By guest author Mark Yacano
[We first covered the legal industry’s use of the cloud in an interview with Michael Aginsky of Gibbons P.C. Today, guest author Mark Yacano of Hudson Legal offers some practical advice on what CIOs, CTOs, and other technical staff at law firms and companies in the legal field can do to help protect their data and what they should consider when evaluating cloud vendors.]
While companies moving to the cloud often focus on cost and convenience, many have overlooked an area that may leave them exposed to major legal risks: ensuring their ability to preserve and retrieve documents when a litigation hold has been issued and the duty to preserve potentially relevant documents has been triggered. Whether company data is used or stored on internal systems or those owned by cloud providers, businesses can expect courts and regulators to hold them responsible for preserving and producing documents to meet their discovery and compliance obligations.
The cost of failure would likely be high. In a number of cases, litigants’ failure to preserve or produce potentially relevant information in their possession, custody, or control has resulted in a variety of sanctions.
These legal risks should be a high priority as the cloud is quickly shaping up as the default location for both active and archived data. Gartner Inc. predicts the worldwide market for cloud services will reach $149 billion by 2014.
However, the data are on shaky ground. “Various cloud architectures lack formal technical standards governing how data are stored and manipulated in cloud environments,” according to a September 2010 bulletin from National Archivist David Ferriero. “This threatens the long-term trustworthiness and sustainability of the data.”
By following a few key guidelines, companies can go a long way to addressing the shortcomings in cloud-based records. Companies that act now will be positioned to reap the cost benefits of moving to the cloud while still protecting their data – and thus their organizations.
Understand Your Company’s Record Retention Policy. The requirements governing documents can vary widely by industry and even among companies within an industry. Your cloud storage or hosting contract should include retention and retrieval provisions that match your internal records management guidelines. Similarly, your agreement needs to ensure that records are maintained in accordance with any regulatory requirements that govern your industry. For example, firms that perform work on public construction projects must generally keep records for a period of 10 years after completion of the project.
Legal requirements also frequently differ by jurisdiction. Some nations have privacy laws that restrict what data can leave their borders, so the physical location of a cloud provider’s server can be an issue.
If You Don’t Have a Policy, Develop One. While most large companies have formal record management policies, some do not. Except for perhaps the smallest firms, moving to the cloud makes it more important than ever to formalize a records management policy.
Assess Cloud Providers’ Record Retention Policies, Practices and Capabilities. Just as with security, reliability and support, cloud providers range widely in terms of data retention policies, practices and capabilities. These factors can affect a company’s ability to obtain its relevant data at all or to do so in a cost-effective and timely manner.
Some considerations when evaluating possible providers:
Make Record Retention Consistent. Data residing in the cloud must be kept in a manner consistent with the company’s records retention policy, and the way to ensure that is to write the custom policy into the cloud contract. Just as with the company’s policy, the contract needs to explicitly cover both data subject to litigation hold orders and other required retention obligations.
Data not subject to hold orders, for example, should not be kept longer than the company’s record retention policy dictates. Otherwise, the company could be forced into the costly production of information that should have been purged well before a duty to preserve that information was triggered.
The contract also needs to include protocols for preserving and retrieving data. The protocols should incorporate a mechanism for overriding both the corporate and the provider’s retention policies when a duty to preserve, triggered by a lawsuit, regulatory investigation or other legal matter, arises. Companies will be required to explain those protocols in state and federal discovery conferences.
Ensure You Own the Data. As with real estate, a company needs to have clear title to its data. Companies must make that ownership explicit in the cloud contract so no issue arises if the provider should be acquired or become insolvent.
Keep Your Data Separate. It’s harder to have a customized retention policy if the company’s archived data on tapes or other media are co-mingled with other firms’ data. Co-mingled data could adversely affect a cloud provider’s ability—and thus your company’s ability—to make sure appropriate data are preserved and protected from inadvertent destruction. It also could interfere with indexing and retrieving data quickly and efficiently when the need arises. Sometimes, companies must access relevant data within a matter of just a few days to meet electronic discovery deadlines.
Keep Your Data Safe. Data centers should meet tough security standards to mitigate the likelihood that hackers and other intruders will compromise the data stored at that location. Data should be backed up in real time, and the data center should have backup generators that keep systems operating in the event of a power outage and a “hot spare” in a different geographic location.
Legal risks, as long as they are managed appropriately, should not deter companies from pursuing the advantages of cloud computing. But companies do need to make sure they address the legal risks along with service levels and other important issues as they make decisions about which cloud providers to work with and how to structure cloud contracts.