As Bulging Client Data Heads for the Cloud, Law Firms Ready for a Storm
Posted Apr 01, 2011 09:50 am CDT
Perhaps no case could be a more monumental example of the reality of modern e-discovery than the ongoing Viacom copyright infringement lawsuit against YouTube filed back in 2008. In that dispute, the judge ordered that 12 terabytes of data be turned over, according to Matthew Knouff.
“People often say that one terabyte equals 50,000 trees, and 10 terabytes would be the equivalent of all the printed collections of the Library of Congress,” says Knouff, who is general counsel of Complete Discovery Source, a New York City-based electronic discovery services provider. For the Viacom/YouTube case then, the demand was for the printed equivalent of the entire Library of Congress. And then some.
Experiences like these have left law firms and in-house attorneys scrambling to make sense of the new risks associated with the seemingly endless data produced by emerging technologies like cloud computing and social media—first as a way to get their own house in order and second as a sorely needed service for the vulnerable corporations employing them.
Last year a study by the Deloitte Forensic Center—a think tank that explores ways to mitigate the effects of illegal and unethical business practices—found plenty of concern over corporations’ ability to handle the e-discovery demands of social media. (See “More Discovery Woes from Web 2.0.”)
Even more disturbing was Deloitte’s finding that only 9 percent of businesses surveyed believed they were well-prepared to electronically capture and store digital information generated on cloud computing programs or on software-as-a-service applications such as those found at Salesforce.com.
Meanwhile new technologies are forcing law firms to wrestle with previously unimagined concerns, including improbable imponderables such as: “If someone sends a disappearing e-mail and no one reads it, have any codes of ethics been violated?”
Essentially, technology’s inexorable drive to permeate every pore of our existence in ever more complex, far-reaching ways seems destined—at least to some who follow e-discovery most closely—to forever change the nature of the law.
One of the greatest worries associated with data created within or ported from outside the walls of the workplace is the loss of control that comes with the package. Sure, in many ways cloud computing seems neat. With mobile phones, everyone gets to feel a bit more like Capt. Kirk, and technologies like disappearing e-mail possess an inarguable panache.
But with each step forward, the sense that the data generated by these devices can quickly become your enemy grows ever more immediate.
And yet even as it seems that technology presents more ways to suffocate litigation or spill secrets, e-discovery firms and analysts are developing ways to collect, organize and protect sensitive data no matter where it is created or by whom.
IN PURSUIT OF PRIVACY
Indeed, data generated by cloud computing is especially rife with risk given that cloud data is stored off-site and under the control of a third-party vendor who may not be as dedicated to the importance of privacy demands as lawyers are.
“The significantly lower cost of using the cloud is driving the data’s migration beyond the firewall,” says Nick Brestoff, Western regional director of discovery strategy and management at International Litigation Services of Aliso Viejo, Calif. “The data is leaving the building.”
E-discovery experts say grilling a prospective cloud service provider, or CSP, regarding its policies and practices for managing and protecting your data is pretty much job one if you plan on getting any sleep after your firm leaps into the cloud. And according to Knouff, being crystal clear on who’s liable for stolen data is key. Incredibly, many cloud providers now limit or simply disclaim any liability for data that is stolen.
“To the extent that you are unable to negotiate a CSP’s standard terms and conditions,” Knouff says, “you may just have to make an informed risk assessment and then take your chances if you want to benefit from the cloud.”
Adds Debora Motyka Jones, client services manager at Seattle-based Lighthouse Document Technologies: “Ultimately it is the firm’s data, so the firm is liable. This is an important area to address in the contract between the firm and cloud provider. If possible, the firm should include an indemnification provision for losses that are the fault of the cloud provider.”
Ensuring your data remains in a form that can be used by your in-house computer applications is also critical. “Many CSPs reserve the right to modify any content that you put in the cloud,” Knouff says. “Understanding how you might lose control over data through proprietary data formats is an important consideration. The ability to modify or alter content can impact your ability to remove data from a cloud or switch to another CSP.”
Cloud newbies are also often dismayed to learn that when officials in a government lawsuit come calling for your data, current law allows cloud providers to simply roll over and release it.
“A service provider cannot be held liable for disclosing information pursuant to a legitimate government order, and a civil suit cannot be brought against the U.S. government for anything less than willful disclosure violations,” Knouff says. “To make the cloud environment even more risky, in many cases disclosure of sensitive data occurs without the cloud service subscriber receiving advance, or even prompt, notice.”
A law firm’s only recourse in this case is to negotiate a notice provision with the cloud provider—triggered when any entity, including the government, is seeking release of your private information, Knouff says.
Moreover, while any reputable cloud provider makes continual backups of your data, law firms should also negotiate for additional, physical copies to be provided for storage either at the law firm or with another third party. “Backing up your data should not be viewed as a best practice,” Knouff says, “but as a requirement.”
Firms also need to be proactive about the prospect that a cloud provider could go bankrupt, especially given that the boom-bust cycle in cloud computing is only now just ramping up. A bit of upfront planning can avoid a lot of red faces later when a cloud provider’s doors are locked and the remote servers storing your data start popping up for sale on eBay.
For best results, companies will want to create a visually rendered data map of how all information travels through the firm’s network and how that data would interact with the systems of a cloud provider.
“When addressing these issues, make sure to form a cross-functional team, including members from IT, legal, human resources and various business units to achieve the most comprehensive and cohesive results,” Knouff says. “Ultimately, the elements of your data security plan are going to be based on a thorough enterprise-level risk assessment.”
Adds Jamie Kinsler, an independent consultant in Seattle who holds a JD, “Without an updated data map of an organization’s storage and processes, an e-discovery processing and review may cost many times over what the vendor invoice could have and should have been with proper data management.”
Jack Newton, co-founder and CEO of Themis Solutions Inc., the Vancouver, British Columbia-based provider of the Clio practice management suite, also believes law firms need to cut cloud providers some slack. “In many ways there is more risk associated with a law firm attempting to secure and protect its own computing infrastructure,” he says, “as compared to leveraging the expertise of a cloud computing provider.”
Meanwhile, law firms and clients looking to mitigate risk associated with mobile phone data may want to investigate a raft of vendors who specialize in backing up those bits and bytes.
V Cast Media Manager from Verizon Wireless will do the trick, as will “third-party service providers that offer mobile phone management on and off the cloud,” says Knouff. “Bloove and Memotoo are examples of cloud-based mobile phone/desktop synchronization tools.”
And if you’re looking to collect a forensic image of a mobile phone, you’ll find tools available for that. “Guidance Software’s EnCase Neutrino is one of the most widely used and accepted tools to forensically collect data from mobile devices,” Knouff says. “Other tools include AccessData’s Mobile Phone Examiner (PDF), Paraben [Corp.’s] Device Seizure and Logicube Inc.’s CellDEK and CellDEK TEK.”
Firms with deeper pockets may also want to consider the more costly solution of an in-house enterprise server. “For example, with a BlackBerry Enterprise Server the server sits behind your company firewall and all the security and control you have over your internal IT functions now extends to your company e-mail,” Knouff says.
There are even solutions for lost or stolen cellphones. “One such product, Lookout, is a third-party application that allows users to locate a missing or stolen phone and wipe it remotely, prevent viruses and outside intrusion, manage content and back up data,” Knouff says.
More adventurous technologies—like disappearing e-mail messages that automatically delete themselves from computers of both senders and recipients once read—also have firms doing double time to develop policies to ensure the associated risk is mitigated.
Indisputably, disappearing e-mail, like Vaporstream Inc.’s Electronic Conversation Software, does have clear advantages.
“For example, if I send an e-mail to a colleague confirming a lunch appointment, my employer may incur needless costs associated with recording and storing this communication,” says Cathy Duplissa-Lopez, project manager of electronic data and e-discovery at the Phoenix office of law firm Fennemore Craig. It makes more sense to simply make such e-mails disappear, she says.
But the important point to remember is that provisions must be in place to ensure employees are well-trained to recognize when it’s appropriate to use disappearing e-mail, and to realize that the technology may have limitations.
“I have learned that through the issuance of a government subpoena or similar request, at least one form of disappearing e-mail may be susceptible to a ‘wiretap’ in a manner similar to a phone call,” says Duplissa-Lopez, a paralegal.
DOING THE RIGHT THING
Embracing a new way of computing brings with it a new set of ethical considerations. Some firms, for example, may worry that venturing into the cloud may engender an ethical responsibility to quote chapter and verse to clients about the special data vulnerabilities inherent in the cloud.
Newton of Themis Solutions doesn’t see it that way. “There are currently no requirements for law firms working in the cloud to disclose the vulnerabilities of working in the cloud, and I don’t believe such a requirement should be put in place,” he says. “The risks to a law firm’s data—including potential data loss, security breaches or government disclosure demands—exist whether the firm uses cloud computing or on-premise computing.”
No matter where computing is being conducted, there needs to be a party who is responsible for mitigating and protecting against risk, Newton says. And in the case of cloud computing, that responsibility rests squarely on the shoulders of the cloud provider, he says.
“A law firm shouldn’t have to disclose the fact they are using a cloud computing provider for their computing needs any more than they should have to disclose they are using an off-site document storage provider, third-party document shredding company or any other outsourced service provider,” Newton says.
Indeed, use of some of the newer computing technologies like disappearing e-mail may in fact be perceived as preferable.
“There are situations,” Newton says, “where using such a technology—for example, when discussing trade secrets, sending passwords or exchanging credit card information—could be both prudent and ethical.”
Some uses, but not all.
“It would not surprise me,” Duplissa-Lopez says, “if some courts did not view the use of disappearing e-mail favorably, especially if the purpose of using the protocol is to prevent disclosure of communications rather than eliminate the costs of storing unnecessary e-mails.”
The ethics of using newer technology could simply turn on the appearance of how the technology is used, such as during the course of a litigation hold. “Specifically, if a party is precluded from destroying e-mails ad- dressing particular topics relevant to litigation, using disappearing e-mail to address such topics—knowing such communications will not be preserved—certainly seems to give rise to ethical questions,” Duplissa-Lopez says.
he ethical issues arising from new technologies, including cloud computing and the increasingly mobile practice of law, have drawn the interest of the ABA. In September its Commission on Ethics 20/20 Working Group on the Implications of New Technologies released a paper (PDF) seeking guidance from lawyers on confidentiality issues involved in using these technologies.
The paper ends with seven questions seeking opinions on a range of options, from creating an online resource of emerging practices and standards to amending the ABA?Model Rules of Professional Conduct, and even whether lawyers should buy cyberinsurance to protect against losses from disclosure of confidential client data. The comment period closed in mid-December.
“We will be discussing the feedback we received at our commission meeting,” says Jamie S. Gorelick, commission co-chair and a Washington, D.C.-based partner at Wilmer Cutler Pickering Hale and Dorr. “Eventually the commission will come up with recommendations that will be distributed widely for comment within the ABA and elsewhere within the legal profession.”
BRAVE NEW LAWYER
looking ahead, many of those closest to e-discovery see the relentless creation of new innovations that spawn ever more data streams as presaging a new kind of law, and a new kind of lawyer.
“Lawyers and law firms will be forced into re-engineering themselves,” says International Litigation’s Brestoff. “They will need a law/tech binocular vision because the facts are in the data.
“You can find the law,” he says, “but if you can’t find the facts, what good is the law “
Dara Scott, senior project manager for Atlanta-based Excelerate Discovery, agrees. Instead of viewing an e-discovery request as a five-alarm fire that has to be handled on the fly, e-discovery programs and best practices will need to be integrated into a law firm’s day-to-day operations.
“Legal teams will utilize workflow-based project management technology and practices to move from a reactive approach to e-discovery to a measurable, repeatable business process,” Scott says. “This effort will be driven by e-discovery legal practitioners with broad knowledge bases in both law and technology.”
Attorneys will also need to advise clients that their employees’ blissful ignorance will come with a heavy price. “If people must use social media, they should first know their employer’s privacy protocols cold, and realize that they are at risk of losing their privacy if and when they mix their use of personal, social media into their workspaces,” Brestoff says.
Indeed, increasing numbers of lawyers are expected to find themselves embracing and endorsing the same computing technologies they now view as risky once they decide the risk is worth it.
“Law firms are likely to outsource their data to the cloud themselves after thinking about disaster recovery and worrying about preserving the attorney-client privilege, just as some of them have outsourced review to teams of supervised foreign attorneys in other countries,” Brestoff says.
Those who make the move will also find that some of the same technologies creating a heavier e-discovery workload will at least relieve some of the tedium associated with document review.
“For instance, a large document review of perhaps 15 million pages may be further shortened or rendered redundant by more precise search and text-recognition software,” says New York City e-discovery attorney and consultant Alex Bates. “Attorneys will still have a role in the analysis of the data, but the grunt work of placing it into issue categories will have been performed.”
Moreover, the sheer volume of data being created by all these technologies may have another, albeit unintended, positive: more cooperation by opposing attorneys, at least while in the midst of battle. The Federal Rules of Civil Procedure already lay out the process for cooperation in determining e-discovery parameters, and litigants have been sanctioned for not following that process.
“I do not think that the large volume of data will force more settlements,” says client services manager Jones of Lighthouse Document Technologies. “Instead, I believe parties and their counsel will be forced to work more cooperatively with the opposing party. The desire to reduce production will force both sides to work together to limit the scope of discovery.”
Still, whatever developments work out, it seems Star Trek’s Borg were right after all: When it comes to the increasing demands of e-discovery, your resistance is futile.
You will be assimilated.
CorrectionIn print versions of “The Trouble with Terabytes,” several words were dropped from a quotation from e-discovery general counsel Matthew Knouff. The full quotation should have read: “A service provider cannot be held liable for disclosing information pursuant to a legitimate government order, and a civil suit cannot be brought against the U.S. government for anything less than willful disclosure violations.”
In print and early Web versions of "The Trouble with Terabytes," Jamie Kinsler identified herself as a principal at EDRM Consultants in Seattle. Kinsler failed to disclose that she had not registered her company with the Washington secretary of state, and she has since abandoned plans to do so. Kinsler is an independent consultant, not a principal of a firm. Due to an editing error, the article identifies her as a lawyer. Kinsler has a law degree, but has not claimed to be a lawyer or to practice law.
The ABA Journal regrets the errors.
Joe Dysart is a freelance writer in Holbrook, N.Y.
Joe Dysart is a freelance writer in Holbrook, N.Y.