E-Discovery and the Cloud UNCC Cloud Computing Symposium April 25, 2012 Today’s Outline • E-Discovery Overview and the Preservation Requirement • E-Discovery in the Cloud • Contracts with Cloud Providers • Lawyers using the Cloud • E-Discovery Vendors using the Cloud • Q&A Please feel free to ask questions. Time will be reserved toward the end of the presentation to ask questions, but please raise your hand during the presentation if you’d like to pose a question. ?? Introduction to E-Discovery • 2006 Federal Rules Change • Discovery of Electronically Stored Information (“ESI”) • Preservation Duties and Legal Holds • Production and Metadata lssues Document Preservation • Duty to preserve arises when there is a claim. • Absent claim, business reasons and compliance laws dictate what is retained. • Preservation duty extends to all documents within a parties’ “posession, custody or control”. Fed. R. Civ. P. 34(a)(1). • Cloud USER, not PROVIDER, has responsibility to preserve and produce data. Emerging Area of Concern • 98% of new records are electronic • Most lawsuits involve some ESI (at least emails) • Deloitte 2010 survey found only 9% of companies were “well-prepared” to capture and store cloud data. Where do we look for guidance: • Sedona Conference, including working paper on cloud computing • Federal and State Rules • Recent Case Law New E-Discovery Rules in NC • Rules Effective October 1, 2011 • Either side can request a Discovery Plan • Some metadata must presumptively be produced: – Date sent – Date received – Author – Recipients – Other metadata is presumptively out Discovery 2.0 Early Case Assessment Preservation Protocols Automated Holds Sampling Predictive Coding Tomorrow is Just a Day Away …. E-Discovery Issues in the Cloud • • • • • • Data Storage Retrieval Format Metadata Location / Jurisdiction Both Time and Cost are critical for each step must be evaluated Contract Negotiation Points • Performance measures in Service Level Agreements (“SLAs”) • Data encryption, with algorithm / key length • Data retention and destruction • Audit rights • Retrieval • Prohibition on data use (i.e. they can’t use or share) • Liability for theft or loss of data Negotiating SLAs • Tailor SLA to the application. • For legally sensitive information, SLA should include: – Error severity definition – Minimum response time guarantees – Escalation procedures – Data return, including format & metadata – Notice before disclosure in response to subpoena or other request E-Discovery in the Cloud • Rackspace.com and Amazon do not provide EDiscovery support. • Some vendors (e.g. X1 Discovery) claim to be able to search enterprise data across an Infrastructure as a Service (“IaaS”) cloud. • Otherwise, the cloud data may need to exported for preservation and review. • Consider simulating an e-Discovery event before litigation arises. E-Discovery Questions for Cloud Providers • What analytical tools are available to search/organize the cloud data for relevance? • How will the identified data be collected? • What metadata is available for analysis or production? • What forms of production outside the Cloud are available? • Costs of these steps? What about Free Cloud Providers? • Highest levels of use. – Gmail, YouTube, Facebook, Google Docs, Hotmail, Windows Live, Drop Box, Evernote, Acrobat.com – 4 million businesses use Google Apps – Standard Terms of Service (TOS) are nonnegotiable and subject to change – Some effort to make collection easier (“Download my Facebook” and Gmail export). However, not all data (and metadata) necessarily gets downloaded. The Stored Communications Act • Most cloud service providers are covered • Covered providers may not release communications even when served with a subpoena • May only do so with “lawful consent” of subscriber • Proper course is to direct subpoena / document request to subscriber International Concerns • It is possible the law of current “site” of the data will apply regarding release/disclosure. • May be difficult or impossible to determine where cloud data “resides.” • Privacy rules vary considerably, especial for European Union countries. • Business Software Alliance (“BSA”) published a Global Cloud Computing Scorecard this year reviewing 24 countries. Japan was #1. The Cloud Ate My Homework ! • Do litigants face spoliation sanctions for data lost by a cloud provider? Lost Data • No cases yet • Test will likely turn on whether the litigant and/or the Cloud provider too reasonable steps to prevent spoliation. • Proof of diligence at time of decision to move to the Cloud will be important. Cloud Case Law • There isn’t much! • 19 federal cases mention “cloud computing”, but none deal with discovery issues. • Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008)(“a request for production need not be confined to documents or other items in a party's possession, but instead may properly extend to items that are in that party's "control.“) Cases • Suzlon Energy, Ltd. v. Microsoft Corp., 671 F.3d 726 (9th Cir. 2011) – Electronic Communications Privacy Act (ECPA) applies to production of e-mails of a non-US national if the e-mails are stored on a US server Lawyers are in the Clouds • As of November 2011 survey by American Lawyer, 65% of law firms use cloud computing and 47% report increased usage. • E-Discovery and litigation support lead the way. • E-mail, HR and storage also used. • Security is the biggest concern. Lawyers and the Cloud • Bar Associations are getting involved • Iowa Ethics Opinion September 9, 2011: – Lawyers must take “reasonable precautions” to protect client data. – Unfettered access required for SaaS data – Due Diligence on the provider, including location – Terms of end user’s licensing agreement (ELUA) • Limitations of liability • Forum selection • Data rights Lawyers and the Cloud – Financial Obligations (what happens to data if there is a default) – Termination and Retrieval – Password Protection – Data Encryption available? E-Discovery Vendors are using the Cloud • Huge volumes of data • Autonomy (now an HP company) has over 40 petabytes (40 million gigabytes) of data stored in the cloud, with hot site backup. • Autonomy offers direct collection to the cloud. VI. Q&A Mark P. Henriques Womble Carlyle Sandridge & Rice, LLP 301 S. College Street, Suite 3500 Charlotte, NC 28262 Mhenriques@wcsr.com 704-331-4912 Bonus Material • Negotiating Cloud Contract Terms Legal Commonalities Between SaaS and Software Licensing How do licensing transactions and SaaS transactions approach overlapping issues they both face? Quick overlap summary… Software License Contracts Also addressed in a cloud deal? Identification of subject matter to be provided Yes, but distinguishable Delivery of materials into customer possession No delivery of software. (Exceptions apply.) Rights to Use – license to install copy(ies), operate for internal use, etc. Yes, but right to access only Other affirmative grants – rights to distribute? Modify? Create derivative works? N/A (usually) Clarification of IP rights (reservations of rights, exclusion of implied licenses) Yes Contractual restrictions on use Yes Quick Overlap Summary Software License Contracts Also addressed in a cloud deal? Ancillary services – installation, configuration, custom development, support, maintenance •Yes, but differences •Custom development in multi-tenanting? •Yes, ongoing support and maintenance Source Code escrow Not usually, often ineffective Economic terms Yes, deal specific Allocations of Risk: Warranties… Yes Allocations of Risk: Indemnities Yes Allocations of Risk: Limitations of Liability Yes Duration of Usage; Termination Yes Miscellaneous (governing law, etc.) Yes Economic Terms – Software v. SaaS • Most common economic models for enterprise software licenses also apply to SaaS models (except one-time fees for perpetual rights), including: – – – – Fee per period of time Fee per transaction (unit processed) Fee per user Revenue share • Whenever fees are indeterminate at the time of contracting, one party will need to track relevant metrics in order to calculate amounts due. Applies to both software and SaaS models. • Which party is in the position to track the relevant metrics? The party hosting the remote system? How measured? When? What if calculations are disputed? Record-keeping requirements? • Must support be purchased? Because SaaS is inherently time-limited, are support and maintenance included in the access purchase? • Implementation and other services are usually addressed independently. • Price escalation over time? Rate of increase capped? Exclusions and Limitations of Liability: Software v. SaaS • Commonly, limitations of liability exclude the possibility of seeking monetary damages in the nature of “indirect, incidental, or consequential” damages. • In the cloud, certain risks predictably result in “indirect” damages, such as the damages suffered by a customer when a vendor discloses or destroys the customer’s confidential, hosted data. – What if, e.g., an individual sued a hospital after the hospital’s SaaS vendor released some patient-specific health-related data to the world? Would the damages suffered by the hospital as a result of the lawsuit be considered “indirect”? Could the hospital recover from the vendor if the contract excluded recovery for “indirect, incidental, or consequential” damages? – Take-away: When vendor hosts sensitive customer data, heightened attention should be paid to the customer’s available contract remedies. • Dollar caps on liability exposure are usually addressed similarly in both software license agreement and SaaS contracts. Duration of Contract: Software v. SaaS • Software: – May be perpetual – Often time-limited, renewable – Support, etc. may have separate, independent term of commitment, renewable by mutual agreement • SaaS: – Should always be time-limited subscription, never perpetual – From vendor perspective, auto-renewal should not be perpetual – Many breaches are subject to liquidated damages (e.g., SLA credits) instead of termination – often the very point of service level agreements General Terms: Software v. SaaS • Careful attention should be paid to common boilerplate – Assignability? – Governing law? (e.g., Virginia and Maryland are UCITA states where SaaS constitutes “Access Contracts”) – Surviving obligations (e.g., data migration)? IV. What’s so special about the cloud? Legal Particularities and SaaS-specific Issues in SaaS Contracts Service Level Agreements • The “SLA” often serves the functions traditionally served by warranties in software license contracts. • Uptime guarantees – What percentages are acceptable? – How is it measured? – Who’s monitoring it? • Remedies – Service Credits – Termination/Refunds – Source Code Escrow • Performance/functionality warranties Who’s Behind the Curtain? • Vendor • Third Party Providers to the Vendor – Data centers – Third-party Software (APIs, embedded tools) – Third-party content providers – Data processors – Outsourced support Who’s behind the curtain? 3rd Party Data Source Customer Vendor of Aggregated Functionality Sub-Vendor of Particular Function 3rd Party Data Source Customer Data Sub-Vendor of Particular Function Customer Data Sub-Vendor of Particular Function Other Issues for Further Discussion • Information Security / Privacy – HIPAA, GLB, FERPA, EU Privacy Directive • • • • Acceptance testing? Disaster recovery and redundancy Implementation challenges Customer access to hosted data (when, how, post-termination, transitional assistance?) Strategies and Best Practices • SaaS is still new enough that there’s a high degree of concern (bad) despite a low occurrence of problems (good) • Choose your SaaS partners wisely and have a replacement vendor in your back pocket • The best term to fight for is some sort of early termination for extreme downtime or (ideally) convenience – Term for convenience should include repayment of sunk/unrecoverable costs but not profits (if possible)