In the legal world, the ability to apply "legal holds" is essential to preserving data as part of an evidence management strategy. This process can become more complicated when dealing with cloud-based data and therefore requires additional due diligence before signing with a cloud service provider. Foremost, organisations need to understand if data must be restored to the customer site in order to place a legal hold or if it's possible to apply the hold while the data still resides in the cloud. Above all, ensure that no action is taken by the cloud provider that could lead to spoliation, which would likely result in sanctions or other costly legal results.
eDiscovery issues in the cloud will continue to gain ground, because the inability to produce data in the manner and timeframe required by a court during any litigation proceeding can yield dire consequences, including stiff fines, negative inferences and sanctions. The best way to avoid this slippery slope is to engage legal experts and stakeholders early in the process so any potential eDiscovery pitfalls can be pinpointed.
Jurisdictional issues: Where data resides counts
Jurisdiction is an often forgotten area that needs to be addressed on two levels. For starters, companies must ensure that their cloud service provider operates in accordance with whatever laws pertain to a particular location where data might be stored. Next, consider the nature of the data, especially if a U.S. cloud provider is retaining data or e-mails that belong to foreign nationals, as Europe has much stricter privacy laws.
Universities across the U.S. have been among the earliest adopters of cloud computing technology, with many migrating thousands of student e-mails to the cloud to lower capital IT costs and resources. Success stories abound on how outsourcing e-mail has enabled institutions to support the increased needs for campus-wide communication and collaboration. What is less publicised, but still an unfortunate reality for some schools, is the additional risk of outsourcing e-mail for faculty and students who are European residents. The European Union (EU) has much stricter privacy laws than the U.S., which could require seeking permission from the parties prior to engaging a third party to handle their e-mail.
Cross-border issues extend beyond the owners of the data to the physical location of a cloud provider's file servers. Since many providers house data in multiple data centres around the world, it's prudent to find out the location of each centre as privacy laws will differ. Again, the underlying goal is to minimise exposure, and jurisdiction is an area that can trigger legal, regulatory and compliance risks and concerns.
Exit strategies: Getting data back
Perhaps the most overlooked area is what happens when an organisation wants to leave the cloud or migrate to a different service provider. There are countless scenarios for why a company should develop an exit strategy upfront, including avoiding exposure if the cloud provider goes bankrupt as well as ensuring all cloud data can be returned or migrated to another provider.