5 Steps to Ensure Your Cloud Provider Is Ready for Ediscovery

Businesses need to be prepared when an ediscovery request is made pertaining to data being stored in the cloud. Here are five steps IT leaders can take to ensure that their cloud computing vendors don't get them into hot water when responding to electronic data discovery requests.


There are several steps IT leaders can take to make sure they don't run afoul of ediscovery requirements when storing their data in the cloud:

1. Develop a Records Management Program

Don't leave the fate of your data to the provider. "Companies need to think in advance about how they're managing their own records," Leffert says. "Where they are, how they're organized, and when--if ever--they should be discarded." That knowledge will make responding to ediscovery requests and subpoenas more efficient and also provide a potential defense to claims of improper destruction of evidence.

2. Create a Litigation Response Plan

Consider including a litigation readiness provision in your cloud computing contract, requiring the vendor to develop and implement a litigation response plan. That plan could include a list of responsibilities for data preservation, regular meetings to discuss and update the strategy, and the appointment of an experienced ediscovery professional at the vendor to oversee the process.

3. Handle Privileged Data with Care

If the cloud provider has access to information that may fall under the category of attorney-client or work-product privileges, add a contractual clause to protect that data specifically. That might come in the form of restrictions on privileged disclosure, defining all communication to and from the legal department as privileged, or reserving the option to designate protected information at a later date.

4. Address Third-Party Requests

Opposing parties in a lawsuit or government agencies with subpoena power can demand access to a company's data directly from its cloud computing vendors, opening up the possibility that the provider might divulge information that should not be shared. Mitigate that risk by inserting a provision that the vendor immediately contact a company representative upon receipt of any data request or subpoena, forward a copy of the request or subpoena to the company (if legally allowable), and confer with the customer prior to response.

5. Tell Your Provider if You're About to be Sued

When litigation has been filed--or is expected--inform your provider immediately. Consider sending your provider a copy of the litigation hold notice that describes all items to be preserved, advises Leffert, and meet with the vendor to answer any questions or concerns.

If litigation progresses, it's time to ask more from the cloud provider, such as cost estimates for the data preservation and production and explanations of why preservation or production of certain documents is not possible or feasible. It's also a good idea to require the cloud provider to document all the steps it is taking to fulfill its obligations, says Leffert. That documentation not only helps to ensure that the provider is responding in good faith to the ediscovery requests but can also serve as evidence of the customer's due diligence in complying with its obligations.

Copyright © 2012 IDG Communications, Inc.
