This post explains five eDiscovery challenges that are specific to cloud-based email applications and discusses best practices for handling that data.
Cloud-based email was introduced to the market as an email solution for personal use. Internet search giants like Google, Microsoft and Yahoo, as well as, cable and broadband internet providers like Comcast and AT&T, have offered their customers free web-based email accounts for years.
Eventually, this technology began to take root in the business world. Email is so integral to business, and because the cloud is so cost-effective, it is no surprise. Technology service providers and their customers, who had become very comfortable using cloud platforms for their personal email, realized there are more economical ways to facilitate business email than the traditional, on premise email servers managed by a team of IT specialists.
Despite the many benefits of using cloud email, the sudden surge of ESI that has moved to the cloud has introduced new challenges for legal teams and corporations. Here is a list of five challenges that are unique to cloud-based email solutions:
1. Too Easy to Co-mingle Personal and Business Communications
Cloud email by its nature is easy to access and easy to use. Personal accounts are generally free and many people have at least one, if not multiple accounts. It is all too common for custodians to use their work email for personal use and their personal email for business use. Recent high profile revelations exemplify this notion.
The co-mingling of personal and business emails undoubtedly broadens the potential universe of discoverable ESI. It is important for counsel to understand this and take measures to ensure a proportionate discovery response. Thorough custodian interviews should be performed. Simply running through the questions on an interview template will not suffice. At this phase of discovery, it’s vital to identify all email accounts for each custodian (as well as other sources of potentially relevant data).
2. Fear of the Unknown Leads to Self-Collection and Defensibility Challenges
Custodians may be inclined to self-collect their ESI out of fear that their “personal” or “private” email data will be accessed by their employer, counsel, opposing counsel, or even a third-party service provider. What many custodians do not understand—and the attorney conducting the interview should relay— is that service providers are bound by confidentially, non-disclosure agreements and other restrictions as part of their engagement.
“…best practice dictates that ESI be collected in the state it exists with as little alteration or conversation as possible.”
These fears can also manifest in custodian self-collection efforts by which the custodian runs keyword searches in the cloud email account and copies or moves the responsive messages to a folder with a plan to produce only that folder. There is inherent risk in this methodology due to incomplete or overly narrow search parameters not vetted by counsel.
In addition, it is arguable that moving messages in this manner is not a defensible process as best practice dictates that ESI be collected in the state it exists with as little alteration or conversion as possible. Self-collection is easily challenged by opposing counsel and therefore more likely to occur; not only on the basis of personal bias (“unclean hands”), but also due to a lack of training and access to the proper tools for preservation. If the need arises to testify as to the process by which cloud email was collected, a trained, experienced ESI collection specialist is the best and most credible witness. What can a diligent outside counsel do if their client insists on performing its own search and collection? Go. Interview. Supervise.
3. Cloud Collections Are More Complicated than One May Expect
These disparate email systems also pose technical challenges when it comes to collection of ESI. After all, in the world of cloud email, one cannot simply walk up to the server, plug in a flash drive and collect mailboxes. Rather, one must first be able to connect to the remote mailbox in the cloud. In order to facilitate this connection, these systems operate by using different internet protocols (IMAP, SNMP, POP3, etc.), different server or host names and addresses, and port numbers. All of this needs to be known when attempting to attach to and collect from these mailboxes, in order to prevent delays in the discovery process.
Further complicating access are enhanced security measures that may be in place, such as two-step verification. In such a setup, an access of the mailbox requires not only the account password but also a second verification such as a unique PIN or code that is sent to the custodian’s mobile device. Attorneys must be aware of such conditions to ensure effective communication between them, their client, and the service providers involved. Experienced counsel know to adequately prepare for a collection by gathering all verification information from their client at the start of the collection process. They ensure the service provider has all required information upfront, preventing delays.
4. Synchronization Timing Must Be Handled with Care to Avoid Evidence Spoliation
Yet another challenge that arises from the ease of accessibility to a cloud email account is the accessibility by numerous devices to the same cloud email account. The potential devices include; smart phones, tablets, home computers and work computers.
One must consider a user’s synchronization practices of email messages across these disparate devices to ensure all potentially relevant email is collected. For example, unique messages may only reside on certain devices and not on others. A user with many devices may not perform regular synchronization of all his/her devices with a cloud email account, thus leaving the potential for one device to contain email that another device will not. Conversely, deleted messages may still be on an unsynchronized device while a recently synchronized device and the actual cloud email account possess less data.
As always, during a legal hold order it is imperative to be fully aware of all devices a custodian utilizes to access their cloud email account(s). Knowing about the various devices and a user’s synchronization practices should ensure all data is collected.
5. Corporate IT Departments Are No Longer Data-Omniscient
Finally, the fact that this cloud data resides outside of the corporate firewall make the creation and upkeep of an all-inclusive data map virtually impossible and increases the likelihood that potentially relevant email may be missed. Even if counsel conducts a thorough custodian interview, custodians may not remember all the email accounts they used. Corporate IT does not control the custodian’s personal email account and may not be able to access a corporate account without user intervention. This makes the preservation and collection process more involved and time-consuming.
With the surge of ESI to the cloud, there is an increasing amount of legal holds that require information from a cloud-based application. The duty to preserve and collect defensibly from the cloud is becoming an increasingly frequent challenge legal teams must face. Despite the many benefits of storing data in the cloud, the problems that arise can deter the timeliness of preparing for litigation and failing to collect ESI defensibly can result in spoliation of evidence. Understanding the possible challenges of cloud email ahead of time can help counsel prepare for potential legal holds effectively.