Identifying, retrieving, and producing electronically stored information (ESI) in response to a subpoena can be a time-consuming and costly \n\nbusiness. Processing just one gigabyte of data in response to an electronic discovery (ediscovery) request can cost at least $30,000, according \n\nto the Sedona Conference Journal.It's not surprising, then, that few cloud providers have yet addressed the issue of ediscovery responsibilities in their standard contracts. But \n\nthat leaves enterprises with their ESI in the public cloud at risk. "Courts have shown little patience for companies that fail to meet their discovery \n\nobligations," says Kim Leffert, counsel in the litigation practice of Mayer Brown. "An excuse that 'the data is on an outsourcing provider's \n\nsystems' will likely fall on deaf ears." Indeed, courts have issued sanctions for failing to respond to ediscovery requests, including fines, suit \n\ndismissals, default judgments, and even potential jail time.A company that outsources its ESI to an third party has the same obligation to preserve and produce relevant data as it would if the \n\ninformation were housed on its own servers, says Leffert; they may even face more risk if the subpoena or discovery request goes directly to \n\nthe cloud provider.While ediscovery responsibilities are negotiated and written into most traditional outsourcing contracts, cloud computing providers have \n\nbeen reluctant to address the issue as it would require more customization than they say their business models are built to accommodate. And \n\nthat's unlikely to change anytime soon. "We're probably in round one or two of cloud computing, and this is a round three, four, or five [issue]," \n\nsays Leffert. "[Cloud computing] customers may not be thinking about it either. They may view cloud [offerings] as more of a storage thing--like \n\ntaking boxes of documents and putting them into a records warehouse."But smart IT leaders should be proactive about addressing the issue before the prospect of litigation or government investigation arises, \n\nespecially since the time frames for responding to ediscovery requests are often limited. "Even if the time frame is two months, that could be \n\nvery short if you're talking about producing and reviewing 2 million documents," says Leffert. "A request to get six months of emails from one \n\nperson is one thing; three years of emails from 100 people that's something else. It's all a matter of scale."There are several steps IT leaders can take to make sure they don't run afoul of ediscovery requirements when storing their data in the \n\ncloud:\n\n1. Develop a Records Management Program\nDon't leave the fate of your data to the provider. "Companies need to think in advance about how they're managing their own records," Leffert \n\nsays. "Where they are, how they're organized, and when--if ever--they should be discarded." That knowledge will make responding to e-\n\ndiscovery requests and subpoenas more efficient and also provide a potential defense to claims of improper destruction of evidence.\n\n2. Create a Litigation Response Plan\nConsider including litigation readiness provision in your cloud computing contract, requiring the vendor to develop and implement a litigation \n\nresponse plan. That plan could include a list of responsibilities for data preservation, regular meetings to discuss and update the strategy, and \n\nthe appointment of an experienced ediscovery professional at the vendor to oversee the process.\n\n3. Handle Priveledged Data with Care\nIf the cloud provider has access to information that may fall under the category of attorney-client or work-product priveleges, add a contractual \n\nclause to protect that data specifically. That might come in the form of restrictions on privileged disclosure, defining all communication to and \n\nfrom the legal department as privileged, or reserving the option to designate protected information at a later date.\n\n4. Address Third-Party Requests\nOpposing parties in a lawsuit or government agencies with subpoena power can demand access to a company's data directly from its cloud \n\ncomputing vendors, opening up the possibility that the provider might divulge information that should not be shared. Mitigate that risk by \n\ninserting a provision that the vendor immediately contact a company representative upon receipt of any data request or subpoena, forward a \n\ncopy of the request or subpoena to the company (if legally allowable), and confer with the customer prior to response.\n\n5. Tell Your Provider if You're About to be Sued\nWhen litigation has been filed--or is expected--inform your provider immediately. Consider sending your provider a copy of the litigation hold \n\nnotice that describes all items to be preserved, advises Leffert, and meet with the vendor to answer any questions or concerns.If litigation progresses, it's time to ask more from the cloud provider, such as cost estimates for the data preservation and production and \n\nexplanations of why preservation or production of certain documents is not possible or feasible. It's also a good idea to require the cloud \n\nprovider to document all the steps it is taking to fulfill its obligations, says Leffert. That will help to ensure not only that they're responding in \n\ngood faith to the ediscovery requests but also can serve as evidence of the customers' due diligence in complying with its obligations.