Discovering Cloud Data in Litigation

Posted: April 17, 2014

Your litigation in 2014 will involve requests for production of electronically stored information (“ESI”), and there is a good chance that some of that information is stored somewhere in “the cloud.” ESI stored in the cloud has unique challenges and opportunities. Determining what relevant, discoverable ESI resides in the cloud; assessing whether it is, or should be, within the scope of your discovery plan; and executing a process for preserving, collecting, and producing it all require an understanding of the legal and practical issues impacting cloud storage. Here are a few key considerations to help you navigate the process.

“The Cloud”

First, the term “cloud,” as it relates to computing, is used in a variety of ways by various people, depending on context. What we are referring to here is electronic information and computer services that are provided on computer systems that are kept in a separate physical location from the consumer/user/data controller-processor or owner, and accessed using the Internet, wide area networks (WAN), or secure point-to-point (P2P) connections. Moving data to the cloud can be cheaper, safer, and more efficient than storing it locally. Many new applications and software suites depend on the cloud for survival.

While the benefits are innumerable, using cloud services means a third-party vendor may play a role in the discovery process. Cloud providers run the gamut from small start-ups to some of the largest and most well-established names in computing. Accordingly, cloud computing providers’ ability and willingness to participate in their customers’ lawsuits can vary greatly. As with all sources of ESI, applying resources and effort toward obtaining the data must be weighed against the substantive benefits of the information contained in the cloud source.

So what is it about ESI stored in the cloud that is so different from non-cloud ESI? The scope of discoverable electronically stored information is not limited, under discovery rules, to data stored in any particular location or format. The key considerations are whether the data is relevant, who has control and access to the data, and whether the burden and expense associated with producing the data outweigh the benefits of producing it.

Requesting Cloud Data From End Users

In the vast majority of cases, cloud data that is accessible by the end-user will meet discovery needs and obligations. Indeed, most data is available to the customer through regular application interfaces provided by the normal functionality of the cloud service. After all, the end-user is using the data in the normal course, and they would not have accepted the service if needed information was not accessible.

The most efficient process to obtain the opposing party’s cloud data in discovery is to request the data directly from them. This approach is advantageous because the court where the case is pending already has jurisdiction over the parties, and discovery disputes can be resolved directly and efficiently by that court. You should be proactive and discuss the method by which the other party should preserve, collect, and produce its cloud data early in the case. In particular, specifying the exact metadata to be produced can help both sophisticated and unsophisticated responding parties determine what collection methods are required.

Requesting Cloud Data from Cloud Service Providers

In certain cases, data that is uniquely accessible to the cloud provider may become relevant. This data is more difficult to obtain and adds legal and technical issues to the mix. More advanced information such as the specific functionality settings on the email account, when the user last logged in to check or send an email, location data, and certain message header and IP address information may not be available to the end-user for preservation, download, collection, or production in litigation. Deleted data is also often unlikely to be available to the end-user.

To request data that is uniquely in the possession of a cloud provider, a party likely will need to serve a Rule 45 subpoena on the cloud service provider directing the provider to appear and produce the designated data. Serving a subpoena and ensuring compliance can be challenging and potentially expensive. Whether such efforts are worth the expense and effort will depend on the specific needs of each case. Cloud providers are likely to resist compliance with a subpoena under provisions of Title II of the Electronic Communications Privacy Act, otherwise known as the Stored Communications Act (“SCA”). At its core, the SCA prohibits certain communication and computing service providers from disclosing the content of stored electronic communications to anyone but the owner of the communication. Where it applies, the SCA prohibits the disclosure of communication content, even where that disclosure is requested through a valid and enforceable subpoena. The SCA can be a very important shield for cloud-computing providers when faced with a non-party subpoena for documents. Alternatively, the requesting party can seek to have the owner of the data provide written permission for the disclosure of the requested data, either voluntarily or through court intervention.

The SCA is just one example of the obstacles that a party requesting cloud data directly from a cloud provider can face. Right now, there is very little law specifically addressing when and how a requesting party should or can seek a court order directing a cloud provider to produce requested data. Stay tuned – this is a fight that will happen over and over again, and there will be more guidance provided by the courts in the coming years.

Final Thoughts

A few important steps can help limit the challenges to discovering data from the cloud in litigation.

First, be proactive. The parties to the litigation should discuss, at an early stage, what data may be stored in the cloud, difficulties that may be encountered when trying to collect that data, and reasonable accommodations to deal with that data.

Second, know the law. Discovery is rapidly evolving, and rules that were originally crafted to deal with paper documents are now being interpreted to apply to digital data stored in the cloud. Courts and legislatures are continually refining and re-defining litigants’ and non-parties’ obligations in ways that impact cloud ESI.

Third, enlist technical expertise. Savvy eDiscovery providers understand the complexities involved in the discovery of cloud data and can help litigants and their counsel navigate this complex area. It is easier (and usually cheaper) to hire someone to help with cloud data at the outset of litigation than it is to try to undo the mistakes of a novice in the context of a contentious discovery battle.

Cloud computing is a boon for individuals and businesses. It allows users to leverage technological assets in ways that were inconceivable just a few years ago. But cloud computing also presents considerable challenges when a user is involved in litigation. Because cloud computing is still relatively new, at least in terms of the evolution of common law, courts are still grappling with rights and obligations associated with cloud data. Take heed – properly dealing with cloud data requires careful planning, constant review of governing law, and technical expertise.

For more information, please contact Alison Grounds.