Earlier this year, I predicted that 2016 would be a year of increased focus on e-discovery from cloud-based sources and postulated that many organizations would demand better e-discovery solutions and increased cooperation from cloud providers. Industry experts agreed. So, what can proactive companies do to ensure that their cloud providers are on board for e-discovery purposes? Much can be accomplished before the contract is even signed. For most providers, e-discovery is not their primary concern so their form agreements are unlikely to address with any degree of specificity key components that could make compliance with discovery requests smoother. While there is no one-size fits all answer, trying to get specific commitments incorporated into the provider agreement will go a long way towards streamlining compliance.
Some things to consider when negotiating cloud services include:
- Who owns the data? Although it may seem obvious, it is important to expressly identify who owns the data being hosted in the cloud.
- Where is the data stored? Even though it’s stored “in the cloud,” the data exists on a server that is physically located somewhere. And the location of that server can make a difference, particularly if it is located overseas in a country with stringent data privacy laws that make transferring data back to the U.S. cumbersome and time-consuming. Ask the questions upfront to avoid surprise later.
- How can you access the data? This is another simple point that can make a big difference—how do you go about getting your hands on your data when you need it? Is there a dedicated representative or point of contact? How long will it take? Will there be additional charges? What format will the data be in? Address these logistical concerns head on in your negotiations. And don’t be afraid to get down to the details.
- Will the provider comply with your record retention policy? As I’ve discussed before, the data you destroy (properly and in accordance with your record retention protocols) is as important as the data you keep. Consider including language requiring the provider to adhere to your data retention policies, including your litigation hold protocols. Give some additional thoughts as to whether you want to reserve the right to conduct periodic audits to ensure compliance.
- Will the provider notify you if it receives a subpoena for your data? Sometimes, providers are subpoenaed for their customer’s data directly. You’ll want to discuss with your provider how they handle this situation. Will they notify you? Within what time period? Will they cooperate with compliance or any motions to quash? Will they provider any required affidavits? Are there any additional fees?
E-discovery is never easy but proactive consideration of these issues at the outset of a relationship with a cloud provider can help remove some of the frustration from collecting data from the cloud.