This article was originally published on InsideCounsel.com.
Cloud computing continues to grow at a mind numbing pace. The growth is primarily driven by the significant cost-savings made possible by outsourcing computer resources to a third party for a fraction of the cost. Organizations of all sizes, from small start-ups to multinational companies, have moved some aspect of their business to the cloud. The cost savings are just too compelling. Early security concerns are allayed by multiple encryption layers, which often makes data in the cloud more secure than in-house. Cloud applications include Microsoft Office 365, Gmail, Google Docs, SharePoint, Facebook, Twitter and LinkedIn just to name a few. The transfer of the physical data, normally stored in-house, to third party’s resources is common among all cloud applications. Users of the cloud remotely log into the cloud provider’s servers to access, change, and manipulate data. Current generation systems enable users to access cloud resources as they log into their workstation while never being aware that they are working in the cloud! The cloud isn’t clearing soon; it is here to stay.
Learn how to successfully navigate the cloud and defensibly identify, preserve and collect ESI from the panelists featured in this recorded webinar.
The surge of cloud-based technology has transformed where potentially responsive ESI (electronically stored information) is stored. It has made conventional workflows to identify, preserve and collect ESI obsolete. When a legal hold is issued, regardless of whether a policy exists, the duty to preserve both on premise and cloud-based ESI persists. Consider the following opinion from Brown v. Tellermate Holdings, Ltd., (S.D. Ohio July 1, 2014)
“While the preservation, review, and production of ESI often involves procedures and techniques which do not have direct parallels to discovery involving paper documents, the underlying principles governing discovery do not change just because ESI is involved. Counsel still have a duty (perhaps even a heightened duty) to cooperate in the discovery process; to be transparent about what information exists, how it is maintained, and whether and how it can be retrieved; and, above all, to exercise sufficient diligence (even when venturing into unfamiliar territory like cloud based ESI) to ensure that all representations made to opposing parties and to the Court are truthful and are based upon a reasonable investigation of the facts.”
This is the first of a three-part series where we will explore best practices in working with ESI stored in the cloud. This article will focus on tips and best practices for identifying cloud based ESI. The second article will focus on legal holds in the cloud and the third will recommend best practices for cloud based collection.
Best Practices for Identifying ESI stored in the cloud
Technically speaking, data stored in the cloud isn’t different than data stored within the confines of an organization; it’s still data, but it has a lot more places to live. Just like finding the right house is all about “location, location, location”, finding data in the cloud is all about “interview, interview, interview.”
It starts with IT. Corporations use cloud-based applications for everything from collaboration, disaster recover, instant messaging, e-mailing, accounting, document storage such as SharePoint, and Office applications such as Microsoft Office 365.The IT department is your best bet for determining which business processes have been outsourced to the cloud. Your first step should be to obtain a list of company sanctioned cloud-based applications utilized by employees. In most organizations the IT department will maintain such a list along with the business use, while others may not be as organized. Organized or not, the IT personnel usually know of all the applications used by employees, whether they are sanctioned applications or not. Be prepared to explain the types of data you are looking for and more importantly why.
Just like finding the right house is all about “location, location, location”, finding data in the cloud is all about “interview, interview, interview.”
Be open and fully include the IT department in the process. The resulting benefit of openness about the process is that it will help you and the interviewees think outside the box. For example, you may share that you are interested in chat messages and during the course of the interview you find that the company uses salesforce.com as its CRM tool. If the interviewee didn’t know that you were interested in chat messages they may not mention that the company utilizes Chatter within Salesforce, an add-on that allows employees to instant message. You may not also learn that the IT department is aware of many employees using Facebook, a non-sanctioned application, to communicate with one another about business dealings.
Next, go to the end user employees. Once the list of sanctioned applications has been provided it is time to trust, but verify. We have been involved in countless interviews with IT managers who vehemently state that no one uses cloud-based file sharing utilities as they are not allowed and that their use would violate multiple security policies. We then interview the first employee who proceeds to tell us that due to the company’s draconian security policies everyone uses a browser-based file sharing application “FILE-SWAP,” to transfer files to their home computers. We have now just added another cloud-based computing application to the list!
The above scenario highlights the importance of the interview process. Once again, be open and transparent; clearly explain the litigation and issues at hand. Employees will arguably be the best resources for identifying and producing responsive material from cloud-based sources.
You should always document the interview and dig for detailed answers. Add to the list!
Ask the employee how they collaborate with their fellow employees each day and if they are using cloud-based applications, sanctioned or not. Do they use any chat programs or social media sites for work purposes? Emphasize the interview is about finding relevant data and not doling out punishment for using Facebook to talk about work projects.
Inquire about file storage and backup outside the approved protocols. Perhaps the employee is using dropbox.com as their backup solution because they find it easier to work with the official corporate solution. Find out which storage applications are being used and add them to the list!
If the interviewee states that they use Evernote to take project notes, ask for specifics. Do they also use the Evernote mobile application? Do they use Evernote to store files or voice recordings?
In our experience, interviews are best done in person. However, if this is not possible then utilize technology. We have conducted many interviews with multiple parties in disparate locations using Web-meeting technology. Don’t rely solely on email interviews, nothing beats face-to-face, even if it is over the Internet!
Interviewing and documenting is the best way to avoid finding yourself in stormy weather with cloud-based e-discovery identification. Next up in the forecast, Litigation Hold in the Cloud.