The unruly use and management of cloud services have complicated companies' e-discovery processes, since their data now sit in different third-party data centers. Organizations remain responsible for such information though, and will have to work closer with cloud service providers to ensure data compliance is kept.
Barry Murphy, co-founder and principal analyst at E-Discovery Journal (eDJ) Group, said the rising enterprise adoption of software-as-a-service (SaaS) and social media meant a lot of different corporate data are being stored on third-party data centers.
This makes e-discovery a potentially huge and complicated challenge for organizations, he added.
Rosemary Lee, counsel for technology media telecommunications (TMT) group at Pinsent Masons MPillay, agreed. She said the main reason why cloud computing complicates e-discovery processes and compliance is because customers' corporate data are being held by third-party cloud service providers (CSPs).
As such, customers may encounter difficulties in accessing or retrieving the relevant digital records if their CSP does not have the necessary backup or cannot easily facilitate the retrieval request on demand, particularly when it involves legal proceedings which have deadlines, Lee explained.
Steve Hodgkinson, IT research director at Ovum, also pointed out companies cannot assume data retrieval from cloud services will be easy and quick since these services, as with any utility service, are liable to be disrupted at any moment.
And it is not just enterprise-grade cloud services that are a worry. Corporate data hosted on consumer-grade cloud services are also a concern, particularly since the data are usually used by business users, who might not have gotten permission from the company's IT team to use the services, Hodgkinson noted.
The problem, the analyst said, is due to "unprofessional, ad-hoc or rogue cloud adoption" by business users ignorant of e-discovery requirements.
"Consumer cloud services, particularly those that are free, have terms and conditions and operational models that do not necessarily support enterprise e-discovery requirements," he said.
Furthermore, when data gets stored on services such as cloud storage provider Dropbox and there are no formal records detailing the action, there is a chance the organization may not know of this data source should the user leave the company without informing anyone. This makes the data undiscoverable, Hodgkinson added.
No excuse to shun responsibility
Industry watchers were unanimous in stating companies cannot be oblivious of their legal and compliance obligations, and absolve themselves of the responsibility once their information get stored on third-party cloud services.
As long as companies procure and manage their cloud services with proper planning, and have a system in place to keep tabs on where their data resides, they should not be too concerned over the increased use of cloud services within the organization, Hodgkinson said.
Murphy also called on companies to work closely with CSPs to work out the e-discovery details such as what the vendor's policy is for responding to the company's e-discovery needs. The requirements for defensible collection and preservation of electronically stored information (ESI) must be defined from the beginning and worked into the service level agreement (SLA), he added.
This is particularly pertinent for those which have stored data in servers outside the country, as they are still legally obliged to provide discoverable documents even if the information sits overseas, Lee noted.
The lack of focus by CSPs and companies on e-discovery for cloud-based data will have to be addressed eventually. Murphy acknowledged e-discovery and data governance are not "sexy" topics currently, as managing IT budgets and generating revenue remain their top priorities.
"There has yet to be a big story around data in the cloud being challenged and lost. Once that happens, and it will, you can be sure e-discovery in the cloud will be a sexy topic," he stated.