e-discovery and the cloud
DESCRIPTION
E-Discovery and the Cloud. UNCC Cloud Computing Symposium April 25, 2012. Today’s Outline. E-Discovery Overview and the Preservation Requirement E-Discovery in the Cloud Contracts with Cloud Providers Lawyers using the Cloud E-Discovery Vendors using the Cloud Q & A. - PowerPoint PPT PresentationTRANSCRIPT
E-Discovery and the CloudE-Discovery and the Cloud
UNCC Cloud Computing SymposiumApril 25, 2012
Today’s Outline
• E-Discovery Overview and the Preservation Requirement
• E-Discovery in the Cloud• Contracts with Cloud Providers• Lawyers using the Cloud• E-Discovery Vendors using the Cloud• Q & A
Please feel free to ask questions.
Time will be reserved toward the end of the presentation to ask questions, but please raise your hand during the presentation if
you’d like to pose a question. ??
Introduction to E-Discovery
• 2006 Federal Rules Change• Discovery of Electronically Stored Information
(“ESI”)• Preservation Duties and Legal Holds• Production and Metadata lssues
Document Preservation
• Duty to preserve arises when there is a claim.• Absent claim, business reasons and
compliance laws dictate what is retained.• Preservation duty extends to all documents
within a parties’ “posession, custody or control”. Fed. R. Civ. P. 34(a)(1).
• Cloud USER, not PROVIDER, has responsibility to preserve and produce data.
Emerging Area of Concern
• 98% of new records are electronic
• Most lawsuits involve some ESI (at least e-mails)
• Deloitte 2010 survey found only 9% of companies were “well-prepared” to capture and store cloud data.
Where do we look for guidance:
• Sedona Conference, including working paper on cloud computing
• Federal and State Rules• Recent Case Law
New E-Discovery Rules in NC
• Rules Effective October 1, 2011• Either side can request a Discovery Plan• Some metadata must presumptively be
produced:– Date sent– Date received– Author– Recipients– Other metadata is presumptively out
Discovery 2.0
Early Case AssessmentPreservation Protocols Automated HoldsSamplingPredictive Coding
Tomorrow is Just a Day Away ….
E-Discovery Issues in the Cloud
• Data Storage• Retrieval• Format• Metadata• Location / Jurisdiction• Both Time and Cost are critical for each step
must be evaluated
Contract Negotiation Points• Performance measures in Service Level
Agreements (“SLAs”)• Data encryption, with algorithm / key length• Data retention and destruction• Audit rights• Retrieval• Prohibition on data use (i.e. they can’t use or
share)• Liability for theft or loss of data
Negotiating SLAs
• Tailor SLA to the application.• For legally sensitive information, SLA should include:
– Error severity definition– Minimum response time guarantees– Escalation procedures– Data return, including format & metadata– Notice before disclosure in response to subpoena
or other request
E-Discovery in the Cloud
• Rackspace.com and Amazon do not provide E-Discovery support.
• Some vendors (e.g. X1 Discovery) claim to be able to search enterprise data across an Infrastructure as a Service (“IaaS”) cloud.
• Otherwise, the cloud data may need to exported for preservation and review.
• Consider simulating an e-Discovery event before litigation arises.
E-Discovery Questions for Cloud Providers
• What analytical tools are available to search/organize the cloud data for relevance?
• How will the identified data be collected?• What metadata is available for analysis or
production?• What forms of production outside the Cloud
are available?• Costs of these steps?
What about Free Cloud Providers?
• Highest levels of use.– Gmail, YouTube, Facebook, Google Docs, Hotmail,
Windows Live, Drop Box, Evernote, Acrobat.com– 4 million businesses use Google Apps– Standard Terms of Service (TOS) are non-negotiable and
subject to change– Some effort to make collection easier (“Download my
Facebook” and Gmail export). However, not all data (and metadata) necessarily gets downloaded.
The Stored Communications Act
• Most cloud service providers are covered• Covered providers may not release
communications even when served with a subpoena
• May only do so with “lawful consent” of subscriber
• Proper course is to direct subpoena / document request to subscriber
International Concerns
• It is possible the law of current “site” of the data will apply regarding release/disclosure.
• May be difficult or impossible to determine where cloud data “resides.”
• Privacy rules vary considerably, especial for European Union countries.
• Business Software Alliance (“BSA”) published a Global Cloud Computing Scorecard this year reviewing 24 countries. Japan was #1.
The Cloud Ate My Homework !
• Do litigants face spoliation sanctions for data lost by a cloud provider?
Lost Data
• No cases yet• Test will likely turn on whether the litigant
and/or the Cloud provider too reasonable steps to prevent spoliation.
• Proof of diligence at time of decision to move to the Cloud will be important.
Cloud Case Law
• There isn’t much!• 19 federal cases mention “cloud computing”, but
none deal with discovery issues.• Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich.
2008)(“a request for production need not be confined to documents or other items in a party's possession, but instead may properly extend to items that are in that party's "control.“)
Cases
• Suzlon Energy, Ltd. v. Microsoft Corp., 671 F.3d 726 (9th Cir. 2011)– Electronic Communications Privacy Act (ECPA)
applies to production of e-mails of a non-US national if the e-mails are stored on a US server
Lawyers are in the Clouds
• As of November 2011 survey by American Lawyer, 65% of law firms use cloud computing and 47% report increased usage.
• E-Discovery and litigation support lead the way.
• E-mail, HR and storage also used.• Security is the biggest concern.
Lawyers and the Cloud
• Bar Associations are getting involved• Iowa Ethics Opinion September 9, 2011:
– Lawyers must take “reasonable precautions” to protect client data.
– Unfettered access required for SaaS data– Due Diligence on the provider, including location– Terms of end user’s licensing agreement (ELUA)
• Limitations of liability• Forum selection• Data rights
Lawyers and the Cloud
– Financial Obligations (what happens to data if there is a default)
– Termination and Retrieval– Password Protection– Data Encryption available?
E-Discovery Vendors are using the Cloud
• Huge volumes of data• Autonomy (now an HP company) has over 40
petabytes (40 million gigabytes) of data stored in the cloud, with hot site backup.
• Autonomy offers direct collection to the cloud.
VI. Q&A
Mark P. HenriquesWomble Carlyle Sandridge & Rice, LLP
301 S. College Street, Suite 3500Charlotte, NC 28262
[email protected] 704-331-4912
Bonus Material
• Negotiating Cloud Contract Terms
Legal Commonalities Between SaaS and Software Licensing
How do licensing transactions and SaaS transactions approach
overlapping issues they both face?
Quick overlap summary…
Software License Contracts Also addressed in a cloud deal?
Identification of subject matter to be provided
Yes, but distinguishable
Delivery of materials into customer possession
No delivery of software. (Exceptions apply.)
Rights to Use – license to install copy(ies), operate for internal use, etc.
Yes, but right to access only
Other affirmative grants – rights to distribute? Modify? Create derivative works?
N/A (usually)
Clarification of IP rights (reservations of rights, exclusion of implied licenses)
Yes
Contractual restrictions on use Yes
Quick Overlap Summary
Software License Contracts Also addressed in a cloud deal?
Ancillary services – installation, configuration, custom development, support, maintenance
•Yes, but differences•Custom development in multi-tenanting?•Yes, ongoing support and maintenance
Source Code escrow Not usually, often ineffective
Economic terms Yes, deal specific
Allocations of Risk: Warranties… Yes
Allocations of Risk: Indemnities Yes
Allocations of Risk: Limitations of Liability Yes
Duration of Usage; Termination Yes
Miscellaneous (governing law, etc.) Yes
Economic Terms – Software v. SaaS
• Most common economic models for enterprise software licenses also apply to SaaS models (except one-time fees for perpetual rights), including:– Fee per period of time– Fee per transaction (unit processed)– Fee per user– Revenue share
• Whenever fees are indeterminate at the time of contracting, one party will need to track relevant metrics in order to calculate amounts due. Applies to both software and SaaS models.
• Which party is in the position to track the relevant metrics? The party hosting the remote system? How measured? When? What if calculations are disputed? Record-keeping requirements?
• Must support be purchased? Because SaaS is inherently time-limited, are support and maintenance included in the access purchase?
• Implementation and other services are usually addressed independently.• Price escalation over time? Rate of increase capped?
Exclusions and Limitations of Liability: Software v. SaaS
• Commonly, limitations of liability exclude the possibility of seeking monetary damages in the nature of “indirect, incidental, or consequential” damages.
• In the cloud, certain risks predictably result in “indirect” damages, such as the damages suffered by a customer when a vendor discloses or destroys the customer’s confidential, hosted data. – What if, e.g., an individual sued a hospital after the hospital’s SaaS vendor
released some patient-specific health-related data to the world? Would the damages suffered by the hospital as a result of the lawsuit be considered “indirect”? Could the hospital recover from the vendor if the contract excluded recovery for “indirect, incidental, or consequential” damages?
– Take-away: When vendor hosts sensitive customer data, heightened attention should be paid to the customer’s available contract remedies.
• Dollar caps on liability exposure are usually addressed similarly in both software license agreement and SaaS contracts.
Duration of Contract: Software v. SaaS
• Software:– May be perpetual– Often time-limited, renewable– Support, etc. may have separate, independent term of
commitment, renewable by mutual agreement• SaaS:
– Should always be time-limited subscription, never perpetual
– From vendor perspective, auto-renewal should not be perpetual
– Many breaches are subject to liquidated damages (e.g., SLA credits) instead of termination – often the very point of service level agreements
General Terms: Software v. SaaS
• Careful attention should be paid to common boilerplate– Assignability?– Governing law? (e.g., Virginia and Maryland are
UCITA states where SaaS constitutes “Access Contracts”)
– Surviving obligations (e.g., data migration)?
IV. What’s so special aboutthe cloud?
Legal Particularities and SaaS-specific Issues in SaaS Contracts
Service Level Agreements
• The “SLA” often serves the functions traditionally served by warranties in software license contracts.
• Uptime guarantees– What percentages are acceptable?– How is it measured?– Who’s monitoring it?
• Remedies– Service Credits– Termination/Refunds– Source Code Escrow
• Performance/functionality warranties
Who’s Behind the Curtain?
• Vendor• Third Party Providers to the Vendor
– Data centers– Third-party Software (APIs, embedded tools)– Third-party content providers– Data processors– Outsourced support
Who’s behind the curtain?
CustomerVendor of
Aggregated Functionality
Vendor of Aggregated
Functionality
Sub-Vendor of
Particular Function
Sub-Vendor of
Particular Function
Sub-Vendor of
Particular Function
3rd Party Data
Source
3rd Party Data
Source
3rd Party Data Source
3rd Party Data Source Sub-Vendor
of Particular Function
Sub-Vendor of
Particular Function
Customer Data
Customer Data
Other Issues for Further Discussion
• Information Security / Privacy– HIPAA, GLB, FERPA, EU Privacy Directive
• Acceptance testing?• Disaster recovery and redundancy• Implementation challenges• Customer access to hosted data (when, how,
post-termination, transitional assistance?)
Strategies and Best Practices
• SaaS is still new enough that there’s a high degree of concern (bad) despite a low occurrence of problems (good)
• Choose your SaaS partners wisely and have a replacement vendor in your back pocket
• The best term to fight for is some sort of early termination for extreme downtime or (ideally) convenience– Term for convenience should include repayment of
sunk/unrecoverable costs but not profits (if possible)