that holds data. They might be talking about distributed processing resources used to run an app or program.
What’s common to all of these definitions however is the notion of distribution. Properly understood, “the cloud” refers to a distributed collection of computer resources (often either storage or processing resources).
For example, when you access your email in the cloud, you’re doing so by accessing several different servers distributed around the world that contain and store your email data. This access happens “behind the scenes” and without your direct input.
Issues With eDiscovery in the Cloud
Because data is stored in multiple locations on multiple physical computer systems, issues with identifying, collecting, and producing this data upon request often arise.
The Federal Rules of Civil Procedure in the United States require an organization to be able to preserve and produce information in response to litigation. Holding one’s data in the cloud does not absolve a firm of that obligation. It can, however, add an additional layer of complexity to that responsibility.
This is especially true when you consider that ediscovery in the cloud may implicate at least three levels of technological separation:
- IaaS: Infrastructure as a Service. These services provide the physical infrastructure of a cloud network. So, for example, they might provide organizations with the use of several servers scattered throughout the world to use as processing and storage resources.
- PaaS: Platform as a Service. These services provide web and software developers a place to host applications they create.
- SaaS: Software as a Service. SaaS is software served up as a hosted service accessed on the Internet. For example, the popular webmail service Gmail is a SaaS.
eDiscovery in the cloud can involve all of these different layers which may, in turn, involve at least three additional organizational entities in an eDiscovery request.
For an example of how the use of cloud technology can complicate ediscovery efforts, consider the case of Beluga Shipping GMBH & Co. KS “Beluga Fantastic” v. Suzlon Energy Ltd, Federal Court Proceedings, NSD 1670 OF 2008 Before the Federal Court, New South Wales, Australia.
In this case, Suzlon sought an order requiring Beluga Shipping’s employees to produce Gmail messages that would, according to Suzlon, reveal an unlawful scheme to profit from Suzlon’s cargo. The US District Court, Northern District of California, San Jose Division declined to order production because the emails were located on US servers.
The court found that the Electronic Communications Protection Act applied to the employees, even though they weren’t citizens or residents of the United States. Therefore, the petition to compel the production of the emails was denied.
Service Level Agreements
Service level agreements between cloud service vendors and organizations are critically important for ediscovery in the cloud. These agreements typically spell out the rights and responsibilities of both parties with respect to the creation, use, and preservation of data.
To maintain an appropriate level of litigation readiness, firms should be fully aware of the terms of all of their cloud service agreements and take steps to supplement data preservation with their own efforts where their cloud provider fails to adequately provide this service.
Service level agreements often change over time, and this can require firms to keep a close eye on whether their rights or responsibilities with respect to electronically stored information have changed.
Service level agreements have become the subject of ediscovery litigation. In Kamatani v. Benq Corp., 2005 WL 2455825 (E.D. Tex. Oct. 4, 2005), $500,000 in costs were awarded against the defendant Benq for failure to comply with discovery orders. Among other issues, Benq had claimed it did not have access to ESI requested by the plaintiff. However, a network access agreement between Benq and Philips which had been provided to the court revealed that it did, in fact, have such access.
Various pieces of legislation and regulation around the world restrict and shape whether and how an organization can produce data pertaining to a particular consumer. eDiscovery in the cloud can be complicated by the fact that the electronic and hardware resources of a cloud provider may be physically located in multiple different nations, all with different data privacy laws and regulations. For example, a company may be headquartered in the US, do business with a US citizen, but use a cloud server located in Europe. In that case, the European Union’s General Data Protection Regulation (GDPR) would be implicated, as well as the United States’ Electronic Communications Privacy Act (ECPA), as well as Title II of the ECPA, the Stored Communications Act.
Physical presence in the US can also implicate First, Fourth, and Fifth Amendment rights under the United States Constitution. Cases like Juror Number One v. California, 206 Cal.App.
4th 854 (2012) and Ehling v. Monmouth‐Ocean Hospital, 872 F.Supp.2d 369 (D.N.J. 2012) have considered the impact of a person’s reasonable expectation of privacy in the context of the invasion of privacy tort and the application of the Stored Communications Act.
Those two cases are representative of the fact that the case law is far from settled in this highly contentious, tangled, and confusing area of law.
These are just a handful of the issues that might arise when parties to litigation seek to conduct ediscovery in the cloud. It shouldn’t come as a surprise that cloud-based ediscovery raises a whole host of issues ranging from user privacy to litigation preparedness. While all of these issues can likely be effectively handled by reputable cloud providers (like Now Discovery), firms must be alive to the potential for complications in the ediscovery process created by the cloud.