Worst case scenario of cloud computing: E-discovery in litigation
By Carol Ko 14-Jul-2010
For any business, what can be worse than being sued but failing to present the necessary corporate data and documents to the court to defend your company's interests in a lawsuit?
'Security' never ceased to top the watch list of CIOs about cloud computing. In IDC's latest security research report released last month, one of the top five IT security spending priorities over the next 12 to 24 months was 'cloud security;' while 'cloud services' was seen as one of the top five corporate initiatives that enterprises saw will increase the security threat for their organizations.
Apart from security, however, other equally important factors should be taken into consideration when weighing between the cost efficiency gains and the associated data security risks of cloud computing.
"If the company is sued in the US, EU data privacy directives may create obstacles for the company’s ability to access its data that is hosted in the EU."
-- Erik Laykin, managing director of Duff & Phelps LLC
One of which is data retrieval from third-party cloud computing or cloud service providers, either voluntarily or involuntarily—in the unfortunate event of litigation, where electronic discovery (e-discovery) is required.
E-discovery is a pre-trial aspect of a court case, which requires both sides of the case to present all admissible documents and evidences in electronic formats to the other side before a civil trial begins, so both sides can be well prepared without being caught by surprise.
E-discovery concerns items including email, telephone conversation logs, instant messaging chats, documents, accounting databases, Websites and any other digitally stored data—including those that your company stores at a third-party cloud computing facility.
Can data be retrieved in a forensically sound manner at a third-party cloud computing system or data center? What are the consequences of data residing outside of your jurisdiction? What additional assurances do you need apart from the vendor's technical capability to retrieve data upon request?
In this interview, Erik Laykin (pictured), managing director of Duff & Phelps LLC, will address these important issues. Laykin is the managing director and practice chair of the global e-discovery investigations practice at Duff and Phelps (D&P), a 75-year-old US-based international consulting firm with 21 offices in Europe, US, and Asia, including Tokyo, Beijing, Shanghai and Hong Kong.
Asia Cloud Forum: What are the consequences of data residing in/out of a jurisdiction from the perspectives of data preservation, e-discovery and the like?
Erik Laykin: Cloud computing will impact a company. The degree of the impact depends on the legal framework of the country where the data resides.
For example, consider data that resides in the European Union (EU) on a cloud-based computing system, but the corporate headquarters is in the US. If the company is sued in the US, EU data privacy directives may create obstacles for the company’s ability to access its data that is hosted in the EU. As a result, that company may have a hard time complying with its e-discovery obligations in the US.
Consider another example that involves an Asian company that decides to leverage a cloud computing platform that is based in the EU. The company needs to ensure they have worked out a clear agreement with the owners of that data so that they are able to produce it in the course of litigation. To be clear, from the perspective of the EU Privacy statutes the owners of the data are in many cases the individual users of that data.