eDiscovery and The Cloud: Things to Focus On

Information governance policies cover procedures used for classifying, retaining, and collecting data. As per the Federal Rules of Civil Procedure (FRCP), a party to litigation is expected to preserve and be able to produce electronically-stored information that is “in its possession, custody or control.” With cloud computing, you will be able to add an additional layer to the process involved in preserving, collecting, and producing ESI. 

Your IT team and compliance officers must work together to ensure that all the procedures, policies, and technologies in place safeguard any privileged or confidential information. You must formulate a plan that outlines the policies to preserve ESI, especially when legal holds are issued during eDiscovery. All the data pertaining to the litigation, investigation, inquiry, or dispute must be protected. 

It is important to note that procedures you must comply with might vary per the industry requirements, for example, PCI-DSS (Payment Card Industry Data Security Standard), HIPAA (Health Insurance Portability and Accountability Act), and Sarbanes-Oxley. 

In order to manage the costs associated with achieving compliance measures, it is imperative to develop sound information governance policies, user education, and other key measures. It will allow your law firm as well as your clients to respond to eDiscovery requests effectively.

Instances of online security breaches have become a common occurrence. And even though security is considered to be a key barrier to cloud computing adoption, not many leaders recognize cloud security and eDiscovery as one of their responsibilities. It is crucial to bridge this gap through a robust security program. It will include data encryption, firewall, access controls, intrusion detection, perimeter scanning, and more. In order to facilitate this, you must limit access permissions to users and systems involved in the production, processing, review, and hosting of the data. This restriction of access extends to eDiscovery specialists, litigation support, paralegals, and system or database administrators.

The location of stored data significantly impacts the eDiscovery process. While you evaluate different cloud providers, you must consider the physical location of the data. You have to figure out whether the cloud involves shared pools of storage capacity or dedicated storage area networks. Private cloud storage is usually dispersed throughout the world in different geographical locations. So, in order to manage their internal capacity, the data-hosting provider might shift your data to anywhere in the world. 

This might be advantageous for capacity management but also exposes you to liability because you won’t know about the unknown data copies. It compromises your ability and your client’s ability to respond to eDiscovery requests, adhere to data security laws and produce ESI.

After addressing the data storage and security issues, you should focus on data integrity, which involves identifying, preserving, collecting, and destructing the data. The first thing you have to focus on is the electronically stored information (ESI) source. 

It’s important to note that ESI isn’t just some e-files stored on your servers. It can also refer to cloud emails, cloud data storage, social media, SaaS applications, personal devices, and any system that the cloud provider hosts. Now, this adds another level of complexity and technology hurdles. Data sources like online messaging or extensible mark-up language (XML) based documents are in a dynamic state and change via continuous user interaction. This presents quite a challenge as your client might have to testify defensibly that the data and metadata weren’t subjected to spoliation at any given point in time. Spoliation here refers to the failure to preserve evidence or its willful destruction. 

You or your clients might also have to assure the data integrity of their cloud-based data sources. All the evidence must be kept intact, including the emails, files, and underlying metadata. With a cloud based eDiscovery software such as Casepoint, you can collaborate safely and reduce data transfers. You will be able to preserve data to avoid spoliation and not be liable.

In order to transfer data from its collection point to the stage where it is used for eDiscovery review, it’s crucial that data and metadata remain intact. In typical eDiscovery data loads, load files containing “tagging” information and metadata are used. Tagging information is the field value coded to provide categorization and additional context. However, technical issues in the cloud, such as security breaches, DNS incidents, or security failures, won’t give you a free pass when opposing counsel or regulatory bodies request data production in accordance with the guidelines. When looking for a cloud provider, make sure that it protects privileged information proactively. A single preventative step that you take today can protect your client in the future.

This is another crucial factor to consider. When taking a look at the written contract with the cloud service provider, make sure that it contains provisions protecting you and your clients in key areas—data integrity, security, business continuity, and data integration. 

Just like it is with any legal contract, you must review the language as thoroughly as you can. Don’t forget to take a look at the “fine print”, as it can surprise legal and IT professionals as well. Make sure that your cloud service provider has communicated everything in clear and concise terms, especially what will happen in the event of a data-loss incident or security or contact breach. It should provide assistance and a system to transfer and extract the information in a format that can be used for the eDiscovery process.

 Another area to focus on is business continuity, which includes getting back online and getting the data back after a security breach. You should also take a look at the Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO refers to the time taken to restore the operations after an outage, while RPO refers to the time taken to address the data loss or restore the client data. Your legal and IT team must work together to create a contingency plan in case there is a prolonged service disruption.