Migrated from eDJGroupInc.com. Author: Greg Buckles. Published: 2011-12-05 04:46:32. Format, images and links may no longer function correctly.

In my last post, we explored the relative cost of Amazon S3 Cloud storage compared to traditional hosting provider costs. Despite the potential cost savings of servers and storage in ‘The Cloud’, I am not yet seeing many firms or corporations jumping to move their eDiscovery to the Cloud. In a recent analyst briefing on our eDJ top 2012 eDiscovery Trends, Barry Murphy posited that legal and compliance resisted the leap beyond the firewall until they had more public success stories and case law. So what are they worried about? Data security was the first concern of a recent law firm client. “How can I assure my clients that their sensitive ESI is safe and that we are not inadvertently waiving privilege?” Good question. So I went looking for a good answer.

The first myth to debunk is the idea that data on Cloud storage is on some kind of giant shared drive that anyone can look at. You pay a Cloud provider to store your data and give you web access to that data, just like EDD hosting providers have been doing since the early release of iConnect and other web-based review platforms. The vast majority of customers assume that all eDiscovery service providers conform to top security, chain of custody and data handling standards. Wrong. Our industry has gotten better over time, but I recently heard stories of client data found on workbenches in garages converted to ‘server rooms’. Trust but verify every time. The very size of the largest providers like Amazon Web Services and Rackspace forces them to implement better security and handling procedures. Look for a provider who has had to certify compliance with HIPAA, U.S.-EU Safe Harbor data protection or financial services consumer information protection requirements. There are no standards bodies or specific eDiscovery data security standards as yet.

Moving data to the Cloud is no different than a client sending data to the firm or the firm sending a collection to their favorite provider. It requires reasonable diligence against loss or exposure. Today, that means encryption. Now don’t be scared. Think of it as a super password in case your drive goes missing or someone decides to snoop. The difference is that your Cloud provider should support remote access to encrypted data and the proper security protocols on any processing or review software that needs to store the magic passwords. Amazon S3 supports full encryption of your data and you keep the keys to the kingdom. That means that they cannot read your smoking gun email even if they wanted to. This is a new area for most firms or non-regulated corporations. I recommend using a third-party security specialist to assess your requirements and normal workflow. You need to document your encryption and access protocols, prepare how-to packages for clients and commit to regular audits to demonstrate your reasonable effort.
