by Jake Frazier of the CGOC
In 2008, Gartner touted cloud computing as “an evolution of business that is no less influential than e business.” Gartner was right. 2011 has seen cloud computing begin to reshape the very idea of an enterprise IT infrastructure. Your organization is likely in the midst of either formulating a long term cloud strategy or already beginning to implement one as “on-demand IT services” and “everything as a service” promise business agility and significant cost savings.
However, if you haven’t already seen some pushback from your legal, records information management (RIM), and compliance colleagues, it’s likely to come very soon. The cloud, like any technology involving the storage and transfer of information, creates significant issues for these governance stakeholders, especially in the areas of e discovery and privacy.
This article offers insight into the perspective of these governance stakeholders, along with some practical advice for making sure everyone gets on the same page.
For IT, choosing among a public, private, and managed private cloud is about balancing cost savings against ensuring that the data is secure. For the governance stakeholders, it’s about the physical location of the data, whether it remains under the company’s possession, custody or control, and whether the company is complying with all relevant laws and regulations in all relevant jurisdictions.
In general, litigants in a civil case have the right to any information that can reasonably apply to the claims or defense of the case. The relevant rules are quite broad and apply to all electronically stored information (ESI), whether in a corporate database, a computer hard drive, or a mobile device. To date, there are few rulings that respond to the shifting degree of control over information in the cloud, so existing laws are essentially being grafted onto the new technology.
The Federal Rule of Civil Procedure (FRCP) Rule 34 (a) (1) offers the general guideline on the duty to:
“… produce and permit the requesting party or its representative to inspect, copy, test, or sample the following items in the responding party’s possession, custody, or control.”
The general nature of this rule means that there are few prohibitions on what organizations can be required to produce. So although you may have a mail server managed by a service provider, the expectation is that you can conduct e-discovery and produce relevant information in the same timely manner as if you were running Microsoft Exchange in your corporate data center.
In addition to this e-discovery challenge, there are an abundance of geographically specific laws and regulations. This is a challenge for environments that are virtualized across a global infrastructure. For example, the EU has stricter laws than the U.S. regarding the collection, processing, transport, and use of personal information. It also prohibits transporting information to countries that lack sufficient data protection laws and practices, so enterprises operating in the cloud must understand where the information is physically located and how it is moved.
Consider the following architectures:
Configuration 1: A private cloud where company owned infrastructure is virtualized in a single geography and accessed by users in the same geography. Data remains behind the company’s firewall, and the company retains complete possession, custody, and control. From the perspective of the governance stakeholders, the information stored in this cloud is treated like any other information.
Configuration 2: A private cloud where company owned infrastructure is virtualized across multiple geographies and accessed by users around the world. In this case, the information remains under the company’s possession, custody and control, but because the information moves across geographical boundaries, different regulations apply depending on where the information is stored.
The compliance team will want to ensure that IT knows and can report on exactly what information is where and that the company is complying with all relevant laws and regulations.
Configuration 3: A managed private cloud that leverages a vendor’s virtualized infrastructure. In this case, the information is no longer under the company’s possession and custody. However, it does remain under its control.
This complicates e-discovery because you still have the obligation to place legal holds and produce relevant information in the event of legal action. The issues for the governance stakeholders include:
- Does the vendor know and can it communicate exactly where the information is physically located? If the provider is a multinational firm, will it handle your data in a way that is consistent with the various jurisdictions?
- Will the vendor be able to produce required information in an appropriate format in an appropriate time frame?
- How is the data backed up? For how long is it stored? Is this consistent with your company’s record retention policies?
- Can the vendor verify data destruction and stop destruction if necessary?