The booming popularity of cloud computing has presented new e-discovery challenges for legal and IT teams. The countless cloud repositories and social media sites make it difficult to assess the size of the data and its content. Moreover, traditional collection technologies often can't search, preserve and collect cloud data due to its technical complexities.
Besides the technical hurdles, there are legal ambiguities associated with cloud computing as well. Cloud data is stored and managed offsite by a third party, rather than under the physical control of the company producing the data. Federal Rule of Civil Procedure 34(a) requires litigants to produce electronically stored information (ESI) that is in their “possession, custody, or control" and some argue that cloud data doesn't always meet that definition.
A recent employment discrimination case serves to highlight some of the potential pitfalls of e-discovery involving cloud-based ESI. In Brown v. Tellermate Holdings, Ltd., (S.D. Ohio July 1, 2014), defendants were sanctioned for failing to produce ESI from a popular cloud-based application used for tracking sales activities (read the full ruling here). The Plaintiff's in the case, two former Tellermate employees claimed that their termination was the result of age discrimination, not work performance.
As would be expected, plaintiff's sought discovery of past sales records to show that the terminated employees' work performance was comparable to other workers. The defendants claimed that they couldn't produce the requested ESI on the basis that their contract with the cloud provider prohibited them from doing so. They also argued that since the data was hosted by a third party, any request for discovery should be sent directly to the hosting company and not the defendants themselves. Finally, defendants claimed that historical data in the application was not accessible, only data in real time.
The court found each of these statements to be untrue. To the last point, the court pointed out, somewhat sardonically, that the whole point of the application was to track sales activity over time. Therefore, accessing historical data wasn't only possible but fully essential to the product's purpose. The court also obtained a copy of the contract and found no language “prohibiting" access to the data by defendants. In fact, the contract stated very clearly that data in the application belonged to defendants and it was theirs to control and access as desired. In its ruling, the court framed the discussion in more relatable terms, “Just because, for example, emails in a Google or Outlook account might be kept on a server owned or maintained by the email provider, it does not mean that the information in those emails belongs to the provider – just the opposite."
The next set of blunders involved neglectful preservation efforts. According to the ruling, around the time the Browns were terminated one of the system administrators for the sales application cancelled the Browns' access to the system and transferred the accounts to new users. However, other employees still had access to the applicable records and retained the ability to change or delete information. Defense counsel apparently made no attempt to track down the new users and direct them not to delete or alter any of the information identified in the original preservation request. As a result, counsel couldn't verify the accuracy of the information once it was produced.
Not surprisingly, the case has received a fair amount of attention in the e-discovery community, getting widespread coverage on blogs and industry publications. It was especially nice to see the always insightful Adam Cohen, a Principal with Ernst & Young LLP and past Exterro webcast presenter, weigh in on the case in an article for InsideCounsel. He writes that despite the egregious behavior displayed by the defendants, the case does reveal some important lessons about dealing with cloud data in e-discovery.
As Cohen points out, the case underscores the importance of understanding contractual agreements with cloud providers, especially as they relate to data access, maintenance and backup policies. In the Brown example, the contract clearly stated that despite the data existing on the third party's servers, it was still very much in the possession of the defendants and therefore wholly discoverable. Some contracts, especially those associated with social media, are far more nuanced and actually may contain provisions that limit or restrict access. In these situations, courts are bound to be far more receptive to inaccessibility arguments. Either way, legal teams should familiarize themselves with cloud agreements or risk making inaccurate statements before a court, like the defendants did in this case.
A second takeaway from the case is the importance of understanding the technical requirements for preserving cloud data. Cohen points out, “The fact that the ESI is maintained on a cloud service provider's servers does not mean that it is safe from potential spoliation." In many applications, transferring an account from one user to another exposes existing data to alteration or deletion. Even when the account isn't transferred, system administrators often maintain the ability to go in and manipulate historical data, even that which is associated with terminated accounts and should be notified when data must be preserved. Had the defendants understood this reality, they could have pursued steps to ensure the integrity of the ESI requested, such as the creation of backup tapes.
Make no mistake, the spoliation sanctions handed down in Brown had as much to do with negligence and factual misrepresentations as they did with the complexities of cloud computing. However, practitioners would be wise to familiarize themselves with the facts of the case so they are adequately prepared for the inevitable influx of requests for cloud-based ESI.
To learn more about the emergence of cloud data in e-discovery, watch the recording of Exterro and Actiance's recent webcast, “Social Media's Increasingly Important Role in eDiscovery and Regulatory Compliance."