Editor: Would you please share with us your professional background?
Jacob: I have over 15 years' experience in information management, especially delivering IT managed services for mid-size and enterprise-sized organizations, and I have spent the last five years in e-discovery. I joined FTI in 2007 and have worked in a product management capacity, especially building solutions around our Ringtail software as a service (SaaS) solution.
Editor: What are the benefits of cloud computing in general, and what particular incentives are there for a firm to move its e-discovery to the cloud?
Jacob: Because cloud computing is a scalable system that harnesses shared or virtual resources, it can deliver vast computing power and storage to users only when they need it – without their having to make the considerable capital outlays associated with bringing such capacity in-house. Some of those larger budget expense items would include data center facilities, security, software, licenses, personnel, etc. With cloud computing there’s the potential for cost savings and reducing the total cost to the ownership.
As for e-discovery in particular, moving e-discovery to a cloud computing provider allows law firms and other companies to focus on what’s core to their business and not have to worry about the many IT and software challenges that come with managing e-discovery in-house.
Editor: What are the risks involved for an organization transitioning its e-discovery to the cloud?
Jacob: The risks around any e-discovery matter begin with understanding the obligations around data, preservation and overall possession of data for the e-discovery process, which don't change whether you’re collecting from the cloud or from someone’s laptop. In any context, cloud or otherwise, you must meet your obligations for preservation and collection of data. Cloud computing may add another layer to the mechanisms, but it doesn’t change the underlying obligations of any party to preserve, collect and produce electronically stored information appropriately.
A second risk more specific to moving e-discovery to the cloud arises around data security, including managing access control lists (what users can look at what data) and defending against malicious attacks on your data. A third risk to consider is data privacy, specifically the ability to secure client data – adherence to your jurisdiction’s data privacy rules and regulations is critical. Fourth and most important is maintaining and protecting client data and privileged information.
Editor: Please tell us more about information governance. To what regulations must businesses comply?
Jacob: The most important regulations to consider are the Federal Rules of Civil Procedure (FRCP), which cover discovery. There are also industry-specific regulations to which businesses must comply, for example, Sarbanes-Oxley, the Gramm-Leach-Bliley Act, HIPAA and PCI-DSS (Payment Card Industry Data Security Standard).
Editor: What are some best practices for security and data protection?
Jacob: Best practices for security and data protection really start with knowing first of all who your users are and making sure that you have an authorization policy for accessing client data. It’s wise to limit access permission to inside and outside counsel or personnel authorized to be involved in the processing, hosting, review and production of data, which may include litigation support, e-discovery specialists, and system administrators.
Furthermore, the environment that you’re utilizing must have robust security measures. Make sure that the perimeter is secure – that the network has a strict firewall; that the perimeter is scanned; that intrusion detection devices are employed. In short, leverage the best practices that you can employ with your provider for security. Finally, data storage – as well as the transmission of files – may require a certain level of encryption.
Editor: Please discuss the advantages and disadvantages of cloud storage.
Jacob: There definitely is a geo-location aspect to both private and public clouds that should be considered when choosing a provider. It is essential that an organization knows where its data is located so that it can adhere to the data privacy laws and rules of that jurisdiction. You need to really understand how your private or public cloud provider handles capacity management and data storage provisioning. Can data be moved at will between physical data centers? What about moving data cross-border? If so, is there notification involved? In a private cloud scenario, is the data at a fixed location? Clients should understand the physical location of the hardware hosting the data and the location of client data at all times.
Editor: What else should be considered when selecting a provider? Is there a difference between storage in a private cloud (unique dedicated storage area networks) versus that in a public cloud (shared pools of storage capacity)?
Jacob: The physical location of data storage is important, but so is the method by which the cloud provider allocates the storage. It’s essential to involve IT leaders when selecting a provider, as they will understand the public or private cloud provider storage architecture and whether or not it will ensure data loss prevention, which is especially important if the cloud provider is using shared resources, replication and other technologies to manage the data.
Some providers may use unique storage area networks, while others may use shared pools of storage capacity that are at times geo-dispersed; both may involve moving data between pools at the convenience of the data-hosting provider to manage capacity and storage utilization levels. While this may benefit the client from a capacity management and cost standpoint, it may leave the client exposed with unknown copies of data that could compromise the client’s ability to adhere to data privacy laws, among them, EU Data Protection Directive, and the USA Patriot Act. Geo-dispersal may also hamper a client’s ability to respond to e-discovery requests or orders to produce ESI within the client’s possession, custody or control.
In order to ensure data security and data loss prevention, in multi-tenant environments there should be secure separation of data – and not all cloud providers or e-discovery providers will handle this in the same manner. Clients want to make sure there is no access to their data by other clients or any potential for commingling of data. It's critical to understand how the data is stored to avoid any potential for inadvertent waiver of privilege or exposure to business-critical data including intellectual property.
Editor: Are there any hazards to cloud storage in the context of e-discovery review and production?
Jacob: There are potential pitfalls around acceptable formatting of files. Your ability to extract, transfer and move your data into a format that meets your production obligations depends upon your provider. If you’re in a cloud storage environment in which you don’t have the ability either to preserve metadata or to easily (and at a reasonable cost) get data out of that cloud storage system and produce it in a format that’s acceptable to the court, to the regulatory body involved or to opposing counsel’s specification, you could potentially miss your production obligations, which may lead to sanctions.
Editor: Are you saying that at this point, cloud storage really hasn’t advanced to the point where it can preserve the metadata that a user will likely need to fulfill a discovery request?
Jacob: No, the capability technology is there, but there are so many different cloud storage technologies that clients must do their homework when choosing a provider in order to head off potential hazards. Clients should choose a cloud provider with a grade or level of storage technology that will allow them to meet their e-discovery and production obligations. The provider must be able to deliver data in a format that adheres to the discovery process. Likewise, if you can’t get your data out easily, you will find yourself paying an army of people to extract the information at a high cost.
Editor: Is corporate counsel addressing these concerns with cloud storage?
Jacob: Counsel who collaborate with their IT managers or CIOs certainly are looking at different cloud storage technologies because of the cost benefit, but they’re also seeing that what comes with any savings are the risks associated with data preservation and security; with meeting discovery requests; and with complying with industry-specific regulations. For example, counsel for a bank must be sure that the provider’s retention period meets Sarbanes-Oxley requirements, while a healthcare provider must be confident that all patient information is protected per HIPAA. Again, different storage technologies offer a different level of service.
Editor: It sounds like corporate counsel should collaborate with IT on information governance policy.
Jacob: Absolutely, collaboration is key. Information governance starts with policy and procedure, and both legal and IT should be at the table when creating them. Together they should build a plan, number one, around how data will be stored, retained and classified, should it be subject to discovery or compliance obligation. Number two, they should decide what technologies they should employ to meet discovery and compliance needs. At the end of the day, the input of both general counsel and IT leadership is required to put the appropriate policies and procedures in place.
Editor: What elements should clients be sure are covered when signing a contract with a cloud service provider?
Jacob: Anyone using a cloud service should be looking at the security parameters and measures provided as part of the service level. Clients should negotiate notification compliance within the contract, especially if any third party, including a government or regulatory body, requests access to the data. Also, clients will want to make sure that there is an adequate description of how and where data will be stored, and, in some cases, they will also need a clear articulation of the retention period policy, especially for those organizations that must comply with regulations requiring long-term retention periods.
Another area of concern is business continuity. IT and legal should collaborate on this issue and together implement a contingency plan for any prolonged service disruption.
Editor: Can FTI consultants help?
Jacob: We can certainly provide consulting around litigation preparedness: we can look at the overarching systems that companies use to manage their data for e-discovery. We understand the technical intricacies and legal implications of data preservation and collection as well as the international protection and privacy issues that apply to electronic documents in these contexts. We can help design and implement defensible strategies to preserve, collect and analyze electronically stored information (ESI) regardless of format, language or location.