As more people and businesses use the cloud, discovery of cloud data will become an important part of litigation. To prevent discovery problems, users should consider the following practices regarding their cloud use.
Identify Security Needs Before Utilizing the Cloud
Choosing to operate a private cloud will increase the security of private or confidential information. If users select public or community clouds, they should consider leaving private and confidential information on local servers or hard drives while taking advantage of the benefits of cloud computing.
Take Time Choosing a Service Provider
When a user engages a cloud provider with locations in many different regions, the user should take steps to restrict the location of its information to prevent data from entering or exiting regions with data protection laws. Users should insist that providers disclose the locations of their server facilities, including those used for overflow capacity and backup.
Utilize the Permissible Cross-Border Transfer Programs
If a company needs to avail itself of cloud service providers that store data in foreign jurisdiction, that company should take steps to protect itself from potential liability. To ensure compliance with foreign data privacy law while at the same time preserving the benefits of the cloud, organizations should avail themselves of the available crossborder data transfer programs: the Federal Trade Commission-administered Safe Harbor program, model contract clause agreements, and binding corporate rules.
Negotiate and Understand Service Agreements
The service agreement defines the provider’s and the user’s legal rights. A 2010 survey of 30 standard agreements used by cloud providers found that they were weighted toward the provider and often violated foreign data protection laws. Terms of service are more likely to be negotiable for large users of private clouds, which offer increased customization. Whether negotiating a cloud service agreement, or shopping around for favorable terms, users should understand what services are offered. Services such as comprehensive search options, instant suspension of the auto-delete function, and preservation of metadata and embedded data will prove useful when responding to discovery requests.
Create a Preparedness Plan
Develop a strategy for putting a litigation hold on cloud data into place. Know who to contact on the cloud provider team and how to suspend auto-deletion and preserve all potentially relevant data. Understand how the provider’s system works, what types of data it creates that might not be apparent to the user, how long data lives beyond its stated, required life, and how preservation and collection can be accomplished if and when it is needed.
Confer With Opposing Counsel
Once litigation has begun, confer with opposing counsel to limit the extent of cloud preservation and production. If you discuss the discovery difficulties related to cloudstored data, you may be able to limit discovery requests to easily produced data rather than metadata and embedded data. This discussion may also demonstrate to the court reasonable efforts to satisfy foreign privacy laws while navigating discovery requirements.