C lo u d
B E S T OF B R E E D
In general, litigants in a civil case have the right to any information that can reasonably apply to the claims or defense of the case a computer hard drive, or a mobile device. To date, there are few rulings that respond to the shifting degree of control over data in the cloud, so existing laws are essentially being grafted onto the new technology. The Federal Rule of Civil Procedure offers the general guideline on the duty to: “… produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control.” The general nature of this rule means that there are few prohibitions on what organisations can be required to produce. So although you may have a mail server managed by a service provider, the expectation is that you can conduct e-discovery and produce relevant information in the same timely manner as if you were running Microsoft Exchange in your corporate data center. In addition to this e-discovery challenge, there are an abundance of geographically specific laws and regulations. This is a challenge for environments that are virtualised across a global infrastructure. For example, the EU has stricter laws than the U.S. regarding the collection, processing, transport, and use of personal data. It also prohibits transporting data to countries that lack sufficient data protection laws and practices, so enterprises operating in the cloud must understand where the data is physically located and how it is moved.
The relevance of cloud architectures Consider the following architectures: Configuration 1: A private cloud where company owned infrastructure is virtualised in a single geography and accessed by users in the same geography. Data remains behind the company’s firewall, and the company retains complete possession, custody, and control. From the perspective of the governance stakeholders, the information stored in this cloud is treated like any other information.
Configuration 2: A private cloud where company owned infrastructure is virtualised across multiple geographies and accessed by users around the world. In this case, the information remains under the company’s possession, custody and control, but because the information moves across geographical boundaries, different regulations apply depending on where it is stored. The compliance team will want to ensure that IT knows and can report on exactly what information is where and that the company is complying with all relevant laws and regulations. Configuration 3: A managed private cloud that leverages a vendor’s virtualised infrastructure. In this case, the information is no longer under the company’s possession and custody. However, it does remain under its control. This complicates e-discovery because you still have the obligation to place legal holds and produce relevant information in the event of legal action. The issues for the governance stakeholders include: Does the vendor know and can it communicate exactly where the information is physically located? If the provider is a multinational firm, will it handle your data in a way that is consistent with the various jurisdictions? Will the vendor be able to produce required information in an appropriate format in an appropriate time frame? How is the data backed up? For how long is it stored? Is this consistent with your company’s record retention policies? Can the vendor verify data destruction and stop destruction if necessary? Configuration 4: A public cloud, such as Amazon, Google, Salesforce.com, and Facebook. While from a governance perspective these are similar to a managed private cloud -- no possession or custody, but still a degree of control -- there are additional wrinkles. First, it may be even more difficult to find out exactly where the information is being
physically located. Second, if employees are password protecting their individual accounts, it may compromise the company’s level of control, especially when employees leave the company. For example, if your company is using Facebook for marketing and locks horns with a competitor over a marketing issue, you’ll be expected to produce all relevant information. However, Facebook is not e-discovery friendly, and you won’t have access to information in a former employee’s password protected account. But you may have had a duty to preserve or a duty to produce when you did have control. Since Facebook will fight to quash a subpoena in civil litigation, your company would need to subpoena the former employee directly. As a result, it’s extremely important for organisations to understand a public cloud vendor’s contractual obligations (and not just click to accept a user agreement without reading it) before using the service. The company should also have strict controls over the types of information and communications that are permitted on and across the cloud service. Here’s another real world example. A software company used a cloud vendor to store the requirements for its customised software projects. A client sued the company claiming that the delivered software did not meet requirements. It soon became clear that the software company would need to produce all the relevant planning and design documents that were stored on the online system. The company had “control” over this information and therefore a clear duty under FRCP to produce it. First, the company looked for a way to export the tens of thousands of germane entries. The only way to do this, however, was to export one document at a time. Next, the software company contacted the cloud vendor. Although the vendor had no contractual obligation to cooperate, it eventually The Chief Technology Officer Forum
cto forum 21 november 2011