Should you store data on a cloud?

There was a time when looking at the formation and color of clouds was the only way to predict impending weather. And who hasn’t cloudwatched,imagining that a cloud formation resembles some object or animal? Well, in today’s everevolving technological world, people can also store data off-site on virtual clouds. But why would they do that, and should you jump on the bandwagon too?

What is cloud computing?

Gabe Acevedo, a Washington, DC-based attorney who specializes in e-discovery law, says he is bemused by the anxiety cloud computing often creates, because the system is in fact rather simplistic. ‘Documents are stored somewhere else other than in your computer,’ he explains. ‘It’s not on your hard drive and exists in some weird space.’ However, Carrie Mallen, director of e-discovery and records information management for boutique litigation law firm Bartko, Zankel, Tarrant & Miller, says there’s much more to understand about cloud computing.

First, rather than labeling it ‘cloud computing’, she says it’s probably more accurate to say you are considering the use of ‘cloud services.’ Cloud services are a cost-effective way to manage a company’s electronically stored information, which includes all electronic files or other data stored on computers, disks, tapes or other media. ‘General business and regulatory requirements, preservation of evidence for e-discovery according to the Federal Rules of Civil Procedure [FRCP] and other compliance efforts require the storage of enormous amounts of data,’ says Mallen. Cloud services provide that storage space – at a price.

There are two types of clouds: public and private.

Public data clouds are owned by a third-party vendor that creates and controls the cloud’s terms of service (TOS) as well as controlling the user’s ability to access information. Examples of public clouds are Facebook and Gmail. A private cloud is one where the user purchases data space from a third-party vendor. The user then has the ability to control the cloud’s TOS, implementing methods for accessing and distributing data from the cloud.

Deciding whether to use a public or private cloud can make a major difference when it comes to the vulnerability of the data being stored. Since the third-party vendor owns the cloud, they decide what triggers their duty to divulge the information subject to subpoena. This can be a key issue when it comes to e-discovery lawsuits.

According to Jeffrey K. Brandt, a principal with Brandt Professional Services in Ashburn, Virginia, it all boils down to control. In a private cloud, ‘you create the TOS, not someone else. With Facebook, for example, they decide the TOS and whether to give up information and so on,’ says Brandt, a strategic consultant for law firms who has a lengthy professional background managing C-level functions on e-discovery. When another entity has control over your documents, understanding what the TOS allows and does not allow is critical, and shouldn’t be taken lightly.

Pros and cons of cloud data storage

One advantage of moving selected data to a cloud is that it forces the user to get its data house in order. An intrinsic aspect of that is the ability to create a data map, a requirement under FRCP 26(a). Another benefit is that the enterprise must assess the type and volume of data it possesses, the risk level and requirements associated with storing that data and the appropriateness of the data being considered for cloud storage.

Jay Brudz, a partner and co-chair of the information governance and e-discovery practice for Washington-based Williams Mullen, says cloud computing offers other benefits. According to Brudz, who is a former senior counsel in legal technology with General Electric, storing data on a cloud can simplify electronic discovery.

‘From an e-discovery standpoint, you can go to one place to glean data,’ he says. That means the user can go to one cloud to retrieve data rather than searching through several laptops to locate information. Not only does cloud computing negate the need to mine data from several sources, because all of it can be found on one cloud, it also makes the process easier, says Acevedo. ‘You can access information quickly and all in one place,’ he notes. Despite its benefits, however, storing data on a cloud has drawbacks, too.

Cloud computing creates problems with visibility, control and life cycle management, according to Mallen. By visibility, she means ‘knowing what and where documents are’. When using cloud services, it’s important for the company to establish and adhere to a solid records management policy. When records of any kind are stored in clouds, ‘they have to be managed’, notes Mallen. She cautions publicly traded companies ‘to be aware of regulatory requirements and sensitive personal information’. Document life cycle management is another area that requires attention to detail. ‘Every record is scheduled for retention for a certain period of time,’ Mallen says. ‘Everything has a different cycle, some mandated by legal or regulatory requirements such as Sarbanes- Oxley, or by company policy and protocol on email retention and life cycle.’

Not adhering to the regulations regarding life cycle management of electronic data can lead to fines and lost lawsuits. A major disadvantage of public cloud data storage arises when the government is a party to a case. ‘A government entity can force a third-party vendor to release your data without notifying you,’ says Brudz. ‘That’s the huge concern with the cloud.’ When storing data on a public cloud, users should be especially wary because ‘the content is not in your control, but in someone else’s,’ says Acevedo. ‘The real e-discovery issues arise in social media outlets like Facebook and Twitter, because someone else
owns the site.’

Cloud considerations

The fact that data can be accessed from one source when stored on a cloud does not mean every document should be stored on it. According to Brudz, it’s wise to for an IT department to include what he calls ‘the four e-discovery use cases’ in its request for proposal when determining which third-party vendor to hire for cloud storage. These are:

• Identifying relevant data (how the vendor handles this process)
• Preserving relevant data (process for implementing a legal hold)
• How the information would be exported from the cloud to the user’s technical team so they can respond to a request for discovery
• The process for releasing the legal hold so it runs in perpetuity

There are other use cases, like how quickly emails are sent, but the four Brudz emphasizes are the most linked to e-discovery. Brandt offers his own take on the topic. ‘Before putting data into a cloud, you need to know how you will get it back out,’ he says. ‘For example, it’s important not only to know the options offered by the third-party vendor for data retrieval, but also to obtain assurances on how the data is to be stored.’

In the final analysis, a corporate board is beholden to its shareholders to ensure the safety of important proprietary data. ‘The board needs to take steps to protect its information assets and then monitor those processes,’ says Brandt.