Tom Conophy, CIO of InterContinental Hotels Group, is one executive who believes he's got his bases covered. Among the many cloud initiatives of the $18 billion hospitality company is a project to move its global reservations system, now on a mainframe, to the cloud.
IHG is in the process of choosing a cloud provider and in its contracts, the company is "very careful about making sure that our intellectual property and our content is ours, and that at any given time we have the ability to access it, export it, turn it off -- whatever we need to do with it," says Conophy. "It's no different than if it was running in our own [data center]."
Be mindful of email, social media
Potential e-discovery problems vary depending on the type of cloud provider and the contract, observers say. Because email has been subject to e-discovery for a while, many email hosting providers have this covered in their contracts. And large cloud vendors that typically serve Fortune 500 companies are likely to pay more attention to the discoverability of data.
With other cloud providers, the area can be murky. "A lot is negotiated on a vendor-by-vendor basis at this point," says Wood. (For guidance, see E-discovery questions to ask your cloud vendor] and 20 steps to an iron-clad SaaS contract.)
Some SaaS providers make it easier than others to get data out of their systems. Salesforce.com, for example, "is not an easily searchable system -- because it's not a content management system per se -- and yet people are storing information there," says Murphy.
Social media represents one of the biggest challenges. Sites like Facebook, LinkedIn and Twitter rely on standard terms of service contracts with users, including companies that use the services for marketing and connecting with customers. But what if a company needs to discover what a former employee posted on Facebook? Since it is the former employee's account, the company has no rights to access that information.
That means companies have to consider constantly collecting the content of all employees' posts as a safeguard. Certain regulated companies in financial services -- such as broker/dealers -- already do this, notes Murphy.
Companies that don't may find the going tough should they need to retrieve social data. Although social media companies say that anyone can write to their open APIs to get the data they need, "accessibility changes on a regular basis as the APIs of the vendors change," Murphy points out.
In addition, how long would it take to download all the data? Murphy points out that most sites "throttle their APIs," which could slow downloads or search results. Some e-discovery service providers, he notes, have started to target this problem. "They pay a lot of money to be in these API programs," he says. "They are essentially buying less throttling."
Sign up for CIO Asia eNewsletters.