In the last week, I have spoken to several people regarding how to maintain/prove compliance if a company is storing data "in the cloud," so to speak. Proskauer Rose associate Nolan Goldberg says the best place to start when discussing the issue is a definition of cloud computing.
For purposes of our discussion, then, Goldberg told me cloud computing can be confusing. "There are a lot of services that fall under that umbrella. I look at it more like a marketing term than anything. It's software as a service. It's IT outsourcing ... But I'm going to generally talk about cloud computing where you're using a service, and by using that service you're putting your data in the hands of a third party."
He also said there are two levels of cloud computing, "consumer grade" and "commercial grade" (his terms). When you're using consumer-grade services -- Gmail or other Google services, for instance -- you take the terms as you find them. "The terms of service are what they are. We don't really have an opportunity to negotiate them," Goldberg says. For commercial-grade services, you will have the opportunity to negotiate terms, and you should take advantage of that opportunity.
That ability will be key when it comes to dealing with e-discovery and privacy law compliance in the cloud.
Goldberg told me there are three things that concern him about e-discovery in the cloud. First is managing discovery obligations. Between the company and the service provider, who is responsible for preserving the data for litigation purposes? And once it is preserved, who collects it and reviews it for production to the court? Second, he said that maintaining the value and protection of certain data may be difficult in the cloud. He said:
If you have a document that contains a trade secret, or a privileged communication with your lawyer and it's on your work network, generally the privilege is maintained, the trade secret is maintained ... But, if we take that same trade secret or that privileged information, and put it in the custody of a third party, do we maintain that privilege and that trade secret?
Finally, e-discovery in the cloud presents privacy law questions. For those aspects, Goldberg deferred to colleague Tanya Forsheit, a partner at Proskauer Rose. Forsheit explained:
From a privacy perspective, one of the biggest issues has to do with the applicability of laws around the world, and particularly in the European Union. If you don't know where your data is, where it's actually residing -- which, frequently you're not going to know, if it's in the cloud being hosted by a third party somewhere -- you could very well be running afoul of the EU data protection directive.
But that's not to say we should avoid the cloud altogether. Both Forsheit and Goldberg point out that until the law catches up with the reality of today's technology, using the cloud just means very thorough due diligence on the part of the company looking to engage a service provider to host its data. Know where the provider's servers reside, so you'll know which national privacy laws apply. Address data preservation, collection, and destruction processes and responsibilities in the service agreement. Talk about the technology that will be used, who will do what, and in what time frames. Be explicit about the regulatory and legislative requirements that apply.
That's why Goldberg said the service agreement was key.