Know your data's location
Whatever type of cloud you're dealing with, it's important to know exactly where your data resides. In some cases, a cloud vendor may be storing it in a data center in a different country, where different data privacy and e-discovery rules apply.
And even if you've contracted with one cloud provider, do you know whether that company is using subcontractors? That's frequently the case, says Kunick. "It's more than likely that your data will reside in several locations." Even if you have an iron-clad contract with your cloud provider, can that provider get at the data in a prompt and defensible way from its subcontractors?
Before there was a cloud, companies would contract with large managed service providers and would spell out most of these provisions in long, detailed contracts, Kunick says. But most cloud provider contracts don't cover such details. "With cloud service providers, the contracts are seldom longer than 10 pages."
Beware renegade business units
Even if contracts cover every detail, shadow IT activities within corporations can be the source of other e-discovery problems. Charles Skamser, president and CEO of consulting firm eDiscovery Solutions Group, spent the last several months interviewing some 60 cloud service providers. Most told him that their clients are not asking about e-discovery. In fact, "some of the [cloud service providers] even said, 'What's e-discovery?'" says Skamser.
More telling, perhaps, Skamser's research indicates that a high percentage of the client base of these providers are "renegade business units" of large corporations seeking to do an end-run around what they perceive as unresponsive internal IT organizations.
This could be a recipe for disaster. When a large corporation is sued and presented with an e-discovery request, the general counsel would likely go to the IT department and ask for help. The general counsel may not ask a particular business unit manager, and even if they do, the manager won't know how to comply and probably has no e-discovery provisions in his contract with the cloud vendor, Skamser explains.
Develop a comprehensive plan
The most important thing is for a corporation to have a comprehensive information governance and discovery plan that covers all sources of data, including the cloud, says Murphy.
The plan needs to provide not only for how to conduct e-discovery on data stored in the cloud, but also how to review that data alongside data residing elsewhere. "People will store information in all sorts of places," he notes. "You need to apply the same discipline on all data sources."
It's not too late to prepare for e-discovery on cloud-based data, says Murphy. "Best practices are just beginning to emerge, and the good news is that companies have the opportunity to get ahead of the curve," he wrote in a recent report.
Sign up for CIO Asia eNewsletters.