E-Discovery in the Cloud

E-Discovery and the Cloud
UNCC Cloud Computing Symposium
April 25, 2012
Today’s Outline
• E-Discovery Overview and the Preservation
• E-Discovery in the Cloud
• Contracts with Cloud Providers
• Lawyers using the Cloud
• E-Discovery Vendors using the Cloud
• Q&A
Please feel free to ask
Time will be reserved toward the end of the
presentation to ask questions, but please
raise your hand during the presentation if
you’d like to pose a question.
Introduction to E-Discovery
• 2006 Federal Rules Change
• Discovery of Electronically Stored Information
• Preservation Duties and Legal Holds
• Production and Metadata Issues
Document Preservation
• Duty to preserve arises when there is a claim.
• Absent claim, business reasons and
compliance laws dictate what is retained.
• Preservation duty extends to all documents
within a party’s “possession, custody or
control”. Fed. R. Civ. P. 34(a)(1).
• Cloud USER, not PROVIDER, has responsibility
to preserve and produce data.
Emerging Area of Concern
• 98% of new records are electronic
• Most lawsuits involve some ESI (at least emails)
• Deloitte 2010 survey found only 9% of
companies were “well-prepared” to capture
and store cloud data.
Where do we look for guidance:
• Sedona Conference, including working paper
on cloud computing
• Federal and State Rules
• Recent Case Law
New E-Discovery Rules in NC
• Rules Effective October 1, 2011
• Either side can request a Discovery Plan
• Some metadata must presumptively be
– Date sent
– Date received
– Author
– Recipients
– Other metadata is presumptively out
Discovery 2.0
Early Case Assessment
Preservation Protocols
Automated Holds
Predictive Coding
Tomorrow is Just a
Day Away ….
E-Discovery Issues in the Cloud
Data Storage
Location / Jurisdiction
Both Time and Cost are critical for each step
must be evaluated
Contract Negotiation Points
• Performance measures in Service Level
Agreements (“SLAs”)
• Data encryption, with algorithm / key length
• Data retention and destruction
• Audit rights
• Retrieval
• Prohibition on data use (i.e. they can’t use or
• Liability for theft or loss of data
Negotiating SLAs
• Tailor SLA to the application.
• For legally sensitive information, SLA should include:
– Error severity definition
– Minimum response time guarantees
– Escalation procedures
– Data return, including format & metadata
– Notice before disclosure in response to subpoena
or other request
E-Discovery in the Cloud
• Rackspace.com and Amazon do not provide E-Discovery support.
• Some vendors (e.g. X1 Discovery) claim to be
able to search enterprise data across an
Infrastructure as a Service (“IaaS”) cloud.
• Otherwise, the cloud data may need to be
exported for preservation and review.
• Consider simulating an e-Discovery event
before litigation arises.
E-Discovery Questions
for Cloud Providers
• What analytical tools are available to
search/organize the cloud data for relevance?
• How will the identified data be collected?
• What metadata is available for analysis or
• What forms of production outside the Cloud
are available?
• Costs of these steps?
What about Free Cloud Providers?
• Highest levels of use.
– Gmail, YouTube, Facebook, Google Docs, Hotmail,
Windows Live, Dropbox, Evernote, Acrobat.com
– 4 million businesses use Google Apps
– Standard Terms of Service (TOS) are non-negotiable and subject to change
– Some effort to make collection easier (“Download
my Facebook” and Gmail export). However, not
all data (and metadata) necessarily gets
The Stored Communications Act
• Most cloud service providers are covered
• Covered providers may not release
communications even when served with a
• May only do so with “lawful consent” of
• Proper course is to direct subpoena /
document request to subscriber
International Concerns
• It is possible the law of current “site” of the
data will apply regarding release/disclosure.
• May be difficult or impossible to determine
where cloud data “resides.”
• Privacy rules vary considerably, especially for
European Union countries.
• Business Software Alliance (“BSA”) published a
Global Cloud Computing Scorecard this year
reviewing 24 countries. Japan was #1.
The Cloud Ate My Homework!
• Do litigants face spoliation sanctions for data
lost by a cloud provider?
Lost Data
• No cases yet
• Test will likely turn on whether the litigant
and/or the Cloud provider took reasonable
steps to prevent spoliation.
• Proof of diligence at time of decision to move
to the Cloud will be important.
Cloud Case Law
• There isn’t much!
• 19 federal cases mention “cloud computing”,
but none deal with discovery issues.
• Flagg v. City of Detroit, 252 F.R.D. 346 (E.D.
Mich. 2008) (“a request for production need
not be confined to documents or other items
in a party's possession, but instead may
properly extend to items that are in that
party's ‘control.’”)
• Suzlon Energy, Ltd. v. Microsoft Corp., 671 F.3d
726 (9th Cir. 2011)
– Electronic Communications Privacy Act (ECPA)
applies to production of e-mails of a non-US
national if the e-mails are stored on a US server
Lawyers are in the Clouds
• According to a November 2011 survey by American
Lawyer, 65% of law firms use cloud computing
and 47% report increased usage.
• E-Discovery and litigation support lead the
• E-mail, HR and storage also used.
• Security is the biggest concern.
Lawyers and the Cloud
• Bar Associations are getting involved
• Iowa Ethics Opinion September 9, 2011:
– Lawyers must take “reasonable precautions” to
protect client data.
– Unfettered access required for SaaS data
– Due Diligence on the provider, including location
– Terms of end user’s licensing agreement (EULA)
• Limitations of liability
• Forum selection
• Data rights
Lawyers and the Cloud
– Financial Obligations (what happens to data if
there is a default)
– Termination and Retrieval
– Password Protection
– Data Encryption available?
E-Discovery Vendors
are using the Cloud
• Huge volumes of data
• Autonomy (now an HP company) has over 40
petabytes (40 million gigabytes) of data stored
in the cloud, with hot site backup.
• Autonomy offers direct collection to the cloud.
Mark P. Henriques
Womble Carlyle Sandridge & Rice, LLP
301 S. College Street, Suite 3500
Charlotte, NC 28262
Bonus Material
• Negotiating Cloud Contract Terms
Legal Commonalities Between
SaaS and Software Licensing
How do licensing transactions and
SaaS transactions approach
overlapping issues they both face?
Quick overlap summary…
Software License Contracts | Also addressed in a cloud deal?
Identification of subject matter to be | Yes, but distinguishable
Delivery of materials into customer | No delivery of software. (Exceptions
Rights to Use – license to install copy(ies), operate for internal use, etc. | Yes, but right to access only
Other affirmative grants – rights to distribute? Modify? Create derivative | N/A (usually)
Clarification of IP rights (reservations of rights, exclusion of implied licenses) |
Contractual restrictions on use |
Quick Overlap Summary
Software License Contracts | Also addressed in a cloud deal?
Ancillary services – installation, configuration, custom development, support, maintenance | • Yes, but differences • Custom development in multi-tenanting? • Yes, ongoing support and maintenance
Source Code escrow | Not usually, often ineffective
Economic terms | Yes, deal specific
Allocations of Risk: Warranties… |
Allocations of Risk: Indemnities |
Allocations of Risk: Limitations of Liability |
Duration of Usage; Termination |
Miscellaneous (governing law, etc.) |
Economic Terms – Software v.
• Most common economic models for enterprise software licenses also
apply to SaaS models (except one-time fees for perpetual rights),
– Fee per period of time
– Fee per transaction (unit processed)
– Fee per user
– Revenue share
• Whenever fees are indeterminate at the time of contracting, one party
will need to track relevant metrics in order to calculate amounts due.
Applies to both software and SaaS models.
• Which party is in the position to track the relevant metrics? The party
hosting the remote system? How measured? When? What if calculations
are disputed? Record-keeping requirements?
• Must support be purchased? Because SaaS is inherently time-limited, are
support and maintenance included in the access purchase?
• Implementation and other services are usually addressed independently.
• Price escalation over time? Rate of increase capped?
Exclusions and Limitations of Liability:
Software v. SaaS
• Commonly, limitations of liability exclude the possibility of seeking
monetary damages in the nature of “indirect, incidental, or
consequential” damages.
• In the cloud, certain risks predictably result in “indirect” damages, such
as the damages suffered by a customer when a vendor discloses or
destroys the customer’s confidential, hosted data.
– What if, e.g., an individual sued a hospital after the hospital’s SaaS vendor
released some patient-specific health-related data to the world? Would the
damages suffered by the hospital as a result of the lawsuit be considered
“indirect”? Could the hospital recover from the vendor if the contract
excluded recovery for “indirect, incidental, or consequential” damages?
– Take-away: When vendor hosts sensitive customer data, heightened attention
should be paid to the customer’s available contract remedies.
• Dollar caps on liability exposure are usually addressed similarly in both
software license agreement and SaaS contracts.
Duration of Contract: Software v. SaaS
• Software:
– May be perpetual
– Often time-limited, renewable
– Support, etc. may have separate, independent term of
commitment, renewable by mutual agreement
• SaaS:
– Should always be time-limited subscription, never
– From vendor perspective, auto-renewal should not be
– Many breaches are subject to liquidated damages (e.g.,
SLA credits) instead of termination – often the very point
of service level agreements
General Terms: Software v. SaaS
• Careful attention should be paid to common
– Assignability?
– Governing law? (e.g., Virginia and Maryland are
UCITA states where SaaS constitutes “Access
– Surviving obligations (e.g., data migration)?
IV. What’s so special about
the cloud?
Legal Particularities and SaaS-specific
Issues in SaaS Contracts
Service Level Agreements
• The “SLA” often serves the functions traditionally served by
warranties in software license contracts.
• Uptime guarantees
– What percentages are acceptable?
– How is it measured?
– Who’s monitoring it?
• Remedies
– Service Credits
– Termination/Refunds
– Source Code Escrow
• Performance/functionality warranties
Who’s Behind the Curtain?
• Vendor
• Third Party Providers to the Vendor
– Data centers
– Third-party Software (APIs, embedded tools)
– Third-party content providers
– Data processors
– Outsourced support
Who’s behind the curtain?
[Diagram; surviving labels: “3rd Party”, “Data Source”, “Vendor of”, “3rd Party”, “Customer Data”]
Other Issues for Further
• Information Security / Privacy
– HIPAA, GLB, FERPA, EU Privacy Directive
• Acceptance testing?
• Disaster recovery and redundancy
• Implementation challenges
• Customer access to hosted data (when, how,
post-termination, transitional assistance?)
Strategies and Best Practices
• SaaS is still new enough that there’s a high degree of
concern (bad) despite a low occurrence of problems
• Choose your SaaS partners wisely and have a
replacement vendor in your back pocket
• The best term to fight for is some sort of early
termination for extreme downtime or (ideally)
– Term for convenience should include repayment of
sunk/unrecoverable costs but not profits (if possible)