WHOSE DATA IS IT ANYWAY? MAKING SURE YOUR CLOUD STORAGE SERVICE IS LITIGATION READY
April 23, 2019
By: Evan R. Kime and Lauren E. Snyder
In a typical computer network diagram, when a network path leaves the physical premises and goes into the internet, the internet is depicted as a cloud. This is because it is impossible to map all data traffic that leaves a private network or computer to be handled by an internet service provider. Once that data is in the internet “cloud,” it has innumerable possible destinations and paths. For that reason, the term “cloud computing” or “the cloud” seems an especially fitting bit of techie jargon. Real clouds hover above us in the sky, just out of reach. They are opaque and just a bit mysterious, but we know they are benign and even useful. “The cloud,” into which we send so much of the important data we produce today, is a lot like those real clouds. Like an airplane that disappears into a real cloud, our data is absorbed into the nebulous internet cloud. Most likely, owners of the data do not know or need to know where the data goes – we know only the data can be retrieved when needed.
Organizations use the cloud for more than just data storage. “Cloud computing” involves distributed, on-demand, software, platform, and infrastructure services hosted by the cloud service provider. “Cloud storage” on the other hand is a model of data storage in which data lives in a different physical space, accessed via the internet, rather than on a local machine within the physical control of the organization. The data is stored on someone else’s computer. Microsoft OneDrive, Google Drive, and DropBox are popular examples of cloud storage. Using a cloud storage service can save money and improve efficiency within a company because it frees up data space on the company’s in-house hard drives. Perhaps most importantly, it allows that company to outsource the hassle of dealing with their own data. The data is out of sight and out of mind.
Or is it? What happens when the company becomes involved in litigation and needs to respond to discovery requests? Rule 34 of the Federal Rules of Civil Procedure requires that a party to litigation preserve and be able to produce electronically stored information that is in its “possession, custody or control.” This means that control, and not location, determines the discovery obligation.[1] So, who “controls” the data in a cloud storage model? In almost all cases, data sent to the cloud—on someone else’s computer— is still discoverable and under the company’s control. Thus, a company’s use of a cloud storage service to house company data does not materially affect its obligations under Rule 34 where the control, or legal right to obtain documents, rests with the company. Because the risk of litigation misconduct still lies with the party to the case, and not the cloud storage vendor, the terms of vendor service agreements are critically important.
It is imperative that companies make sure that the cloud service vendor has experience with e-discovery and handling large data requests. Service agreements should spell out responsibilities carefully and specify who controls the underlying data, the metadata, and the formulas by which the data can be searched and retrieved. A good cloud storage service agreement should also expressly contemplate respective duties and steps for sequestering, collecting, and searching data sought in litigation, or an e-discovery plan. If a cloud service provider has never considered an e-discovery plan, a company should take this as a sign to move on to another vendor. E-discovery plans with the cloud service provider should define data access protocols, address documentation for chain of custody, and lay out timelines for searching and producing data sought in litigation. Cloud service providers that do provide an e-discovery plan, and the tools that go with it, can be of tremendous benefit to the company when litigation strikes. Although cloud storage can post obstacles in e-discovery, when done right, a good vendor will fulfill the cloud storage goal of eliminating hassle, even in the litigation e-discovery context.
Authors: Evan R. Kime, Counsel, Commercial Litigation, Data Privacy and Security and Lauren Snyder
© April 2019 Jackson Kelly PLLC
[1] See, e.g., Matter of Marc Rich & Co., A.G., 707 F.2d 663, 667 (2d Cir. 1983) (production of documents located abroad ordered because “[t]he test for the production of documents is control, not location.”) (emphasis added).