7 min read

SaaS and E-Discovery Dangers 2

Here's how to meet your legal obligations when your data lives in the cloud.
Litigation may be the last thing on IT's mind as it evaluates software-as-a-service options for the enterprise. Unfortunately, litigation and e-discovery--the act of finding, preserving, and analyzing electronic information--are facts of life. If your company gets dragged into a lawsuit and relevant information is stored inside a provider's cloud, you need to know that information is available on demand.

That's why IT should add e-discovery criteria to its list of considerations when evaluating SaaS providers, particularly when looking at services such as hosted e-mail and e-mail archiving, PC and file-share backups, and other information sources that create a legal data trail. No company wants to find that a SaaS application it purchased to streamline operations suddenly has become a major hurdle to its e-discovery obligations.

Fortunately, many of the criteria, including storage and performance, that IT already uses to evaluate SaaS providers can be applied to e-discovery. However, there also are e-discovery-specific requirements that must be considered, such as fine-grained control over retention and disposition of data, and the ability to quickly retrieve information from the service provider's system.

We'll examine how e-discovery issues align with--and depart from--common SaaS requirements, and outline contractual issues SaaS buyers must consider to ensure they can meet their e-discovery obligations.

Beyond Storage

IT expects good service availability levels and robust, secure data storage capabilities from SaaS providers. Availability and storage also make sense for e-discovery. After all, for any company to conduct a thorough e-discovery exercise, it must have regular and reliable access to its data and be assured the provider is protecting that data.

But when it comes to e-discovery, IT should look beyond basic storage to consider more fine-grained controls over information stored in a provider's facilities.

That's because archive processes, data retention policies, and e-discovery form a virtual Gordian knot of entwined requirements and implementation details: Change one element and you invariably affect the other two. Nowhere is this more apparent than when storing data in the cloud, where a company's most carefully considered document retention strategy could be sabotaged by sloppy operational processes. When using SaaS, it's imperative that the provider be able to enforce your internal retention policies.

There are two powerful reasons for this from an e-discovery perspective. First, IT must ensure a provider can securely delete and destroy data in accordance with its document retention standards. That's because, in general, companies aren't obligated to produce electronically stored information (ESI) if it has been disposed of according to explicit and enforceable disposition policies. In-house counsel will typically advocate for the destruction of information once all legal, regulatory, and business requirements for its existence expire.

chart: How comfortable are you with the data ownership aspects of SaaS?

This is particularly true for e-mail and other electronic communications. Often, the largest, most dynamic (and potentially most damaging) data set is archived e-mail. Attorneys dread the prospect that a senior executive's sensitive or inopportune e-mail might still be spinning around on a SaaS provider's disks, waiting to be unearthed by a legal adversary.

As companies realize its inculpatory potential, they often dial back retention times, sometimes to as short a period as 90 days. Thus, service-level agreements must specify the provider's policies for securely destroying different data types in accordance with your retention standards.

Data Preservation

But there's also a flip side to deletion: It's an important legal concept known as the "litigation hold" or "legal hold." This is an obligation, dating from common law, to preserve documents and information that might be relevant to pending litigation. In the case of ESI, this means once notified of a pending suit, usually via a summons or other formal complaint, the accused has a duty to preserve relevant data from destruction under otherwise normal document retention and disposal policies.

Courts don't look favorably on litigants that have failed to preserve ESI. Thus, it's imperative that a SaaS provider have a legal hold feature that can override standard deletion policies for selected documents. IT should work with legal to ensure that the provider's capability for legal holds will meet counsel's requirements.

Performance And Availability

Other common points of concern when considering a move to the cloud are application performance and data availability. Performance and availability also will affect a customer's ability to quickly access all the required data archives in an e-discovery exercise. This is important because e-discovery projects can arise suddenly, with courts and regulators demanding information on tight schedules. Given the rate at which online archives can grow, users need guarantees as to how long it will take to make an entire data set available.

9 Steps To E-Discovery
1. Information management: Create a retention policy
2. Identification: Find relevant data
3. Preservation: Store data against loss
4. Collection: Aggregate relevant data
5. Processing: Apply metadata and tags to the data
6. Review: Examine and organize the data
7. Analysis: Cull essential data
8. Production: Prepare data in legal formats
9. Presentation: Share data in court
Data: Electronic Discovery Reference Model

The cost to recover this data also can be an issue. Mark Yacano, executive VP at the law firm Hudson Legal, cautions buyers not to assume that recovering all data is free. Contracts must specify who bears the cost of data retrieval, particularly for old and infrequently accessed information. This is particularly important for litigation that may cover a period of several years.

Data recovery considerations go beyond just cost. SaaS contracts should also cover what data formats and recovery processes are used. For example, are there means to pull the data back over the cloud or do you get a box of tapes? Whatever the scenario, clarify with the provider how long it takes to recover a set amount--say, 1 TB--of data.

Data Ownership

Given the inherently litigious and sensitive nature of e-discovery data, SaaS customers must exercise added caution around data ownership. Specifically, Yacano says, they need contractual assurance that they maintain ownership of their data and can recover it on demand. Of course, this should be part of any standard contract, but it takes on added weight if a customer finds itself fighting a lawsuit and needs fast access to the data.

Another issue concerns liability for failure to produce information due to inadvertent destruction, a legal concept known as "spoliation." There's an inherent conflict of interest here, Yacano says. The SaaS provider will seek to limit its exposure to potential legal sanctions regarding inadvertent data destruction, while customers want as broad a definition of liability as possible.

A 2006 amendment to the Federal Rules of Civil Procedure includes a safe harbor indemnification provision that states: "Absent exceptional circumstances, a court may not impose sanctions under these rules on a party for failing to provide electronically stored information lost as a result of the routine, good-faith operation of an electronic information system." Unfortunately, this provision is sufficiently ambiguous that it's far from settled law, Yacano says, so it's better to specifically address spoliation issues in a service contract.

Required By Law

The growing adoption of SaaS applications means more critical business records live outside the corporate perimeter and the direct oversight of corporate IT and legal departments. But having this data off site doesn't relieve a company of its legal obligations.

It's important to evaluate a SaaS provider to confirm that it can meet your e-discovery needs, such as legal holds, in addition to typical SaaS requirements. In many cases, the two will overlap, so a reasonable amount of foresight and planning now can ensure that if you are hit by a lawsuit, you won't regret your decision to expand into the cloud.

Kurt Marko spent 15 years as an IT engineer at Hewlett-Packard. Write to us at [email protected]