E-Discovery and the Cloud
UNCC Cloud Computing Symposium
April 25, 2012
Today’s Outline
• E-Discovery Overview and the Preservation
Requirement
• E-Discovery in the Cloud
• Contracts with Cloud Providers
• Lawyers using the Cloud
• E-Discovery Vendors using the Cloud
• Q&A
Please feel free to ask
questions.
Time will be reserved toward the end of the
presentation to ask questions, but please
raise your hand during the presentation if
you’d like to pose a question.
??
Introduction to E-Discovery
• 2006 Federal Rules Change
• Discovery of Electronically Stored Information
(“ESI”)
• Preservation Duties and Legal Holds
• Production and Metadata lssues
Document Preservation
• Duty to preserve arises when there is a claim.
• Absent claim, business reasons and
compliance laws dictate what is retained.
• Preservation duty extends to all documents
within a parties’ “posession, custody or
control”. Fed. R. Civ. P. 34(a)(1).
• Cloud USER, not PROVIDER, has responsibility
to preserve and produce data.
Emerging Area of Concern
• 98% of new records are electronic
• Most lawsuits involve some ESI (at least emails)
• Deloitte 2010 survey found only 9% of
companies were “well-prepared” to capture
and store cloud data.
Where do we look for guidance:
• Sedona Conference, including working paper
on cloud computing
• Federal and State Rules
• Recent Case Law
New E-Discovery Rules in NC
• Rules Effective October 1, 2011
• Either side can request a Discovery Plan
• Some metadata must presumptively be
produced:
– Date sent
– Date received
– Author
– Recipients
– Other metadata is presumptively out
Discovery 2.0
Early Case Assessment
Preservation Protocols
Automated Holds
Sampling
Predictive Coding
Tomorrow is Just a
Day Away ….
E-Discovery Issues in the Cloud
•
•
•
•
•
•
Data Storage
Retrieval
Format
Metadata
Location / Jurisdiction
Both Time and Cost are critical for each step
must be evaluated
Contract Negotiation Points
• Performance measures in Service Level
Agreements (“SLAs”)
• Data encryption, with algorithm / key length
• Data retention and destruction
• Audit rights
• Retrieval
• Prohibition on data use (i.e. they can’t use or
share)
• Liability for theft or loss of data
Negotiating SLAs
• Tailor SLA to the application.
• For legally sensitive information, SLA should include:
– Error severity definition
– Minimum response time guarantees
– Escalation procedures
– Data return, including format & metadata
– Notice before disclosure in response to subpoena
or other request
E-Discovery in the Cloud
• Rackspace.com and Amazon do not provide EDiscovery support.
• Some vendors (e.g. X1 Discovery) claim to be
able to search enterprise data across an
Infrastructure as a Service (“IaaS”) cloud.
• Otherwise, the cloud data may need to
exported for preservation and review.
• Consider simulating an e-Discovery event
before litigation arises.
E-Discovery Questions
for Cloud Providers
• What analytical tools are available to
search/organize the cloud data for relevance?
• How will the identified data be collected?
• What metadata is available for analysis or
production?
• What forms of production outside the Cloud
are available?
• Costs of these steps?
What about Free Cloud Providers?
• Highest levels of use.
– Gmail, YouTube, Facebook, Google Docs, Hotmail,
Windows Live, Drop Box, Evernote, Acrobat.com
– 4 million businesses use Google Apps
– Standard Terms of Service (TOS) are nonnegotiable and subject to change
– Some effort to make collection easier (“Download
my Facebook” and Gmail export). However, not
all data (and metadata) necessarily gets
downloaded.
The Stored Communications Act
• Most cloud service providers are covered
• Covered providers may not release
communications even when served with a
subpoena
• May only do so with “lawful consent” of
subscriber
• Proper course is to direct subpoena /
document request to subscriber
International Concerns
• It is possible the law of current “site” of the
data will apply regarding release/disclosure.
• May be difficult or impossible to determine
where cloud data “resides.”
• Privacy rules vary considerably, especial for
European Union countries.
• Business Software Alliance (“BSA”) published a
Global Cloud Computing Scorecard this year
reviewing 24 countries. Japan was #1.
The Cloud Ate My Homework !
• Do litigants face spoliation sanctions for data
lost by a cloud provider?
Lost Data
• No cases yet
• Test will likely turn on whether the litigant
and/or the Cloud provider too reasonable
steps to prevent spoliation.
• Proof of diligence at time of decision to move
to the Cloud will be important.
Cloud Case Law
• There isn’t much!
• 19 federal cases mention “cloud computing”,
but none deal with discovery issues.
• Flagg v. City of Detroit, 252 F.R.D. 346 (E.D.
Mich. 2008)(“a request for production need
not be confined to documents or other items
in a party's possession, but instead may
properly extend to items that are in that
party's "control.“)
Cases
• Suzlon Energy, Ltd. v. Microsoft Corp., 671 F.3d
726 (9th Cir. 2011)
– Electronic Communications Privacy Act (ECPA)
applies to production of e-mails of a non-US
national if the e-mails are stored on a US server
Lawyers are in the Clouds
• As of November 2011 survey by American
Lawyer, 65% of law firms use cloud computing
and 47% report increased usage.
• E-Discovery and litigation support lead the
way.
• E-mail, HR and storage also used.
• Security is the biggest concern.
Lawyers and the Cloud
• Bar Associations are getting involved
• Iowa Ethics Opinion September 9, 2011:
– Lawyers must take “reasonable precautions” to
protect client data.
– Unfettered access required for SaaS data
– Due Diligence on the provider, including location
– Terms of end user’s licensing agreement (ELUA)
• Limitations of liability
• Forum selection
• Data rights
Lawyers and the Cloud
– Financial Obligations (what happens to data if
there is a default)
– Termination and Retrieval
– Password Protection
– Data Encryption available?
E-Discovery Vendors
are using the Cloud
• Huge volumes of data
• Autonomy (now an HP company) has over 40
petabytes (40 million gigabytes) of data stored
in the cloud, with hot site backup.
• Autonomy offers direct collection to the cloud.
VI. Q&A
Mark P. Henriques
Womble Carlyle Sandridge & Rice, LLP
301 S. College Street, Suite 3500
Charlotte, NC 28262
Mhenriques@wcsr.com
704-331-4912
Bonus Material
• Negotiating Cloud Contract Terms
Legal Commonalities Between
SaaS and Software Licensing
How do licensing transactions and
SaaS transactions approach
overlapping issues they both face?
Quick overlap summary…
Software License Contracts
Also addressed in a cloud deal?
Identification of subject matter to be
provided
Yes, but distinguishable
Delivery of materials into customer
possession
No delivery of software. (Exceptions
apply.)
Rights to Use – license to install copy(ies),
operate for internal use, etc.
Yes, but right to access only
Other affirmative grants – rights to
distribute? Modify? Create derivative
works?
N/A (usually)
Clarification of IP rights (reservations of
rights, exclusion of implied licenses)
Yes
Contractual restrictions on use
Yes
Quick Overlap Summary
Software License Contracts
Also addressed in a cloud deal?
Ancillary services – installation,
configuration, custom development,
support, maintenance
•Yes, but differences
•Custom development in multi-tenanting?
•Yes, ongoing support and maintenance
Source Code escrow
Not usually, often ineffective
Economic terms
Yes, deal specific
Allocations of Risk: Warranties…
Yes
Allocations of Risk: Indemnities
Yes
Allocations of Risk: Limitations of Liability
Yes
Duration of Usage; Termination
Yes
Miscellaneous (governing law, etc.)
Yes
Economic Terms – Software v.
SaaS
• Most common economic models for enterprise software licenses also
apply to SaaS models (except one-time fees for perpetual rights),
including:
–
–
–
–
Fee per period of time
Fee per transaction (unit processed)
Fee per user
Revenue share
• Whenever fees are indeterminate at the time of contracting, one party
will need to track relevant metrics in order to calculate amounts due.
Applies to both software and SaaS models.
• Which party is in the position to track the relevant metrics? The party
hosting the remote system? How measured? When? What if calculations
are disputed? Record-keeping requirements?
• Must support be purchased? Because SaaS is inherently time-limited, are
support and maintenance included in the access purchase?
• Implementation and other services are usually addressed independently.
• Price escalation over time? Rate of increase capped?
Exclusions and Limitations of Liability:
Software v. SaaS
• Commonly, limitations of liability exclude the possibility of seeking
monetary damages in the nature of “indirect, incidental, or
consequential” damages.
• In the cloud, certain risks predictably result in “indirect” damages, such
as the damages suffered by a customer when a vendor discloses or
destroys the customer’s confidential, hosted data.
– What if, e.g., an individual sued a hospital after the hospital’s SaaS vendor
released some patient-specific health-related data to the world? Would the
damages suffered by the hospital as a result of the lawsuit be considered
“indirect”? Could the hospital recover from the vendor if the contract
excluded recovery for “indirect, incidental, or consequential” damages?
– Take-away: When vendor hosts sensitive customer data, heightened attention
should be paid to the customer’s available contract remedies.
• Dollar caps on liability exposure are usually addressed similarly in both
software license agreement and SaaS contracts.
Duration of Contract: Software v. SaaS
• Software:
– May be perpetual
– Often time-limited, renewable
– Support, etc. may have separate, independent term of
commitment, renewable by mutual agreement
• SaaS:
– Should always be time-limited subscription, never
perpetual
– From vendor perspective, auto-renewal should not be
perpetual
– Many breaches are subject to liquidated damages (e.g.,
SLA credits) instead of termination – often the very point
of service level agreements
General Terms: Software v. SaaS
• Careful attention should be paid to common
boilerplate
– Assignability?
– Governing law? (e.g., Virginia and Maryland are
UCITA states where SaaS constitutes “Access
Contracts”)
– Surviving obligations (e.g., data migration)?
IV. What’s so special about
the cloud?
Legal Particularities and SaaS-specific
Issues in SaaS Contracts
Service Level Agreements
• The “SLA” often serves the functions traditionally served by
warranties in software license contracts.
• Uptime guarantees
– What percentages are acceptable?
– How is it measured?
– Who’s monitoring it?
• Remedies
– Service Credits
– Termination/Refunds
– Source Code Escrow
• Performance/functionality warranties
Who’s Behind the Curtain?
• Vendor
• Third Party Providers to the Vendor
– Data centers
– Third-party Software (APIs, embedded tools)
– Third-party content providers
– Data processors
– Outsourced support
Who’s behind the curtain?
3rd Party
Data Source
Customer
Vendor of
Aggregated
Functionality
Sub-Vendor
of
Particular
Function
3rd Party
Data
Source
Customer Data
Sub-Vendor
of
Particular
Function
Customer Data
Sub-Vendor
of
Particular
Function
Other Issues for Further
Discussion
• Information Security / Privacy
– HIPAA, GLB, FERPA, EU Privacy Directive
•
•
•
•
Acceptance testing?
Disaster recovery and redundancy
Implementation challenges
Customer access to hosted data (when, how,
post-termination, transitional assistance?)
Strategies and Best Practices
• SaaS is still new enough that there’s a high degree of
concern (bad) despite a low occurrence of problems
(good)
• Choose your SaaS partners wisely and have a
replacement vendor in your back pocket
• The best term to fight for is some sort of early
termination for extreme downtime or (ideally)
convenience
– Term for convenience should include repayment of
sunk/unrecoverable costs but not profits (if possible)