E-Discovery and the CloudE-Discovery and the Cloud

UNCC Cloud Computing SymposiumApril 25, 2012

Today’s Outline

• E-Discovery Overview and the Preservation Requirement

• E-Discovery in the Cloud• Contracts with Cloud Providers• Lawyers using the Cloud• E-Discovery Vendors using the Cloud• Q & A

Please feel free to ask questions.

Time will be reserved toward the end of the presentation to ask questions, but please raise your hand during the presentation if

you’d like to pose a question. ??

Introduction to E-Discovery

• 2006 Federal Rules Change• Discovery of Electronically Stored Information

(“ESI”)• Preservation Duties and Legal Holds• Production and Metadata lssues

Document Preservation

• Duty to preserve arises when there is a claim.• Absent claim, business reasons and

compliance laws dictate what is retained.• Preservation duty extends to all documents

within a parties’ “posession, custody or control”. Fed. R. Civ. P. 34(a)(1).

• Cloud USER, not PROVIDER, has responsibility to preserve and produce data.

Emerging Area of Concern

• 98% of new records are electronic

• Most lawsuits involve some ESI (at least e-mails)

• Deloitte 2010 survey found only 9% of companies were “well-prepared” to capture and store cloud data.

Where do we look for guidance:

• Sedona Conference, including working paper on cloud computing

• Federal and State Rules• Recent Case Law

New E-Discovery Rules in NC

• Rules Effective October 1, 2011• Either side can request a Discovery Plan• Some metadata must presumptively be

produced:– Date sent– Date received– Author– Recipients– Other metadata is presumptively out

Discovery 2.0

Early Case AssessmentPreservation Protocols Automated HoldsSamplingPredictive Coding

Tomorrow is Just a Day Away ….

E-Discovery Issues in the Cloud

• Data Storage• Retrieval• Format• Metadata• Location / Jurisdiction• Both Time and Cost are critical for each step

must be evaluated

Contract Negotiation Points• Performance measures in Service Level

Agreements (“SLAs”)• Data encryption, with algorithm / key length• Data retention and destruction• Audit rights• Retrieval• Prohibition on data use (i.e. they can’t use or

share)• Liability for theft or loss of data

Negotiating SLAs

• Tailor SLA to the application.• For legally sensitive information, SLA should include:

– Error severity definition– Minimum response time guarantees– Escalation procedures– Data return, including format & metadata– Notice before disclosure in response to subpoena

or other request

E-Discovery in the Cloud

• Rackspace.com and Amazon do not provide E-Discovery support.

• Some vendors (e.g. X1 Discovery) claim to be able to search enterprise data across an Infrastructure as a Service (“IaaS”) cloud.

• Otherwise, the cloud data may need to exported for preservation and review.

• Consider simulating an e-Discovery event before litigation arises.

E-Discovery Questions for Cloud Providers

• What analytical tools are available to search/organize the cloud data for relevance?

• How will the identified data be collected?• What metadata is available for analysis or

production?• What forms of production outside the Cloud

are available?• Costs of these steps?

What about Free Cloud Providers?

• Highest levels of use.– Gmail, YouTube, Facebook, Google Docs, Hotmail,

Windows Live, Drop Box, Evernote, Acrobat.com– 4 million businesses use Google Apps– Standard Terms of Service (TOS) are non-negotiable and

subject to change– Some effort to make collection easier (“Download my

Facebook” and Gmail export). However, not all data (and metadata) necessarily gets downloaded.

The Stored Communications Act

• Most cloud service providers are covered• Covered providers may not release

communications even when served with a subpoena

• May only do so with “lawful consent” of subscriber

• Proper course is to direct subpoena / document request to subscriber

International Concerns

• It is possible the law of current “site” of the data will apply regarding release/disclosure.

• May be difficult or impossible to determine where cloud data “resides.”

• Privacy rules vary considerably, especial for European Union countries.

• Business Software Alliance (“BSA”) published a Global Cloud Computing Scorecard this year reviewing 24 countries. Japan was #1.

The Cloud Ate My Homework !

• Do litigants face spoliation sanctions for data lost by a cloud provider?

Lost Data

• No cases yet• Test will likely turn on whether the litigant

and/or the Cloud provider too reasonable steps to prevent spoliation.

• Proof of diligence at time of decision to move to the Cloud will be important.

Cloud Case Law

• There isn’t much!• 19 federal cases mention “cloud computing”, but

none deal with discovery issues.• Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich.

2008)(“a request for production need not be confined to documents or other items in a party's possession, but instead may properly extend to items that are in that party's "control.“)

Cases

• Suzlon Energy, Ltd. v. Microsoft Corp., 671 F.3d 726 (9th Cir. 2011)– Electronic Communications Privacy Act (ECPA)

applies to production of e-mails of a non-US national if the e-mails are stored on a US server

Lawyers are in the Clouds

• As of November 2011 survey by American Lawyer, 65% of law firms use cloud computing and 47% report increased usage.

• E-Discovery and litigation support lead the way.

• E-mail, HR and storage also used.• Security is the biggest concern.

Lawyers and the Cloud

• Bar Associations are getting involved• Iowa Ethics Opinion September 9, 2011:

– Lawyers must take “reasonable precautions” to protect client data.

– Unfettered access required for SaaS data– Due Diligence on the provider, including location– Terms of end user’s licensing agreement (ELUA)

• Limitations of liability• Forum selection• Data rights

Lawyers and the Cloud

– Financial Obligations (what happens to data if there is a default)

– Termination and Retrieval– Password Protection– Data Encryption available?

E-Discovery Vendors are using the Cloud

• Huge volumes of data• Autonomy (now an HP company) has over 40

petabytes (40 million gigabytes) of data stored in the cloud, with hot site backup.

• Autonomy offers direct collection to the cloud.

VI. Q&A

Mark P. HenriquesWomble Carlyle Sandridge & Rice, LLP

301 S. College Street, Suite 3500Charlotte, NC 28262

Mhenriques@wcsr.com 704-331-4912

Bonus Material

• Negotiating Cloud Contract Terms

Legal Commonalities Between SaaS and Software Licensing

How do licensing transactions and SaaS transactions approach

overlapping issues they both face?

Quick overlap summary…

Software License Contracts Also addressed in a cloud deal?

Identification of subject matter to be provided

Yes, but distinguishable

Delivery of materials into customer possession

No delivery of software. (Exceptions apply.)

Rights to Use – license to install copy(ies), operate for internal use, etc.

Yes, but right to access only

Other affirmative grants – rights to distribute? Modify? Create derivative works?

N/A (usually)

Clarification of IP rights (reservations of rights, exclusion of implied licenses)

Yes

Contractual restrictions on use Yes

Quick Overlap Summary

Software License Contracts Also addressed in a cloud deal?

Ancillary services – installation, configuration, custom development, support, maintenance

•Yes, but differences•Custom development in multi-tenanting?•Yes, ongoing support and maintenance

Source Code escrow Not usually, often ineffective

Economic terms Yes, deal specific

Allocations of Risk: Warranties… Yes

Allocations of Risk: Indemnities Yes

Allocations of Risk: Limitations of Liability Yes

Duration of Usage; Termination Yes

Miscellaneous (governing law, etc.) Yes

Economic Terms – Software v. SaaS

• Most common economic models for enterprise software licenses also apply to SaaS models (except one-time fees for perpetual rights), including:– Fee per period of time– Fee per transaction (unit processed)– Fee per user– Revenue share

• Whenever fees are indeterminate at the time of contracting, one party will need to track relevant metrics in order to calculate amounts due. Applies to both software and SaaS models.

• Which party is in the position to track the relevant metrics? The party hosting the remote system? How measured? When? What if calculations are disputed? Record-keeping requirements?

• Must support be purchased? Because SaaS is inherently time-limited, are support and maintenance included in the access purchase?

• Implementation and other services are usually addressed independently.• Price escalation over time? Rate of increase capped?

Exclusions and Limitations of Liability: Software v. SaaS

• Commonly, limitations of liability exclude the possibility of seeking monetary damages in the nature of “indirect, incidental, or consequential” damages.

• In the cloud, certain risks predictably result in “indirect” damages, such as the damages suffered by a customer when a vendor discloses or destroys the customer’s confidential, hosted data. – What if, e.g., an individual sued a hospital after the hospital’s SaaS vendor

released some patient-specific health-related data to the world? Would the damages suffered by the hospital as a result of the lawsuit be considered “indirect”? Could the hospital recover from the vendor if the contract excluded recovery for “indirect, incidental, or consequential” damages?

– Take-away: When vendor hosts sensitive customer data, heightened attention should be paid to the customer’s available contract remedies.

• Dollar caps on liability exposure are usually addressed similarly in both software license agreement and SaaS contracts.

Duration of Contract: Software v. SaaS

• Software:– May be perpetual– Often time-limited, renewable– Support, etc. may have separate, independent term of

commitment, renewable by mutual agreement• SaaS:

– Should always be time-limited subscription, never perpetual

– From vendor perspective, auto-renewal should not be perpetual

– Many breaches are subject to liquidated damages (e.g., SLA credits) instead of termination – often the very point of service level agreements

General Terms: Software v. SaaS

• Careful attention should be paid to common boilerplate– Assignability?– Governing law? (e.g., Virginia and Maryland are

UCITA states where SaaS constitutes “Access Contracts”)

– Surviving obligations (e.g., data migration)?

IV. What’s so special aboutthe cloud?

Legal Particularities and SaaS-specific Issues in SaaS Contracts

Service Level Agreements

• The “SLA” often serves the functions traditionally served by warranties in software license contracts.

• Uptime guarantees– What percentages are acceptable?– How is it measured?– Who’s monitoring it?

• Remedies– Service Credits– Termination/Refunds– Source Code Escrow

• Performance/functionality warranties

Who’s Behind the Curtain?

• Vendor• Third Party Providers to the Vendor

– Data centers– Third-party Software (APIs, embedded tools)– Third-party content providers– Data processors– Outsourced support

Who’s behind the curtain?

CustomerVendor of

Aggregated Functionality

Vendor of Aggregated

Functionality

Sub-Vendor of

Particular Function

Sub-Vendor of

Particular Function

Sub-Vendor of

Particular Function

3rd Party Data

Source

3rd Party Data

Source

3rd Party Data Source

3rd Party Data Source Sub-Vendor

of Particular Function

Sub-Vendor of

Particular Function

Customer Data

Customer Data

Other Issues for Further Discussion

• Information Security / Privacy– HIPAA, GLB, FERPA, EU Privacy Directive

• Acceptance testing?• Disaster recovery and redundancy• Implementation challenges• Customer access to hosted data (when, how,

post-termination, transitional assistance?)

Strategies and Best Practices

• SaaS is still new enough that there’s a high degree of concern (bad) despite a low occurrence of problems (good)

• Choose your SaaS partners wisely and have a replacement vendor in your back pocket

• The best term to fight for is some sort of early termination for extreme downtime or (ideally) convenience– Term for convenience should include repayment of

sunk/unrecoverable costs but not profits (if possible)