James D. Shook, Esq., CIPP EMC eDiscovery Expert

By James D. Shook, Esq., EMC eDiscovery Expert

Regardless of your definition of Cloud Computing — and there are many — the concept of “The Cloud” is compelling to many enterprises.  In particular, many of our customers have recently asked us whether it’s a good idea to move their email to the cloud with a third party provider.

As with most other strategic decisions, there’s no one-size-fits-all type of answer.  Instead, a sound decision will involve a risk-reward analysis that is based on many factors.  For email in the cloud, the potential reward side includes the possibility of cutting infrastructure and staffing costs, reducing energy consumption, eliminating logistical complexity and enabling rapid rollout and expansion.  On the risk side, there are concerns about security, privacy and the loss of control over a critical service like email.  Most of our customers are diligent in looking into these issues, and expert in weighing their point of balance (or imbalance).

However, many customers completely miss evaluating risks related to compliance, especially in the area of electronic discovery.  In part, this seems to be related to the fact that IT typically drives the Cloud decision-making process, frequently with the CFO, and Legal is seldom involved in the process (until the contracts need to be reviewed).  Even when IT considers eDiscovery, it may just be a cursory examination of issues that do not really get to the heart of potential risks.

If your company is making a decision about moving email to the Cloud, you should factor in Compliance concerns, particularly about eDiscovery.  Here are a few basic issues to consider with your legal department or outside counsel:

- How will you locate and put a legal hold on email — are there self-help tools or will you need to contact the Cloud provider’s staff?  With self-help tools, what type of criteria can be used to search, and how quickly will you have responses?  If the vendor’s team is involved, what is the process, and are there SLAs in place to insure that your needs (which are frequently based upon important legal obligations) will be met?

- Once email has been identified to be placed on hold, how will the hold be put into operation?  Can the messages be collected and returned to you, and if so what formats are available?  For example, will someone need to put the data onto physical media and mail it to you?  Alternatively, if data can be downloaded, are the connections sufficient if you are collecting a terabyte or more of data (and do your cases make this scenario a possibility)?

- What are the costs associated with these processes?  Will it be a “pay-as-you go” basis or is there a per seat or per GB charge for these tools?

- What type of additional support — such as authenticating the data and the process used to collect data — can be provided if questions arise during the legal process?  What will it cost for this support?

- If things go wrong and data that was supposed to be retained is lost or deleted, whether accidentally or negligently, can you expect to be reimbursed for costs and/or legal fees?  If so, to what extent?

Many cloud email vendors have become more aware of requirements for eDiscovery functionality or services, and are doing a better job of supporting customers’ needs.  In addition, for companies with minimal eDiscovery requirements, even “bad” responses from Cloud vendors on these questions may not sway their decision to move to the Cloud.  Remember, this is a risk-reward analysis, and if the risk is perceived as very low, the perceived reward may carry the day.  But any good analysis should include a solid review of these and related eDiscovery factors.

Discover More with Kazeon