Legal Implications of Cloud Computing -- Part Four (E-Discovery and Digital Evidence)
Back by popular demand, this is Part Four in our ongoing series, Legal Implications of Cloud Computing. This installment will focus on digital evidence and e-discovery, and follows up on Part One (the Basics), Part Two (Privacy), and Part Three (Relationships). After all, what better topic than the cloud to tackle on the day after Thanksgiving, recovering from tryptophan and wine? As with many other areas previously discussed in this series, the cloud does not necessarily change the legal analysis, it just highlights the need to think through and anticipate the many areas of legal concern that could/are likely to arise when using the cloud. As a litigator, when I think about the challenges posed by the cloud, the one that seems most intuitive is e-discovery/digital evidence. It is always difficult to fully appreciate and digest the scope and volume of information that may be called for in litigation or in an investigation. The presence of corporate data in the cloud multiplies those considerations.
Some, but by no means all, of the digital evidence issues that should be considered in negotiating cloud arrangements and contracts (whether you are putting data in the cloud or designing and marketing a cloud offering), are as follows:
- preservation/retention/disposal;
- control/access/collection;
- metadata;
- admissibility; and, cutting across all of the foregoing
- cost.
As I will discuss below, like other forms of electronically stored information (ESI), one of the best ways for addressing data in the cloud in the discovery and evidentiary context is to plan ahead and discuss treatment of cloud data (a) in records retention policies well in advance of litigation; and (b) at the Rule 26 conference once litigation has commenced. And, if you read to the end, I will comment on the paucity of case law referencing the cloud (and describe the few references that have appeared in federal and state case law to date).
1. Preservation/Retention/Disposal
Organizations often have records retention policies and procedures in place to promote accessibility of information, protect sensitive information, and reduce the costs associated with storage of data that no longer serves any business or legal purpose. Those policies and procedures often call for the routine elimination of electronic information when it has outlived its business purpose and is no longer required to be retained for any legal reason. Numerous statutes and regulations, federal and state, including but not limited to tax, securities, SOX, and employment regulations, mandate that different categories of documents be maintained for certain periods of time. Making matters more complicated, numerous additional regulations require that information that is no longer needed for a business or legal purpose be destroyed such that it cannot be read or reconstructed (see, e.g., the FACTA data disposal rule).
Organizational records retention policies and procedures also address the need to suspend routine disposal and recycling of information in the event of a litigation hold requiring the ongoing preservation of certain categories of data that may be relevant to current or future litigation. These litigation holds are put in place pursuant to an organization's duty (not created by, but conveniently restated in, Zubulake IV, Zubulake v. UBS Warburg LLC, 220 F.R.D. 212 (S.D.N.Y. 2003)) to preserve relevant evidence if they are sued or reasonably anticipate litigation or an investigation. “The obligation to preserve evidence arises when the party has notice that the evidence is relevant to litigation or when a party should have known that the evidence may be relevant to future litigation.” Zubulake IV, 220 F.R.D. at 216.
Needless to say, data preservation, retention, and disposal obligations extend to data in the cloud. Data in the cloud is just one more category of discoverable ESI. One of the unique attributes of the cloud is the ability to quickly and inexpensively replicate data for backup and disaster recovery purposes. Cloud users may not even realize how many copies of their data exist in a cloud environment (or where, but we discussed that in Part Two).
Cloud users should incorporate such cloud data into records retention policies, data maps, litigation holds, and disposal procedures. Further, in the event of a litigation hold, a cloud user may need to take special steps to ensure that data in the cloud, which may be continuously replicated and/or overwritten, is preserved in a forensically sound manner. If data is already subject to a litigation hold, potential users of the cloud should evaluate whether such data should be placed in the cloud in the first instance.
2. Control/Access/Collection
Under Rule 34 of the Federal Rules of Civil Procedure, a party may serve on any other party a request within the scope of Rule 26(b): (1) to produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party's possession, custody, or control. Who has control of data in the cloud? Well, the data owner. Ordinarily, that will be the organization that is putting data in the cloud, not the cloud provider. However, both users and providers of cloud services should carefully review and negotiate the terms of service level agreements to specify who technically owns the data in the cloud.
Service level agreements should also address how the cloud user and cloud provider will cooperate in responding to party or non-party discovery requests. The agreement should address the following questions, among others: In the event of a Rule 34 request to the cloud user, how will the cloud user access the data in the cloud? Rule 34(b)(2)(A) provides 30 days to respond in writing to a document request. How quickly will the cloud user be able to access the data in order to review it for discovery purposes? In the event of a subpoena to a non-party cloud provider, how will the cloud provider respond? Will the cloud provider notify the cloud user, and how quickly? Will the cloud provider seek a protective order to prevent and/or limit the disclosure of the cloud user's data? Is the cloud provider even legally required to turn over the data under the Stored Communications Act or other statutes?
This blog post does not address itself to the even more complex considerations that arise if the EU Data Protection Directive applies to the cloud data that is the subject of the document request (e.g., if the data involves EU residents and is being transferred between the EU and the US, and who knows what other jurisdictions, while swirling around in the cloud). The mere processing of such information could very well violate the Directive and member country laws. That is the subject of past and future posts.
3. Metadata
Of course, litigants may also discover metadata. The default rule, in the absence of a stipulation or court order, is that a party must produce ESI in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms. Rule 34(b)(2)(E)(2). Almost inevitably, ESI in the form in which it is ordinarily maintained will contain metadata.
Cloud users responding to Rule 34 requests need to determine in what form they will produce ESI in the cloud. They also need to consider, in advance, the potential need for special protections and objections with respect to that cloud metadata -- it may be too late to consider such objections once the cloud data review is underway. Further, cloud providers (and users alike) need to consider the possibility that certain metadata will only reside with the cloud provider and how that affects the parties' discovery obligations (especially if the cloud provider might be considered the data owner for purposes of that metadata).
4. Admissibility
The flipside of the explosion of case law and commentary addressing e-discovery over the past several years, particularly since the amendments to the Federal Rules in late 2006, is the stunning lack of case law addressing admissibility of ESI. One of my favorite decisions, for that very reason, is United States Magistrate Judge Paul W. Grimm's treatment of these issues in Lorraine v. Markel Am. Ins. Co., 241 F.R.D. 534 (D. Md. 2007). Lorraine was an unlikely candidate to spawn a 100-page opinion on authentication of electronic evidence -- it involved a yacht struck by lightning. However, Judge Grimm, clearly disappointed by the parties' failure to authenticate even basic e-mails (they were simply attached to the parties’ motions as exhibits), took the opportunity to provide much needed guidance.
I am unaware of any case law specifically addressing admissibility of ESI in the cloud. (More on that lack of case law regarding the cloud generally below.) In the interim, Judge Grimm's guidelines, going back to basics, are well worth a read. Like any other litigant purporting to introduce ESI as evidence, a litigant introducing cloud data must be able to demonstrate that the ESI is relevant and authentic, that it is not precluded by the hearsay rule (or fits within one of its exceptions) or the best evidence rule, and that its probative value is not substantially outweighed by the danger of unfair prejudice. As noted by the court in Lorraine,
Whether ESI is admissible into evidence is determined by a collection of evidence rules that present themselves like a series of hurdles to be cleared by the proponent of the evidence. Failure to clear any of these evidentiary hurdles means that the evidence will not be admissible. Whenever ESI is offered as evidence, either at trial or in summary judgment, the following evidence rules must be considered: (1) is the ESI relevant as determined by Rule 401 (does it have any tendency to make some fact that is of consequence to the litigation more or less probable than it otherwise would be); (2) if relevant under 401, is it authentic as required by Rule 901(a) (can the proponent show that the ESI is what it purports to be); (3) if the ESI is offered for its substantive truth, is it hearsay as defined by Rule 801, and if so, is it covered by an applicable exception (Rules 803, 804 and 807); (4) is the form of the ESI that is being offered as evidence an original or duplicate under the original writing rule, of if not, is there admissible secondary evidence to prove the content of the ESI (Rules 1001-1008); and (5) is the probative value of the ESI substantially outweighed by the danger of unfair prejudice or one of the other factors identified by Rule 403, such that it should be excluded despite its relevance.
Litigants may find a number of these evidentiary hurdles particularly challenging when it comes to cloud data, especially authenticity and hearsay. The proponent of even an email, blog post, IM, tweet, or other communication that resides only in the cloud may need to secure declarations, deposition testimony, or even live testimony of the author(s), the recipient(s), the data custodian, and/or the cloud provider itself. The same analysis must be considered for each and every such communication.
5. Cost
The costs associated with any e-discovery can be substantial. In the absence of well-drafted agreements between cloud users and providers, the presence of data in the cloud can only exacerbate those e-discovery costs. The parties to a cloud services agreement must determine which party will cover the costs associated with preserving, accessing, collecting, reviewing, and establishing admissibility of data in the cloud. Parties considering use of the cloud for certain kinds of data should evaluate whether the cost savings associated with using the cloud for that particular purpose outweigh the costs associated with processing data for discovery purposes if and when that becomes necessary.
Some Final Thoughts -- Current Lack of Case Law on the "Cloud"
I sometimes get questions about existing case law regarding the cloud. There is very little case law that actually uses the terminology.
Up until late July of this year, a search of Westlaw for "cloud computing" in all federal and state cases produced only one hit, Rearden LLC v. Rearden Commerce, Inc., 597 F. Supp.2d 1006 (N.D. Cal. Jan. 27, 2009). That case did not actually involve the substance of cloud computing. It was a trademark infringement matter. As one of the arguments in support of their position that defendant's "Personal Assistant" software directly competed with plaintiffs' incubation and/or movie production services, plaintiffs maintained that both parties used "Cloud Computing" (the court's opinion used the term in quotes and initial caps). The court, referring to a party declaration, described "Cloud Computing" as "a term used to describe a software-as-a-service (SAAS) platform for the online delivery of products and services." (Compare the court's description to the NIST definition of cloud computing discussed in Part One.) It rejected plaintiffs' argument that defendant's primary business was "Cloud Computing," finding that "Cloud Computing" was merely the platform, not the end product: "plaintiffs erroneously conflate[d] a platform by which defendant launches its end service to consumers (i.e., software) with the end product itself (i.e., a web-based marketplace). Indeed, plaintiffs state that it is the technology developed on the SAAS platform that will likely compete with other SAAS/ Cloud Computing companies. Plaintiffs do not discuss the product itself, but merely the underlying platform used to create it." Rearden LLC, 597 F.Supp.2d at 1021.
There are two more recent decisions that now come up in the same Westlaw search for "cloud computing": an unpublished procedural ruling in International Business Machines Corp. v. Johnson, 2009 WL 2356430 (S.D.N.Y. July 30, 2009), and an Oregon state court opinion in a criminal matter, State v. Bellar, 231 Or.App. 80, 217 P.3d 1094 (Sept. 30, 2009).
Johnson only mentions cloud computing in passing. The court rejected IBM's second attempt to obtain a preliminary injunction that would stop a former Vice President of Corporate Development from working in any role at his new employer, Dell, that would involve mergers and acquisitions, "as well as any role that would require him to advise Dell on its strategies related to such matters as enterprise services, servers, storage, so-called ‘Cloud’ computing and business analytics." The court rejected the second preliminary injunction request on procedural grounds.
The most recent opinion mentioning cloud computing, Bellar, involved an appeal regarding a motion to suppress in a prosecution for 40 counts of encouraging child sexual abuse in the second degree. The dissent discussed the defendant's privacy rights with respect to information in the cloud:
Nor are a person's privacy rights in electronically stored personal information lost because that data is retained in a medium owned by another. Again, in a practical sense, our social norms are evolving away from the storage of personal data on computer hard drives to retention of that information in the “cloud,” on servers owned by internet service providers. That information can then be generated and accessed by hand-carried personal computing devices. I suspect that most citizens would regard that data as no less confidential or private because it was stored on a server owned by someone else.
In 2010, we will undoubtedly start to see judges using cloud terminology and analyzing the consequences of the rapid spread of different kinds of data (trade secrets, privileged information, PII) in the cloud, both in pretrial discovery, at trial, and with respect to the merits of cases involving such information. In the meantime, as always, technology races ahead of the law.