Law Technology News noted that the National Institute of Standards and Technology has released the long-awaited “Cloud Computing Synopsis and Recommendations.”
The document is meant to provide guidelines for using cloud computing platforms so that organizations and government agencies can feel comfortable migrating data to these platforms. Most of the recommendations are common sense and practical, such as, “Organizations should understand the terms of the service agreements that define the legal relationships between cloud customers and cloud providers.”
However, the 81-page document only briefly addresses eDiscovery from cloud and social media sources. As the document notes, consumers should ask, “whether a provider can support ad hoc legal requests for: (1) eDiscovery, such as litigation freezes, and (2) preservation of data and metadata.”
In our experience, the answer is often (1) No, and (2) No.
Cloud computing providers are not interested in handling or managing your data in any way. Their business is hosting data; they leave the messy details of managing, retaining, and deleting data to you, the user. Cloud computing companies want none of the legal liabilities or complications that come with handling data, and provide only the basic mechanisms for obtaining copies of your data when necessary for litigation. eDiscovery is not a primary concern. (For example, consider the quality of produced data Facebook has provided for litigation.)
Recovering data from a cloud source is never going to guarantee a forensically complete preservation of that data. Data is always changing, especially online, and creating an archive only after a litigation hold is in place means a lot of hard work and headaches and, too often, results in an incomplete or inaccurate archive of evidence. NIST covered a lot of ground in this important document, but eDiscovery in the cloud is an issue that takes forethought and planning.