by Shannon Smith, Esq, eDiscovery & Archiving Specialist for CommVault
 
As one of the newest computing frontiers, cloud technology is generating massive interest from organizations seeking substantial economies of scale by outsourcing all or portions of their computing, applications and data storage requirements. It’s true that migrating data to an external cloud can lead to sizable savings on capital and operational expenses. There are also, however, a host of potential security and privacy issues that can arise and expose organizations to unique risks.
 
It’s important to take the time upfront to determine the value of the data being placed in an external cloud, along with establishing proper Service Level Agreements (SLAs) and disaster recovery commitments to safeguard the information. Reputable cloud computing vendors should be able to articulate a sound business continuity strategy, which encompasses proven and audited data protection processes for minimizing downtime should an outage occur.
 
Ensuring data privacy also becomes more complicated in the cloud as data must be protected against unwanted access by the provider as well as the provider’s other customers or outside intruders. As a result, companies should consider keeping highly sensitive data in-house, especially if the information contains sensitive customer data, trade secrets, or could be subject to legal privilege.
 
The issue of access can be unclear in cloud computing because a third party has actual possession of, and can control access to, an organization’s data. Unlike traditional outsourcing models, where customer data is segregated and housed on separate devices, multi-tenant cloud computing environments co-mingle information from different organizations.

One striking example of the unique risks inherent to cloud computing involved Liquid Motors, a Dallas-based company that provided inventory management and Internet marketing services to auto dealers nationwide. Last year Liquid Motors was inadvertently caught up in a FBI raid when the bureau seized servers and backup tapes from the company’s service provider’s data center and co-location facility, which was under investigation for VoIP fraud. While Liquid Motors wasn’t under investigation in any way, its equipment and data were confiscated, effectively putting the company out of business and in potential breach of customer contracts.
 
While this example may be more the exception than the rule, it highlights an underlying risk when an organization’s data resides with others. Additional risks relating to data residing in the cloud occur during e-discovery because a discovery request could be made directly to the vendor. It’s crucial to build provisions to address, and possibly resist, third-party requests for data. At a minimum, cloud computing vendors should be obligated to inform their customers if a direct discovery request is received. Other areas of consideration relating to e-discovery issues include data authenticity and preservation. Companies need to ensure that migrating data to and/or from the cloud does not alter associated metadata. Additionally, organizations need to ensure that the vendor offers a means of preserving data, a la legal hold, should litigation arise.
 
Considerations for how data is moved into the cloud and accounted for:
    •    What process is used to move data?
    •    Does data migration change the metadata or content in any way?
    •    Can the chain of custody for the data be established?
    •    What is the physical location of my data and who has access?
    •    Does the data stay in one place or is it moved at all, such as when normal maintenance is performed?
    •    How is data preserved when requested and is there legal hold and review capability in event of an e-discovery request? and
    •    What other types of companies have data co-located with mine and are they subjected to federal regulations or intense auditing that could impact my data?
 
Jurisdiction over the data also needs to be addressed to ensure the cloud provider operates in accordance with laws pertinent to a particular location. For instance, if the data resides in Europe, then a US-based customer would need to know potential problems and issues that may stem from stricter European privacy laws. While access controls and privacy considerations typically are addressed contractually, it’s advisable to add provisions for auditing data access to ensure privacy procedures are maintained.
 
A plethora of cloud computing choices will continue to drive early momentum among companies that want to leverage a highly affordable shared pool of computing resources to deliver various business services. For that reason, it’s increasingly important to understand and consider these risks before entering a contractual relationship with a cloud computing vendor.