E-discovery (abbreviation for electronic discovery)
|“||refers to the process of identifying and producing relevant electronically stored information (ESI), including metadata and electronic backup materials, in response to civil and criminal litigations.||”|
Once such litigation is reasonably anticipated (e.g., receipt of a letter threatening a lawsuit), a party has a legal obligation to suspend destruction of such ESI, by issuing a “litigation hold” to all individuals and entities maintaining ESI on the party’s behalf. Failure to take proper and adequate steps to preserve such ESI can result in serious legal sanctions against a party. These risks may be significantly greater when using a cloud computing service, since the service provider may be unable or unwilling for technical, cost, legal or other reasons to halt routine destruction of responsive ESI, which may be maintained or commingled with data of other clients of that service for records management and disposal purposes.
Cloud computing Edit
In a cloud computing ecosystem, there is a significantly increased risk of failing to obey the legal e-discovery obligations, since the service provider may be unable or unwilling to halt routine destruction of responsive ESI, due to technical, cost, legal or other reasons, or may be incapable of preventing data commingling. For example, a cloud provider’s archival capabilities may not preserve the original metadata as expected, causing spoliation (i.e., the intentional, reckless, or negligent destruction, loss, material alteration, or obstruction of evidence that is relevant to litigation), which could negatively impact litigation. Likewise, the nature of cloud storage (e.g., widely dispersed servers or databases located domestically or even overseas) may complicate the ability to identify, preserve, and retrieve responsive ESI in a timely fashion, further jeopardizing the agency's ability to meet its legal e-discovery obligations.
Responsibilities of cloud computing consumer Edit
The cloud consumer is responsible for preserving evidence and for the issuance of litigation hold notices to cloud providers who have any pertinent ESI. If required evidence is lost or damaged, the customer may be fined and/or sanctioned by the court despite any fault or failure on the part of the cloud provider, thus it is incumbent upon the cloud customer to verify that robust processes are in place to ensure preservation and facilitate ESI collection. Additionally, failure to understand where pertinent ESI is located could result in exposure of data beyond the scope of the electronic discovery request, or data belonging to customers who are not parties to the specific discovery request — possibly violating their privacy.
Responsibilities of cloud provider Edit
The cloud provider is responsible for identifying and producing relevant ESI to lawful authority when presented with a lawful demand for such information. This may be a one-time request for stored information or it may be a request for dynamic access to data akin to a wiretap. These requests often include a specific deadline for cooperation or surrendering of the information and the provider may face penalties if they are unable or unwilling to comply.
- Challenging Security Requirements for US Government Cloud Computing Adoption. ("Cloud computing" section)
- Privacy Recommendations for the Use of Cloud Computing by Federal Departments and Agencies, at footnote 9. ("Overview" section)