LEGAL ISSUES: CONTRACTS AND ELECTRONIC DISCOVERY
This domain provides an overview of selected issues and it is not a substitute for obtaining legal advice.
This domain will address the following topics:
I) Summary of specific legal issues raised by moving data to the cloud
II) Considerations for a cloud services agreement
III) Special issues raised by e-discovery
3.1 Legal Issues
In many countries throughout the world, numerous laws, regulations, and other mandates require public and private organizations to protect the privacy of personal data and the security of information and computer systems.
a) OECD - Organization for Economic Cooperation and Development
b) APEC - Asia Pacific Economic Cooperation
c) EEA - European Economic Area
d) EU Directive 95/46/EC
1) In Japan, the Personal Information Protection Act requires the private sectors to protect personal information and data securely.
Example : In the healthcare industry, profession-specific laws, such as the Medical Practitioners' Act, the Act on Public Health Nurses, Midwives and Nurses, and the Pharmacist Act, require registered health professionals for confidentiality of patient information.
2) Organizations that do business in the United States may be subject to one or more data protection laws. The laws hold organizations responsible for the acts of their subcontractors.
3) Government agencies, such as the Federal Trade Commission (FTC) or the State Attorneys General have consistently held organizations liable for the activities of their subcontractors.
4) The Payment Card Industry (PCI) Data Security Standards (DSS), which apply to credit card data anywhere in the world, including data processed by subcontractors has similar requirements.
The following sections provide examples of legal issues that may arise in connection with the transfer of personal data to the cloud or the processing of personal data in the cloud.
3.2 Contract Considerations
It is prudent, and may be legally required, that the data custodian and the cloud provider enter into a written (legal) agreement that clearly defines the roles, expectations of the parties, and allocates between them the many responsibilities that are attached to the data at stake.
3.2.1 Due Diligence
Before entering into a cloud computing arrangement, a company should evaluate its own practices, needs, and restrictions, in order to identify the legal barriers and compliance requirements, associated with a proposed cloud computing transaction
For example, it should determine whether its business model allows for the use of cloud computing services, and under which conditions.
The nature of its business might be such that any relinquishment of control over the company data is restricted by law or creates serious security concerns.
3.2.2 Contract
The parties must enter into a written contract. Depending on the nature of the services, the contract may commonly be in the form of a click-wrap agreement, which is not negotiated; or the parties may negotiate a more complex written document that is tailored to the specific situation.
1) If a click-wrap agreement is the only agreement available, the cloud service client should balance the risks from foregoing negotiations against the actual benefits, financial savings, and ease of use promised by the cloud service provider.
2) Detailed, comprehensive provisions, addressing the unique needs and risks of operating in a cloud environment, should be negotiated.
3) If issues are not addressed in the contract, the cloud service customer should consider alternate means of achieving the goal, an alternate provider, or not sending the data to the cloud.
For example, if the cloud service customer wishes to send HIPAA-covered information to the cloud, the customer will need to find a cloud service provider that will sign a HIPAA business associate agreement or else not send that data to the cloud.
3.2.3 Monitoring, Testing and Updating
Cloud Audit and Cloud Trust Protocol are two mechanisms to automate monitoring and testing of cloud supply chains. In addition, the ITU-T is working on an X.1500 Cloud Auditing specification referred to as CYBEX.
3.3 Special Issues Raised by E-Discovery
This section addresses the unique requirements of litigation in the United States.
U.S. litigants rely heavily on documents when arguing their case.
It must not only provide the documents that are favorable to its case, but also the documents that are favorable to the other litigant.
3.3.1 Possession, Custody, and Control
In most jurisdictions in the United States, a party’s obligation to produce relevant information is limited to documents and data within its possession, custody or control.
1) Hosting relevant data at a third-party, even a cloud provider, generally does not obviate a party’s obligation to produce information as it may have a legal right to access or obtain the data.
2) However, not all data hosted by a cloud provider may be in the control of a client (e.g., disaster recovery systems, certain metadata created and maintained by the cloud provider to operate its environment).
3) The obligations of the cloud service provider as cloud data handler with regard to the production of information in response to legal process is an issue left to each jurisdiction to resolve
3.3.2 Relevant Cloud Applications and Environment
In certain litigations and investigations, the actual cloud application or environment could itself be relevant to resolving the dispute in the litigation or investigation.
In these circumstances, the application and environment will likely be outside the control of the client and require a subpoena or other discovery process on the provider directly.
3.3.3 Searchability and E-Discovery Tools
Because of the cloud environment, a client may not be able to apply or use e-discovery tools that it uses in its own environment.
3.3.4 Preservation
Generally speaking, in the United States, a party is obligated to undertake reasonable steps to prevent the destruction or modification of data or information in its possession, custody, or control that it knows, or reasonably should know, is relevant to a pending or reasonably anticipated litigation or government investigation.
1) Depending on the cloud service and deployment model that a client is using, preservation in the cloud can be very similar to preservation in other IT infrastructures, or it can be significantly more complex.
2) In the European Union, information preservation is governed under Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006.
3) Japan, South Korea, and Singapore have similar data protection initiatives.
4) Within South America, Brazil and Argentina have the Azeredo Bill, and the Argentina Data Retention Law 2004, Law No. 25.873, 6 February 2004, respectively.
1) What are the ramifications of this under the service level agreement (“SLA”)?
2) What happens if the preservation requirements outlast the terms of the SLA?
3) If the client preserves the data in place, who pays for the extended storage and at what cost?
4) Does the client have the storage capacity under its SLA?
5) Can the client effectively download the data in a forensically sound manner so it can preserve it off-line or near-line?
Absent good cause or a specific need, a requesting party is only entitled to data that is hosted in the cloud that contains relevant information, not all the data in the cloud or in the application.
However, if the client does not have the ability to preserve relevant information or data in a granular way, it may be required to over-preserve in order to effect reasonable preservation, depending on the litigation or investigation.
The burden of preserving data in the cloud may be relatively modest if the client has space to hold it in place, the data is relatively static, and the people with access are limited and know to preserve it.
1) However, in a cloud environment that programmatically modifies or purges data, or one where the data is shared with people unaware of the need to preserve, preservation can be more difficult.
2) After a client determines that such data is relevant and needs to be preserved, the client may need to work with the provider to determine a reasonable way to preserve such data.
Because of the potential lack of administrative control a client has over its data in the cloud, collection from the cloud can be more difficult, more time-consuming, and more expensive than from behind a client’s firewall.
In particular, a client may not have the same level of visibility across its cloud data, and it may have more difficulty comparing the data it has collected with the data in the cloud to determine that export was reasonably complete and accurate.
In most cases, a client’s access to its data in the cloud will be determined by its SLA. This may limit its ability to collect large volumes of data quickly and in a forensically sound manner (i.e., with all reasonably relevant metadata preserved).
1) Clients and cloud providers are well served to consider this issue early and establish a protocol (and a cost) for extraordinary access in the case of litigation and investigations to allow for collection.
2) Absent these agreements, clients should consider the extra time and cost implicated by collection in the cloud when making representations to requesting parties and courts.
Related to access and bandwidth, but different.
1) Clients’ right of access may provide them access to a full range of data, but not provide them the degree of functionality that would best assist them in a given situation.
2) By way of example, a client may have access to three years of retail transactional data, but may only be able to download data two weeks at a time due to functionality constraints. Moreover, a client may not have full view into all the metadata that actually exists, but rather only a more limited degree of metadata.
Bit-by-bit imaging of a cloud data source is generally difficult or impossible
1) For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multi-tenant environment where a client could gain access to other clients’ data.
2) Even in a private cloud, forensics may be extremely difficult, and clients may need to notify opposing counsel or the courts of these limitations.
3) Luckily, forensics is rarely warranted in cloud computing, not because it is cloud computing, but because it is usually a structured data hierarchy or virtualization that does not lend itself to forensic analysis.
2) In the European Union, information preservation is governed under Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006.
3) Japan, South Korea, and Singapore have similar data protection initiatives.
4) Within South America, Brazil and Argentina have the Azeredo Bill, and the Argentina Data Retention Law 2004, Law No. 25.873, 6 February 2004, respectively.
3.3.4.1 Costs and Storage
Preservation can require that large volumes of data be retained for extended periods.1) What are the ramifications of this under the service level agreement (“SLA”)?
2) What happens if the preservation requirements outlast the terms of the SLA?
3) If the client preserves the data in place, who pays for the extended storage and at what cost?
4) Does the client have the storage capacity under its SLA?
5) Can the client effectively download the data in a forensically sound manner so it can preserve it off-line or near-line?
3.3.4.2 Scope of Preservation
Absent good cause or a specific need, a requesting party is only entitled to data that is hosted in the cloud that contains relevant information, not all the data in the cloud or in the application.
However, if the client does not have the ability to preserve relevant information or data in a granular way, it may be required to over-preserve in order to effect reasonable preservation, depending on the litigation or investigation.
3.3.4.3 Dynamic and Shared Storage
The burden of preserving data in the cloud may be relatively modest if the client has space to hold it in place, the data is relatively static, and the people with access are limited and know to preserve it.
1) However, in a cloud environment that programmatically modifies or purges data, or one where the data is shared with people unaware of the need to preserve, preservation can be more difficult.
2) After a client determines that such data is relevant and needs to be preserved, the client may need to work with the provider to determine a reasonable way to preserve such data.
3.3.5 Collection
Because of the potential lack of administrative control a client has over its data in the cloud, collection from the cloud can be more difficult, more time-consuming, and more expensive than from behind a client’s firewall.
In particular, a client may not have the same level of visibility across its cloud data, and it may have more difficulty comparing the data it has collected with the data in the cloud to determine that export was reasonably complete and accurate.
3.3.5.1 Access and Bandwidth
In most cases, a client’s access to its data in the cloud will be determined by its SLA. This may limit its ability to collect large volumes of data quickly and in a forensically sound manner (i.e., with all reasonably relevant metadata preserved).
1) Clients and cloud providers are well served to consider this issue early and establish a protocol (and a cost) for extraordinary access in the case of litigation and investigations to allow for collection.
2) Absent these agreements, clients should consider the extra time and cost implicated by collection in the cloud when making representations to requesting parties and courts.
3.3.5.2 Functionality
Related to access and bandwidth, but different.
1) Clients’ right of access may provide them access to a full range of data, but not provide them the degree of functionality that would best assist them in a given situation.
2) By way of example, a client may have access to three years of retail transactional data, but may only be able to download data two weeks at a time due to functionality constraints. Moreover, a client may not have full view into all the metadata that actually exists, but rather only a more limited degree of metadata.
3.3.5.3 Forensics
Bit-by-bit imaging of a cloud data source is generally difficult or impossible
1) For obvious security reasons, providers are reluctant to allow access to their hardware, particularly in a multi-tenant environment where a client could gain access to other clients’ data.
2) Even in a private cloud, forensics may be extremely difficult, and clients may need to notify opposing counsel or the courts of these limitations.
3) Luckily, forensics is rarely warranted in cloud computing, not because it is cloud computing, but because it is usually a structured data hierarchy or virtualization that does not lend itself to forensic analysis.
3.3.5.4 Reasonable Integrity
A client subject to a discovery request should undertake reasonable steps to validate that its collection from its cloud provider is complete and accurate, especially where ordinary business procedures are unavailable and litigation-specific measures are being used to obtain the information.
This process is separate and apart from verifying, that the data stored in the cloud is accurate, authenticated, or admissible.
3.3.5.5 Not Reasonably Accessible
Because of differences in how a client’s data is stored and the client’s access rights and privileges, not all of a client’s data in the cloud may be equally accessible.
The client (and the provider) should analyze requests for information and the pertinent data structure for relevance, materiality, proportionality and accessibility.
3.3.6 Direct Access
Outside of the cloud environment, a requesting party’s direct access to a responding party’s IT environment is not favored.
3.3.7 Native Production
Cloud service providers often store data in highly proprietary systems and applications in the cloud that clients do not control.
Production of data in this native format may be useless to requesting parties, as they will not be able to understand the information produced
In these circumstances, it may be best for all concerned – requesting party, producing party, and provider – that the relevant information be exported using standard reporting or exporting protocols that exist within the cloud environment.
3.3.8 Authentication
Authentication in this context refers to forensic authentication of data that is admitted into evidence.
1) This should not be confused with user authentication, which is a component of Identity Management.
2) Storing data in the cloud does not affect the analysis for authentication of the data to determine if it should be admitted into evidence.
3) The question is whether the document is what it purports to be.
4) An e-mail is no more or less authentic because it was stored behind a company’s firewall or was stored in the cloud.
5) The question is whether it was stored with integrity and the court can trust that it has not been altered since it was sent or received.
3.3.9 Admissibility and Credibility
Absent other evidence, such as tampering or hacking, documents should not be considered more or less admissible or credible merely because they were created or stored in the cloud.
3.3.10 Cooperation between Provider and Client in e-Discovery
It is in the best interests of both providers and clients to consider the complications caused by discovery at the beginning of their relationship and to account for it in their SLAs.
1) Providers may want to consider designing their cloud offerings to include discovery services to attract clients (“Discovery by Design”).
2) In any event, clients and providers should consider including an agreement to reasonably cooperate with each other in the event of discovery requests against either.
3.3.11 Response to a Subpoena or Search Warrant
The cloud service provider is likely to receive, from third parties, a request to provide information, in the form of a subpoena, a warrant, or court order in which access to the client data is requested.
1) The client may want to have the ability to fight the request for access in order to protect the confidentiality or secrecy of the data sought.
2) To this end, the cloud services agreement should require the cloud service provider to notify the company that a subpoena was received and give the company time to fight the request for access.
3) The cloud service provider might be tempted to reply to the request by opening its facilities and providing the requestors with whatever information is identified in the access request.
4) Before doing so, the cloud service provider should ensure that the request is in good order, and uses the appropriate legal method.
5) The cloud service provider should carefully analyze the request before disclosing information in its custody.
6) Complex laws apply depending on the specific nature of the information, its location, etc.
a) For example, different rules apply for requesting access to the content of an email, depending on whether or not the email has been opened, and how long the email has been stored.
b) Different rules apply if the information requested is the content of the email, or only the transactional data about the email (e.g., when sent, to whom, etc.).
-== || END || ==-
No comments:
Post a Comment