Our examination of common legal concerns in cloud transactions most recently focused on the broad range of government regulation of data that may constrain or alter the relationship between the company and its service providers. Additional legal issues in the cloud computing relationship often involve the rules of e-discovery and electronic evidence.
A company involved in litigation has a duty to comply with information requests, including government and private party subpoenas and discovery rules for anticipated, pending, or active litigation. As in the first two areas of legal concern – contractual issues and regulatory complications – such compliance is complicated by the delegation of control over outsourced data and the potential for multijurisdictional data storage and transfer.
In e-discovery, companies often face a preliminary consideration: whether placing information in an external cloud eliminates the obligation to identify it or produce it under the relevant rules of civil procedure. Recent case law suggests that it does not, and vendors providing cloud services might structure their offerings so that the data is not legally in their “care, custody, or control.” Similarly, cloud providers may attempt to invoke privacy or related laws to limit discovery requests and other legal processes more properly directed at their customers.
Because electronic evidence in litigation may be treated like any other evidence, parties can be penalized for failing to turn over such information. Safe harbor does exist for companies that destroy electronic data in the “good-faith” and “routine” operation of an electronic system. A company should consider either examining the cloud vendor’s document retention and discovery response policies to ensure they conform with the company’s requirements, or negotiating compliance with the company’s policies into the service contract. Because of these requirements, cloud vendors often only delete data expressly on the instruction of their customers.
A company’s legal obligation to preserve data and maintain access to it may trump the contract with a cloud computing vendor. A company outsourcing its data processing should understand its duty to maintain records, regardless of the contract or the service provider’s ability to supply the records. Therefore, companies should contemplate agreements for the return or transfer of the data for transitional and future use by the customer.
As in any litigation involving electronic evidence, data authentication could arise in cloud computing disputes. Like other cloud computing issues, the core authentication concern for electronic evidence stored in the cloud is the company’s loss of direct control over the information. Both the terms, and management, of the service contract are ways to control this.
In planning for, negotiating, and managing the contract with a cloud vendor, the company and the vendor should have a clear understanding of the distribution of responsibilities in connection with discovery obligations. Standard document-retention and e-discovery procedures should be complemented, not hindered, by cloud services. A final practical challenge is that many small businesses may be unable to negotiate the terms of their contract with a cloud provider. In that situation, it may be advisable to look at various cloud providers in order to find acceptable contract terms. Awareness of, and processes for, complying with discovery and data retention obligations will often be of critical importance to both buyers and sellers of cloud computing services.