The Cloud Vis-à-Vis Disclosure

By Punam Tiwari

We may not realize we’re doing so, but we all use the “cloud”. E-mail services, such as Hotmail, are cloud-based, as is the data storage tool Dropbox. Corporates in a variety of industries are adopting cloud-based software and data storage, for example Salesforce, for both mainstream and specialist applications. In addition, law firm applications are increasingly moving toward the cloud with case management tools being used more frequently. I spoke to a former colleague of mine recently who told me that all of her hardcopy files are in the process of being dispensed with and stored on an electronic case management system. Times are changing!

An important aspect of using the cloud that is frequently overlooked, often until it is too late, is what happens in the event of an eDisclosure exercise during litigation or an information request from a regulator. Whether data is on a corporate’s own servers, or in the cloud, the obligation to comply with the demands of the court or regulator remains the same. However, the difficulties faced in doing so can be very different. I am not arguing against storing data in the cloud. Far from it – the cloud offers technical and cost-effective advantages over traditional forms of data storage. I am simply highlighting the concerns that I have, while hopefully providing IT practitioners with what I feel are some useful tips on how to store in the cloud sensibly.

As corporates become increasingly global, the distinction between where a user sits and where that user’s data is kept is becoming blurred. For example, emails for an employee in one country may be stored on a server located in another jurisdiction. Working out which jurisdiction the data is stored in can have significant implications for a corporate’s obligations to comply with their users’ data privacy rights. It is important when planning to use a third-party service provider to ensure that there is clarity on where data will be stored and that the jurisdiction in which it will reside has a legal and regulatory framework that provides the same degree of protection as that afforded to individuals in the jurisdiction from which the data originates. So know your jurisdictions and the legislative obligations that they afford.

A key part of being ready for any litigation or disclosure request is “data mapping”. To us lawyers, this means, quite simply, knowing where your data is! This task is far more difficult when that data is stored in the cloud because it might be spread over many servers all over the world. While distributing data in this way has its positive aspects (speed), it can present a number of challenges for eDisclosure.

Locating data and bringing it together within the timescales imposed by the court or by a regulator is always incredibly challenging, even without the challenges imposed by the cloud. Sometimes, a litigator finds themselves having to deal with difficult witnesses who have reams of data, the existence of which they have forgotten. Specifically, if a cloud service provider is in a jurisdiction that does not recognize the authority of a court or regulator that is ordering the disclosure exercise, it may not feel obliged to assist at all, and that coupled with a witness’ own difficulties may mean that significant costs are incurred.

The key challenges with cloud-based data have been confirmed to be “access and control”. Access to data is very much in the hands of the service provider and the speed at which a corporate can get control of its own cloud-based data is very much dependent on the efficiency of the provider’s systems and staff.

 

Actually obtaining cloud data can also be greatly limited by the interface made available by the cloud provider. It may only be possible to access data via a web browser and even if the service provides direct access to the data there may be additional fees charged for doing so. For eDisclosure purposes, this can be particularly frustrating as corporates will usually need to access large quantities of data very quickly and will need it in a standardized format that can be prepared for disclosure. If you are preparing seven bundles of documentation for a court case, the last thing you want to have to deal with is formatting issues.

 

Processes through which data is obtained for eDisclosure purposes may also differ to those that are usually followed for handling the data on a day-to-day basis. Corporates should ensure that their cloud providers are prepared and practiced in applying those procedures, and when carrying out due diligence of a cloud-based service provider this is the first question corporates should ask. It is also important for corporates to produce an audit trail of where their data was stored and how it was obtained, as it may be necessary to demonstrate that the process was methodical and comprehensive if challenged in court or by a regulator.

Another due diligence question that corporates should ask is what happens to data when it is uploaded to the cloud? Some cloud providers apparently convert a corporate’s data into a format that best suits their systems or reduces its storage footprint. In the context of disclosure, information might be lost through this process and that information might be critical to the piece of litigation that the corporate is dealing with.

As mentioned at the outset of this post, my own view is that there are commercial benefits to using cloud-based services. With an increasingly mobile workforce, with employees working within customer offices or from home, without coming into the corporate’s office, there is a pressing need for fast access to data, tools and software. Cloud-based solutions are an effective way of providing that and, typically, offer a far greater degree of flexibility than can be achieved with the more traditional clunky forms of remote access to corporate networks.

 

The move toward the cloud is still fairly new. Many of the potential pitfalls of eDisclosure in the cloud have yet to be tested through case law and there is very little guidance from judicial decisions relating to the disclosure of cloud-based data. However, with the increasing adoption of cloud services, working practices will be developed and policies and procedures will be refined. For now, corporates should create processes internally and in partnership with their cloud providers, to better prepare them for eDisclosure requests. Corporates should get to know their cloud providers and have a strong understanding of their own processes and procedures.

Corporates should address potential issues with a cloud provider at the beginning of a relationship rather than during a piece of litigation, which often proves cumbersome and far from cost effective.

 

Some of the key questions that corporates could ask include, but are not limited to, the following:

  • Where will you keep my company's data?
  • How will you store it and manage it?
  • How will I access the data?
  • What tools do you have to enable me to access our data in an eDisclosure situation?
  • How quickly can you let me have access to our data?
  • Which jurisdictions will the data be kept in and where is the documentation confirming this?
  • What do the laws in those countries say about data protection?
  • How is the data formatted when uploaded and will I be able to retrieve our documents in their native formats?
  • Will our data be permanently deleted when it is no longer required?
  • Is my company's service provider going to use my company's data for any other purposes?
  • Who is the data controller of my company's data?

To conclude, the benefits of an effective cloud-based solution include flexibility of access, and the cloud is better suited to supporting a mobile workplace. The cost and efficiency advantages of the cloud are such that the scale and diversity of its use will only grow in future years. In spite of these commercial advantages, corporates should remember that the cloud industry is still young and that risks can arise in abundance unless a clear and concise relationship with the provider is created from the outset.

Punam Tiwari is IRM’s Legal Counsel. She is an eight-year qualified lawyer and focuses primarily on commercial practice areas. Having worked previously in private practice, Tiwari now specializes in technology and commercial law, and helps many of IRM’s clients manage their risks from a legal standpoint by presenting interactive seminars, running an ‘Information Security and the Law’ training course and reviewing key information security contracts.
