The cloud has made it easier than ever to store and share information. So it’s no wonder that the vast majority of organizations are using cloud-based applications, such as Office 365, Dropbox, and Box, among many others, for their business data. But chances are, they’ve given little, if any thought, to how they’re going to get that data back out for eDiscovery.
Here are just two of the challenges you’re likely to face if you take advantage of the convenience of the cloud for storage, as well as our suggestions for handling them.
Where is your data being stored?
If you live in Nebraska and use a cloud application, it doesn’t mean that your data is assigned to a specific Nebraska-only cloud. Rather, your data might be in one location in Italy, or it might be dispersed across many countries—and keep in mind that your cloud provider may subcontract out your data, further extending your data circumference. If you’ve got data in the European Union or Asia-Pacific, there are a host of data privacy and cybersecurity laws that may affect your data—particularly if it includes personally identifiable information—not least among them the General Data Protection Regulation (GDPR).
Before signing up for a new cloud service, figure out where your data will be stored and the types of data you plan to store in the cloud, and ensure you aren’t triggering any international laws that may cost you a pretty penny in civil or criminal fines.
How hard is it to put data on legal hold and export your data?
The more data you store in the cloud, the happier your cloud providers are. Therefore, they probably aren’t going to make it easy for you to preserve or export your data—after all, eDiscovery is your problem, not theirs.
So, before you upload even a byte of information, check with the provider to determine whether it uses subcontractors and what the protocols are for extracting information from the provider and any other related companies. Make sure you have spelled out the details in your service-level agreement.
Next steps for building a defensible cloud collection process
Before you migrate any data to the cloud, create a plan to obtain that data—well in advance of any discovery request—so you won’t be left scrambling to pick up the pieces if you receive a surprise request for production. Your plan should ensure that you have taken the requisite steps to protect the integrity of the file itself as well as its metadata. To establish the defensibility of your process for the court, you should be able to create an audit trail of who touched every file and when, so you can document a chain of custody. Keep in mind that although Office 365 offers some data collection tools, they’re ill-suited for large data sets; you’ll need to discuss a better, more defensible toolset and workflow with your eDiscovery provider.
Given the ease and ubiquity of the cloud, it’s all too easy to leap before you look. But it’s essential to keep the potential pitfalls of cloud-based discovery in mind before you do. By taking preparatory steps when you’re considering a cloud solution, you can ensure that you aren’t scrambling for a solution or putting your organization at risk of discovery sanctions.
To learn more about the discovery burdens of cloud-based eDiscovery, please get in touch.