Social media represents one of the biggest challenges. Sites like Facebook, LinkedIn, and Twitter rely on standard terms of service contracts with users, including companies that use the services for marketing and connecting with customers. But what if a company needs to discover what a former employee posted on Facebook? Since it is the former employee's account, the company has no rights to access that information.
That means companies have to consider constantly collecting the content of all employees' posts as a safeguard. Certain regulated companies in financial services -- such as broker/dealers -- already do this, notes Murphy.
Companies that don't may find the going tough should they need to retrieve social data. Although social media companies say that anyone can write to their open APIs to get the data they need, "accessibility changes on a regular basis as the APIs of the vendors change," Murphy points out.
In addition, how long would it take to download all the data? Murphy points out that most sites "throttle their APIs," which could slow downloads or search results. Some e-discovery service providers, he notes, have started to target this problem. "They pay a lot of money to be in these API programs," he says. "They are essentially buying less throttling."
Know your data's location
Whatever type of cloud you're dealing with, it's important to know exactly where your data resides. In some cases, a cloud vendor may be storing it in a data center in a different country, where different data privacy and e-discovery rules apply.
And even if you've contracted with one cloud provider, do you know whether that company is using subcontractors? That's frequently the case, says Kunick. "It's more than likely that your data will reside in several locations." Even if you have an iron-clad contract with your cloud provider, can that provider get at the data in a prompt and defensible way from its subcontractors?
Before there was a cloud, companies would contract with large managed service providers and would spell out most of these provisions in long, detailed contracts, Kunick says. But most cloud provider contracts don't cover such details. "With cloud service providers, the contracts are seldom longer than 10 pages."
Beware renegade business units
Even if contracts cover every detail, shadow IT activities within corporations can be the source of other e-discovery problems. Charles Skamser, president and CEO of consulting firm eDiscovery Solutions Group, spent the last several months interviewing some 60 cloud service providers. Most told him that their clients are not asking about e-discovery. In fact, "some of the [cloud service providers] even said, 'What's e-discovery?'" says Skamser.
More telling, perhaps, Skamser's research indicates that a high percentage of the client base of these providers are "renegade business units" of large corporations seeking to do an end-run around what they perceive as unresponsive internal IT organizations.
This could be a recipe for disaster. When a large corporation is sued and presented with an e-discovery request, the general counsel would likely go to the IT department and ask for help. The general counsel may not ask a particular business unit manager, and even if they do, the manager won't know how to comply and probably has no e-discovery provisions in his contract with the cloud vendor, Skamser explains.
Develop a comprehensive plan
The most important thing is for a corporation to have a comprehensive information governance and discovery plan that covers all sources of data, including the cloud, says Murphy.