While cloud vendors trumpet the savings and flexibility they can provide compared to on-premise IT, they don't, as a matter of course, address key e-discovery issues. Before signing any tempting deals, experts say, CIOs must hold vendors' feet to the fire about how–and how quickly–the vendor will help meet data requests in the face of lawsuits, compliance audits, data breaches and other legal situations.
Even without the cloud factor, many companies admit they aren't well-prepared for e-discovery. Eighty-seven percent of companies have a policy to manage electronically stored information, but less than half–46 percent–have a policy that specifically addresses e-discovery, according to a recent survey of 461 corporate IT and legal executives conducted by Kroll Ontrack, an e-discovery consultancy.
“When a company cedes control over its data and a vendor, in turn, stores that data on servers that are virtualized and shared with other clients, that adds an enormous amount of complexity to the preservation of evidence,” says Jason Straight, a senior managing director at Kroll Ontrack.
Part of what makes cloud offerings from vendors such as Amazon and Google so enticingly affordable is that they typically run your data and applications on the same virtualized servers they use for other customers. Discovery, meanwhile, involves finding, pulling, preserving and collecting often huge volumes of data. Does processing stop for the companies that share your servers while this goes on? Would your operations stop, or slow, if some other customer were dealing with such an issue? Will the cloud vendor allow your legal team on site to collect data? What documentation does the cloud vendor provide about who has access to its systems–and your data–when you need to show a chain of custody in court?
John Green, executive vice president of information services at investment banking firm Stephens, estimates he's two years away from any substantive cloud computing, but he's already trying to think through the whys and wherefores of e-discovery. “Those are all questions we're wondering about,” he says. “How do you verify to any kind of auditor that everything is secure in a virtual world?”
What CIOs Need to Know
CIOs should be sure to grill potential vendors on at least two critical areas: security and access. Spelling out exactly where your data is at any given time is a challenge for cloud providers because they may distribute the processing across virtual servers and even across virtualized data centers, says Mark White, a principal at Deloitte Consulting. Still, he says CIOs should press vendors for specifics about how they protect and monitor one company's data as it moves around their data centers with the data of other customers.
Judges issue fines to companies claiming computer problems during a lawsuit or investigation. Press the vendor to commit to service-level agreements for how quickly it will retrieve the data requested in the right format, Straight says
Although there are no best practices yet for e-discovery in cloud computing because the method is new, the salient point experts make is to ask questions to see how the vendor reacts. “You want to know they've thought about these things,” Straight says. “If the answer is, 'We deal with this on a case-by-case basis,' watch out.”