The plan needs to provide not only for how to conduct e-discovery on data stored in the cloud, but also how to review that data alongside data residing elsewhere. "People will store information in all sorts of places," he notes. "You need to apply the same discipline on all data sources."
It's not too late to prepare for e-discovery on cloud-based data, says Murphy. "Best practices are just beginning to emerge, and the good news is that companies have the opportunity to get ahead of the curve," he wrote in a recent report.
"The key is to treat cloud-based sources of data like any other data source," Murphy concludes. "Include it in data maps, have a plan for collecting and preserving it, know how to manage the chain of custody, and understand when to dispose of the data so that it poses no e-discovery risk."
Questions to ask your cloud vendor
The key to setting successful e-discovery policies for cloud computing is knowing exactly what your cloud vendor will and will not do in the event of e-discovery. More than 70 percent of the respondents to eDJ Group's survey did not know their cloud vendor's policy in terms of responding to e-discovery needs.
Here are some questions that analysts recommend asking:
- How would information be placed on legal hold?
- How can the information be accessed by various parties?
- How would the e-discovery functions of review and analysis be executed? Can you look at the data without having to download it?
- What are the vendor's systems, data and backup procedures? Can it ensure that information is protected and redundant?
- Exactly how is information stored? Is tenancy shared or do you get your own dedicated storage?
- Where is the physical location of the stored data? Different countries have different regulations and law regarding data privacy and e-discovery.
- Who bears the responsibility and cost of information collection and preservation? Who would be held liable for a failure to collect and preserve the information?
- Will the cloud vendor agree to identify an employee to testify regarding preservation and collection? "Doing so goes a long way toward successfully managing the chain of custody of information," writes eDJ co-founder Barry Murphy.
- Exactly how can the data be searched and collected or locked down? Some cloud vendors may not have the tools to do this.
- How long would a large collection of data take? In what format would the cloud provider deliver the data? Unless these details are pinned down, your legal counsel might promise an unrealistic deadline for delivering data or, worse yet, not be able to meet the court's deadline.
- How will you get the information back if the vendor goes out of business?
- How long will the vendor retain your data? If the vendor discards it too soon, then it can "look to the plaintiff as if the defendant has found a way to shred their documents," says Much Shelist P.C. principal James Kunick.
Frequent Computerworld contributor Tam Harbert is a Washington, D.C.-based writer specializing in technology, business and public policy.
Read more about Cloud Computing in Computerworld's Cloud Computing Topic Center.