Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2011-06-21 14:10:04 I recently had the opportunity and privilege to give my perspective to the international working group of the Commission on the Leadership Opportunity in U.S. Deployment of the Cloud (CLOUD2). The commission has a three month mandate to provide the Obama Administration with recommendations to support our growing cloud industry. Many of my global corporate clients have struggled to reconcile their eDiscovery, regulatory and storage requirements across their diverse business units in various countries. Preparing for my presentation brought me the realization that we really are moving to the cloud, dragging the luddites along kicking and screaming. I gave a bit of background on the challenges I saw facing global corporations and moved on to why even large enterprises are exploring migrating their systems and data to cloud or hosted services.Many years back, it made sense for a large corporation to invest in top-line IT infrastructure to maximize their competitive advantages and minimize the outsourced cost. That equation does not always hold up now. After all, a manufacturing company is not in the business of IT or Litigation, even if both are a fact of corporate life.Below are a few causation factors:
- Storage is cheap, but infrastructure is not. Economies of scale drive centralization, virtualization and finally migration of digital assets to the cloud
- The 2006 FRCP amendments, Zubalake vs. UBS Warburg and the financial malfeasance of 2000-2002 drove corporations to open ended preservation, creating digital landfills
- EU data privacy policies challenge U.S. assumption of corporate ownership of all ESI
- 1995 EU Data Protection Directive
- Blocking statutes – transfer protocols and barriers to moving ESI across borders
- China, Switzerland, Australia, South Africa
- Personal identified information vs. personal email/documents
- Users must have access to personal info/email – sensitive data classifications
- Huge potential remediation costs for data breaches
- Cost/risk shifting to cloud providers – unproven at present
- Limits to employer access to even view email
- France, Germany (Works Council/Data Protection Officer)
- Privilege concerns regarding U.S. Patriot Act –
- Much ado about nothing
- Carnivore monitoring does not waive privilege
Trends and adaptive practices:
- Technology policies and enforcement are critical
- Keep personal data out of corporate system
- Geographic virtual segregation – internal firewalls and rights management
- Drive to automated categorization to eliminate the storage of non-records
- Outsourcing IT to service providers and storage to the cloud
- Discovery from the cloud still immature
- Critical concerns with accelerated discovery deadlines and burst capacity to transfer data
- Specialized review offerings for onsite categorization
“So what do you think is the primary issue or concern for a foreign country that is looking to put their ESI into a U.S. based cloud provider?” This question really focused the conversation. I believe that we need to redefine the legal phrase “care, custody and control” in regards to cloud providers to make it clear that the customers are the ESI owners and to provide some protections to the cloud providers against third party subpoenas and discovery end runs by sharp plaintiff counsel. Foreign corporations must be comfortable that their sensitive ESI cannot be raided without their consent. Some of these companies could theoretically face criminal charges (France) if they fail to protect their user’s personal ESI, though this threat has not manifested itself thus far. Cloud providers can proactively join the U.S.-Swiss Safe Harbor program and provide customers with clear discovery response policies. This is a good start, but I believe that we need fundamental changes to our laws/regulations that remove the cloud provider from the middle of any discovery dispute. What do you think?