Adoption of Cloud computing continues to gain momentum, impacting every segment of the technology and legal worlds. But with this high-profile trend come high-profile risks. Transitioning all or part of your firm’s e-discovery functions to the Cloud requires navigating often complex issues with the potential to affect your firm’s security, business continuity and compliance, while potentially exposing clients to unnecessary liability.
Cloud computing is a rapidly evolving area of the technology industry that can enable legal technology practitioners and law firms to expand their capabilities and do more with fewer budgetary resources. The Cloud provides access to elastic computing and processing power that can fuel everything from traditional productivity applications, such as word processing, personnel management and presentation development, to sophisticated business applications, including data mining, sales automation and content management. With its robust capabilities, the Cloud can also serve as a platform for social media, web conferencing and video streaming.
Not surprisingly, in view of its burgeoning popularity, IT industry forecasts predict strong growth in all segments of Cloud services in the next three years, including IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service).
Even Federal Government agencies known for a conservative approach to new technologies are seeking ways to leverage the power of the Cloud. The Federal Risk and Authorization Management Program, known as FedRAMP, will standardize the security assessments of Cloud products and services across government entities in order to avoid unnecessary duplication and deliver significant savings. Clearly, as adoption expands to every part of the legal landscape, Cloud computing moves closer to becoming a widely accepted solution in both mid- and large-sized law firms.
The promise of Cloud computing lies not only in its potential – represented by vast amounts of computing power and storage – but also in the cost-efficiencies associated with a scalable system that utilizes shared or virtual resources to deliver long-term, sustainable economic benefits. In the Cloud, each user can access the capacity and processing power required to handle the peaks and valleys of demand, without the large capital outlays otherwise needed to cover peak demand.
For all its quantifiable cost- and time-saving advantages, unleashing the power of Cloud computing involves a degree of risk that should not be underestimated by anyone responsible for its management, mitigation or oversight. Due to the legal issues involved, addressing risk in the Cloud often draws in a company’s counsel and senior IT managers, all of whom must be knowledgeable about the hidden issues that can create problems – or even a crisis – at a later date.
The risks associated with Cloud computing can be especially apparent during e-discovery (identifying and securing electronic data as part of a legal action), an area of peak vulnerability for both law firms and clients. This single process can encompass security, data privacy, cross-border legality, compliance and business continuity.
Any discussion of the Cloud needs to begin with information governance policies: the procedures used for the classification of data, data retention, legal holds and data collections. As a result, traditional IT practices now must address the new information landscape and the obligations associated with being the ultimate custodians of electronically stored information (ESI). Under the Federal Rules of Civil Procedure (FRCP), a party to litigation is expected to preserve and be able to produce electronically stored information that is “in its possession, custody or control.” Cloud computing may well add a layer to the mechanisms used to preserve, collect and produce ESI, but these complexities do not absolve any party of its responsibilities.
SaaS (Software as a Service): The capability to use the provider’s applications running on a Cloud infrastructure.
PaaS (Platform as a Service): The capability to deploy end-user-created or acquired applications using programming languages and tools supported by the provider.
IaaS (Infrastructure as a Service): The capability to provision processing, storage, networks, and other fundamental computing resources where the end user is able to deploy and run arbitrary software, which can include operating systems and applications.
As such, IT department managers and compliance officers need to work together with counsel to ensure the technology, policy and procedures in place will consistently safeguard any confidential or privileged information. Additionally, Security and IT department managers should involve counsel in fine-tuning IT policies and procedures. This allows counsel to formulate a plan should they need to preserve ESI; issue legal holds during discovery; or collect data to respond to an investigation, litigation, dispute or inquiry that demands protection of confidential or privileged information.
However, enforcing business policies and procedures to achieve compliance across these offerings varies by industry requirements, i.e., Sarbanes-Oxley, HIPAA (Health Insurance Portability and Accountability Act), and PCI-DSS (Payment Card Industry Data Security Standard). Sound information governance policies and procedures, user education and other measures are critical for managing the costs of achieving key compliance measures and allowing a law firm and its clients to effectively respond to e-discovery requests.
With news headlines announcing breaches of online security with stunning regularity, it’s not surprising that security is perceived as the number one barrier to Cloud computing’s wider adoption. Yet, according to one research study, while 78% of business and organization leaders recognize that security and data privacy are part of their responsibilities, 22% are unaware this is part of their role.
One way to bridge this gulf is to enforce a robust security program that includes strict firewall and access controls, data encryption, perimeter scanning, and intrusion detection. Best practices involve limiting access permissions to inside and outside counsel or authorized personnel involved in the processing, hosting, review and production of the data. This may also extend to paralegals, litigation support or e-discovery specialists, as well as database or system administrators.
Where the data actually resides can significantly affect eventual e-discovery, and the physical location of data storage is fundamental to evaluating Cloud providers. The first question to ask is whether the Cloud will involve unique dedicated storage area networks (private cloud) or shared pools of storage capacity (public cloud) that may be dispersed to different geographical locations throughout the world. The latter approach can mean that a law firm’s client data is shifted to various parts of the globe at the convenience of the data-hosting provider to manage their own internal capacity.
While this may benefit a law firm’s client from a capacity-management standpoint, it may also expose them to needless liability due to previously unknown copies of data. That, in turn, can compromise the client’s ability to adhere to data privacy laws, respond to e-discovery requests or orders to produce ESI within the client’s possession, custody or control.
Once data security and storage are addressed, Cloud computing must then be viewed from the perspective of data integrity – the identification, preservation, collection and destruction of the data itself. These discussions often begin with the underlying source of the electronically stored information (ESI).
At times, this ESI will be viewed through the lens of more traditional or well-understood forms, such as email and e-files stored on the company’s servers, file shares, laptops or mass storage devices. But ESI can also refer to Cloud data storage, SaaS applications, Cloud email, social media, personal mobile devices and other systems hosted by the Cloud provider. It is important to remember that Cloud data sources will be viewed as identical to client data during e-discovery, regardless of the fact that the data is stored on third-party systems.
The latter sources represent a higher level of complexity, risk and technology hurdles. Take, for example, online messaging, like Twitter, Facebook or blog posts – or Extensible Mark-up Language (XML) based documents or emails that are in a constant dynamic state and subject to change via continuous user interaction. These are far different challenges, and a client may be asked to defensibly testify that the data and underlying metadata were not subject to spoliation (i.e., the willful destruction or failure to preserve evidence) at any point in time.
Clients may also need to be able to assure data integrity of social media and other Cloud sources during an order to preserve, collect and produce data. To do so, the evidence must be authenticated and, in the majority of cases, that means the files, emails and underlying metadata must be kept intact.
The ability to load data and metadata intact is vital to transferring data from the initial collection point to the destination system being used for e-discovery review and production.
Typical e-discovery data loads involve using what are referred to as load files that contain metadata and “tagging” information (i.e., field values coded by a user to provide additional context or categorization). There has been an industry-wide effort to create a standard XML format for e-discovery review and production, which can be accessed at http://www.edrm.net/projects/xml.
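The requirement above, that data and metadata arrive intact at the review system, can be checked mechanically. The following is an added example, not part of the original article: it fingerprints each item at the collection point and re-checks it after the load. The use of SHA-256, the manifest layout, the field names and the sample documents are all assumptions made for illustration, and this is not the EDRM XML format.

```python
import hashlib
import json

def fingerprint(item):
    """Hash content and metadata separately so a mismatch says which one changed."""
    meta = json.dumps(item["metadata"], sort_keys=True, separators=(",", ":"))
    return {
        "content_sha256": hashlib.sha256(item["content"]).hexdigest(),
        "metadata_sha256": hashlib.sha256(meta.encode("utf-8")).hexdigest(),
    }

def build_manifest(items):
    """Run at the collection point: one fingerprint per document ID."""
    return {item["doc_id"]: fingerprint(item) for item in items}

def verify_load(manifest, loaded_items):
    """Run at the review platform: report every deviation from the manifest."""
    findings, seen = [], set()
    for item in loaded_items:
        doc_id = item["doc_id"]
        seen.add(doc_id)
        expected = manifest.get(doc_id)
        if expected is None:
            findings.append((doc_id, "not in collection manifest"))
            continue
        actual = fingerprint(item)
        for field in ("content_sha256", "metadata_sha256"):
            if actual[field] != expected[field]:
                findings.append((doc_id, field + " mismatch"))
    for doc_id in sorted(set(manifest) - seen):
        findings.append((doc_id, "missing from load"))
    return findings

# Constructed sample data (hypothetical, not from the original article).
COLLECTED = [
    {"doc_id": "DOC-0001", "content": b"Quarterly forecast attached.",
     "metadata": {"custodian": "jdoe", "sent": "2012-03-01T09:15:00Z"}},
    {"doc_id": "DOC-0002", "content": b"Status update posted to blog.",
     "metadata": {"custodian": "asmith", "sent": "2012-03-02T14:40:00Z"}},
]
# Simulated load: DOC-0001 had its sent date rewritten, DOC-0002 was dropped.
LOADED = [
    {"doc_id": "DOC-0001", "content": b"Quarterly forecast attached.",
     "metadata": {"custodian": "jdoe", "sent": "2012-03-05T00:00:00Z"}},
]

if __name__ == "__main__":
    for doc_id, problem in verify_load(build_manifest(COLLECTED), LOADED):
        print(doc_id, problem)
```

Hashing content and metadata separately lets the report distinguish a changed file body from a changed metadata field such as a sent date, which matters when only the metadata was altered in transit.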
Unfortunately, technical snafus or issues in the Cloud such as systemic failures, DNS incidents or security breaches don’t result in a free pass when meeting regulatory or opposing counsel’s request for data to be produced in accordance with a systematic process. In the Cloud – as elsewhere – it is always best to protect privileged information proactively, as an ounce of prevention can significantly protect your client.
However, like any legal contract, the language should be reviewed thoroughly as certain aspects of “the fine print” can surprise even veteran IT and legal professionals. As a baseline, your Cloud service provider should communicate in clear, concise terms what will occur in the event of a security or contract breach or data-loss incident. The Cloud service provider must offer a mechanism and/or specific assistance that can help you extract and transfer the data (and metadata) in a format that is useful for e-discovery at an acceptable cost.
The two areas of greatest concern in your provider agreement are getting the data and getting back online. Common industry terms that refer to business continuity planning include Recovery Point Objective (RPO) and Recovery Time Objective (RTO). RPO is the time necessary to restore the client data or address the data loss, while RTO is the time it will take to restore the service after an outage. IT and Legal need to work together to implement a contingency plan for any potential prolonged service disruption.
When leveraged properly, the Cloud can deliver significant business and efficiency benefits to law firms and their clients. Best practices and standards are emerging that will further increase Cloud computing adoption in the legal industry as well as in others. To learn more about the full scope of issues and implications involved in Cloud computing – including collection and preservation of data in the Cloud and cutting-edge solutions for evaluating hybrid (part traditional server/part Cloud) approaches to implementation – please contact FTI Technology at FTITechSales@fticonsulting.com.