Forensic Barriers Legal Implications of Storing and Processing Information in the Cloud

Transcription

1 Forensic Barriers Legal Implications of Storing and Processing Information in the Cloud Aaron Alva, Scott David and Barbara Endicott- Popovsky Abstract Litigation represents an out-of-the-ordinary event for organizations. A significant percentage of the costs of litigation are associated with the pre-trial processes through which facts are gathered by the parties to be presented to the judge or jury. As organizations become increasingly dependent on cloud services, they will require increasing levels of assurance that cloud services will be performed in accordance with business, legal and technical standards sufficient to enable preparation and support for litigation. This paper examines some of these issues, suggesting a framework for thinking about this problem, suggesting avenues of future exploration. Author Aaron Alva is a candidate of the Masters of Science in Information Management at the University of Washington. He will be attending the University of Washington School of Law next year to begin a joint- Juris Doctorate. He earned his Bachelor's at the University of Central Florida studying political science with a minor in digital forensics. His interests are in cybersecurity law and policy creation, particularly digital evidence admissibility in U.S. courts. Aaron is a recipient of the National Science Foundation Federal Cyber Service: Scholarship For Service, and is a member of the American Bar Association Information Security Committee. 1. Introduction For organizations, litigation represents an out-of-the-ordinary event. Unusual events typically attract little attention and few resources, with focus instead being placed on the normal operating demands of running an organization. As such, litigation is not often adequately planned. Day-to-day issues and concerns frequently take precedence. Because litigation is unusual, it is frequently costly. Some of that expense can be mitigated with better pre-planning. Fortunately, many of the techniques and approaches that can be implemented to control future litigation costs can also yield day-to-day benefits that arise from better data system hygiene. These dual use techniques and approaches can therefore be better justified as having value even in the absence of future litigation. A significant percentage of the costs of litigation are associated with the pre-trial processes through which facts are gathered by the parties to be presented to the judge or jury. These facts are discerned from information provided by parties to a lawsuit and other non-litigating parties that are called upon by the court to provide information for use by the parties in the lawsuit. Thus, discovery costs may be borne by parties whether or not they are directly involved in a lawsuit.

2 In either event, the facts are conveyed to the court through the discovery process where information in various forms (such as written materials, testimony, recordings, physical evidence, etc.) is requested for use in the proceedings. Those systems that are able to produce information most readily, upon demand, will be best able to respond to such discovery requests. Not surprisingly, they will also be those that are frequently the most comprehensively managed, which yields myriad day-to-day benefits to businesses. These are also areas in which litigation planning and good data hygiene can merge. For this reason, the term forensically ready was coined. Notwithstanding the potential benefits both within and outside of the litigation context, only 56% of organizations polled have, or are in the process of developing, a defined information retention policy. 1 For organizations storing information in the cloud, only 16% stated an Electronic Discovery, or ediscovery, plan was in place before moving data to the cloud. 2 Additionally, one study has noted that a large majority of cloud providers, and general counsel and business managers from organizations, did not understand general ediscovery requirements. 3 These numbers suggest that there are broad possible opportunities for improvement in the area of discovery, and in the management of cloud-related risks more generally. In an effort to identify areas of possible improvement in the ways that organizations handle data, and toward the greater goal of reducing organizational risks and costs associated with data and information handling, this paper will consider selected examples of such risks, using discovery requirements as a source of objective requirements from which cloud-related planning can be prompted. Among the risks that migration of data storage and processes to the cloud presents are new functional, operational, legal and administrative barriers that affect the collection and processing of electronically stored information, or ESI which resides in the cloud. These barriers in turn can result in new legal risks, particularly where there is insufficient anticipation of how the barriers might impede responsiveness to compelled requests for information. These legal risks can arise regardless of whether or not such data is compelled for a court case, since there are several related scenarios under which an organization might be called upon to provide information (including various administrative proceedings, regulatory review and investigation, contractually-defined performance audits, etc.). This article will explore some of the risks involved with processing and storing data in the cloud, particularly for Electronically Stored Information, or ESI subject to electronic discovery. We will 1) discuss legal instruments that control cloud provider/consumer relationships; 2) detail barriers that increase the legal risks of storing information in the cloud, including implications of U.S.-based ediscovery requirements; and 3) explore the balance between the potential costs of a purely reactive strategy resulting from a lack of forensic readiness and the costs incurred with respect to a planned strategy by putting a forensic- and discovery- ready system in place. 1 Symantec. Information Retention and ediscovery Survey Global Findings Accessed June 27, a54646.pdf 2 Barry Murphy, e-discovery in the Cloud is Not As Simple As You Think, Forbes, November 29, 2011, accessed June 14, 2012, 3 Results of the 2012 edsg Investigation of Cloud Service Providers and ediscovery, last modified March 7, 2012, edsg-investigation-of.html 2

3 2. Legal Control Structures Cloud services are used by organizations as part of their normal operations. Cloud services agreements are typically entered into online without the formalities (and generally without the negotiation) that might characterize more traditional service agreements that document outsourced computer services. Whether entered into online or through more traditional means, the agreements document and memorialize the respective rights and duties of the cloud provider and the party using the service. Most of these agreements purport to cover cloud provider obligations in the context of litigation and other compulsory processes; however, because they are prepared by the same service providers that offer their cloud services, the terms typically emphasize the interests of the service provider. In other words, they are typically drafted to relieve the service provider of obligation or liability to the extent possible. This is not surprising, as all parties prepare their contract offer in a manner that is to their advantage. The issue is whether any terms can be modified, and if they cannot, whether the service provider s service offering is sufficiently attractive that the risks to the service customer from any nonnegotiable, or un-negotiated terms remains acceptable to the customer. In any event, it is clear that prior to any actual legal action, there are agreements that control the duties and rights within the relationship between the cloud provider and customer. Those agreements will affect the organization s rights, duties and obligations both during its ordinary operations and in the event that the organization is involved in legal action. This paper advocates that both settings should be taken into consideration in evaluating cloud service agreements. It also posits that organizations that are not in a position to negotiate cloud service terms can still take unilateral actions to protect their interests such as structuring their data operations and their contracts with their other suppliers and customers to address issues resulting from the standard cloud service rules. The use of a third party service to store the data of an organization introduces a host of new issues that should be considered before migration to the cloud occurs, and with each successive step through which organizational dependence on cloud services increases. These issues should inform the specific arrangements through which cloud services are procured, even where a cloud customer does not have the opportunity to negotiate terms. Where possible, the issues should be addressed in the agreements through which the cloud services are received. Where those contracts cannot be negotiated, consideration should be given to limiting the manner in which the cloud services are used to protect the company against the risk of using a service that might not deliver the needed services in a given context that is important to the organization. The ability to respond to requests for information in the context of legal processes may be one of these contexts, particularly for organizations that operate in regulated industries or sectors where litigation is more common. Ensuring that cloud services used are forensically ready to the satisfaction of the organization whether by the promises of the cloud provider made in its agreement or by the unilateral internal action of the organization itself through unilateral action to protect its interests while using a service would help to mitigate the risk of the inability to produce forensic evidence. 4 4 Barbara Endicott-Popovsky and Deborah Frincke, Embedding forensic capabilities into networks: addressing inefficiencies in digital forensics investigations (paper presented at the IEEE Information Assurance Workshop, United States Military Academy, West Point, New York, 2006). 3

4 3. Service Level Agreements Service level agreement (SLA) is the term applied to those contracts that document the undertakings and control the relationship between the customer and the provider of a service, including those various services provided by cloud service providers. The terms agreed to within the SLA should typically provide guidance on how a production request for evidence will be handled; with the typical provision usually crafted to relieve the service provider of additional burdens to the extent possible. This approach is, unsurprisingly, taken by cloud providers to help control cloud provider costs and liability, which would otherwise affect the price of cloud services. It is also done in order to enable the service to achieve the benefits of scale; an ability that might be diminished if the cloud provider sought to address the various details of reporting obligations in myriad administrative processes and judicial courts in multiple jurisdictions. A large majority of cloud forensics survey participants noted that tools, techniques and other information for forensics investigations should be included in SLAs. 5 It is important and relevant to an organization s business decisions to provide the decision makers involved in strategy and contract administration with an overview on the particular legal implications of SLAs and how SLAs affect the relationship between the customer and provider in both ordinary and out-of-the-ordinary situations. Those legal provisions have business and other economic and strategic implications for the organization. SLAs can be of importance particularly when setting terms for collection of forensic data or for ediscovery. SLAs typically delineate obligations of the cloud provider with respect to uptime for the customer, and other relevant commercial terms. To the extent that they are covered at all, provisions dealing with litigation-related data requests are often given limited treatment, sometimes embedded within a general statement that the company will comply with all laws and legal process. Some commenters have suggested that a more specific treatment of the topic is appropriate, and several have advocated that agreements should include language on how evidentiary records requests will be handled, 6 including the processes for conducting investigations that respect the laws of multiple jurisdictions. 7 Like all outsourcing, cloud contracts reflect a decision that certain organization functions can be better provided with resort to non-organizational resources. This means that, ultimately, the services will be rendered by parties that are not employees of the organization and are therefore not within the direct control of the organization. As a result, the entirety of the relationship is captured by the terms of the SLA. The SLA is the source of the authority to resolve all issues and disputes between the cloud service provider and the user. If it is not in the contract, it is not part of the formal relationship. As a result, the terms of the SLA dictate the rights of the user and the duties of the service provider with respect to the availability of forensic data (such as usage logs and other information about the system 5 Keyun Ruan, Joe Carthy, and Tahar Kechadi. Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis (paper presented at the 6th ADFSL Conference on Digital Forensics, Security and Law, Richmond, Virginia, 2011). 6 Bernd Grobauer, and Thomas Schreck. Towards Incident Handling in the Cloud: Challenges and Approaches in Proceedings of the 2010 ACM Workshop on Cloud Computing Security Workshop (2010), Keyun Ruan, Joe Carthy, Tahar Kechadi and Mark Crosbie. CLOUD FORENSICS, in Advances in Digital Forensics VII, ed. Gilbert Peterson and Sujeet Shenoi. (Springer, 2011),

5 and its function) for the customer that could be among the types of data that could be required to be produced in the event of a discovery request. If the SLA does not address what type of process or system data (including metadata) will be provided for the customer, then the cloud provider has no contractual duty to provide such information. This creates at least a couple of legal implications: 1) it can result in more limited access by the organization to forensic data than is needed to respond fully to court compelled discovery; 2) it can lower the quality of evidence available to the company. Importantly, the organization that is the subject of the data request will continue to be responsible to the court to produce the data required. The obligation is not shifted to the cloud provider. As a result, organizations that do not pay sufficient attention to the SLA may find themselves to be caught between a government requirement that they produce data and a cloud service provider that is unable to adequately perform service in that context. Unless the SLA provides otherwise, the failures to adequately respond to the data production requirement can result in penalties, sanctions, and other undesirable results for organizations involved in litigation. It is important to note that an SLA is only binding between the parties and does not restrict the information that may be sought under a warrant or subpoena issued by a government authority. An SLA that denies access to forensic data requested by the customer (such as metadata) does not provide protection for the customer in the case of a subpoena or warrant from the courts. If a warrant compels production, the provider s terms from the binding SLA are not a shield for providing additional data such as metadata, log files, or other information. In these cases, if they exist they must be produced. The rights and duties of organizations under Service Level Agreements and other contracts have broad economic and strategic legal implications, as well as legal impact, if they impair an organization s ability to perform its legal obligations in a legal case and require that cloud customer to spend more money and resources on ediscovery production than they might otherwise have to. Organizations should read and review their cloud agreements in order to understand, at a minimum, the additional risks involved with storing information in the cloud. From an information management perspective, legal aspects should be included in analysis of systems to ensure compliance, but also to understand risks involved with cloud integration. 8 A more extensive discussion of these tradeoffs will be presented in a discussion on opportunity costs. 4. Barriers to Usefulness and Admissibility of Cloud- Based Evidence The field of cloud forensics is emerging to address the study of the technical, organizational, and legal issues associated with digital forensics conducted in cloud computing environments. 9 The field of cloud forensics is related to the processes of Electronic Discovery, or ediscovery. The term ediscovery refers to the legal requirements that compel organizations to make available all documents and other information relevant in a U.S. civil legal case. ediscovery refers specifically to the process of identifying, preserving, collecting, preparing, reviewing, and producing electronically stored information ( ESI ) in the context of the legal process. 10 These requirements can affect records 8 Farwick et al. Towards living landscape models: Automated integration of infrastructure cloud in enterprise architecture management (presented at the IEEE 3rd International Conference on Cloud Computing (CLOUD), 2010). 9 Ruan, Carthy, Kechadi, et. al., CLOUD FORENSICS. 10 Sharry B. Harris (Ed.). The Sedona Conference Glossary: E-Discovery & Digital Information Management (Third Edition). (The Sedona Conference, 2010). 5

6 management in various ways, since they raise the importance within the organization of ensuring an organization s records are producible, on demand, in an efficient, searchable manner. Planning for cost effective production of ESI from the cloud to respond to ediscovery requests requires analysis of how characteristics of the cloud environment create unique legal issues. In general, the ediscovery process is characterized by six stages, as described by the Electronic Discovery Reference Model (EDRM). 11 This reference model is a common framework for the development, selection, evaluation, and use of electronic discovery products and services. 12 The first two stages of ediscovery are (i) Information Management and (ii) Identification, both of which occur prior to any legal action. These two planning stages prepare an organization in the event of an ediscovery request. The third stage, Preservation (including Collection) occurs following a potential litigation hold. The Preservation stage is characterized by a requirement that the organization ensure potentially relevant ESI is preserved. Stage four, Processing/Review/Analysis, encompasses the processing of ESI and potential conversion into a reviewable format; the evaluation of the ESI for relevance; and the continual analysis of the fact-finding process for the ESI. Stage five, Production, involves the producing the ESI into an agreed-upon format to reduce costs and for use in court. Finally, stage six, the Presentation stage is, as the name suggests, the stage at which potential evidence is presented in the court to go through the relevant evidentiary tests such as admissibility, etc., and to be offered as exhibits for the case. These six stages help to describe the general steps of the ediscovery process, and for present purposes, can act as a reference model for the understanding of ediscovery, and how its requirements might be affected by the use of cloud services. The focus on examples from U.S. law are intended to be illustrative, and not comprehensive. It is recognized that the ediscovery rules will vary from one jurisdiction to another, and the issues raised are intended merely to prompt consideration of steps that can be taken by all organizations, in any country, prior to the institution of litigation or other situation in which information production is compelled, and in which an organizations data handling weaknesses can become more costly (such as through the application of penalties and sanctions) than being a mere embarrassment. In this article, emphasis is placed on the period prior to the initiation of formal legal action, when the parties, and their respective internal policies and external contracts form the basis for the parties data duties and rights. The focus is on the beginning phases of the ediscovery process in general. Particular requirements of ediscovery rules in one jurisdiction or another, are not presented. Both the Information Management phase and the Identification phase present opportunities to focus on planning that can yield significant benefits for the organization. For example, prior to the preservation phase, 13 the organization should identify all ESI sources that potentially would be required to comply with a litigation hold 14, and in particular those that are stored exclusively in cloud services. 15 The goal is to identify potential barriers presented by the use of cloud services that suggest potential legal implications 11 EDRM Framework Guides, Electronic Discovery Reference Model, accessed June 25, 2012, 12 EDRM Frequently Asked Questions, Electronic Discovery Reference Model, accessed June 23, 2012, 13 See next section, Preservation for ediscovery 14 Id. 15 Identification Stage, Electronic Discovery Reference Model, Electronic Discovery Reference Model, accessed June 25, 2012, 6

7 for future discovery. By understanding and strategizing how to deal with such barriers prior to legal action, an organization can avoid additional costs while mitigating risks. When there is a reasonable anticipation that litigation may occur, a litigation hold must be issued. 16 This means that all ESI potentially relevant to a case must be preserved in the event of a court case. 17 Care must be taken to ensure the document preserved is the same as that was originally created. 18 This raises questions regarding authenticity which are exacerbated in cloud services where there may be additional costs and burdens imposed on a cloud services user, particularly where their cloud contract is unclear, or where the litigation hold involves voluminous or complex information. This raises the question of whether the rules of evidence anticipate any relief in the cloud context. The Federal Civil Rules of Procedure provide the following exception for ESI that may be inaccessible: Specific Limitations on Electronically Stored Information. A party need not provide discovery of electronically stored information from sources that the party identifies as not reasonably accessible because of undue burden or cost. On motion to compel discovery or for a protective order, the party from whom discovery is sought must show that the information is not reasonably accessible because of undue burden or cost. If that showing is made, the court may nonetheless order discovery from such sources if the requesting party shows good cause, considering the limitations of Rule 26(b)(2)(C). The court may specify conditions for the discovery. 19 As cloud services become more familiar and ubiquitous, it may be more difficult to assert that information in the cloud is not reasonably accessible. Further, in addition to organization responsibility, legal counsel for an organization has specific duties with regards to ediscovery. Once a litigation hold is in place, legal counsel has a duty to monitor compliance of the production of relevant documents. 20 Whatever the specific arrangements entered into by an organization using cloud services, when maintaining and processing information in the cloud, there are certain issues that should be considered to minimize the potential for negative impact. These include: third-party control, jurisdictional issues, and authenticity of data questions. The following discussion highlights these barriers and the unique issues that must be considered for potential cloud-based evidence. 5. Jurisdiction and Cloud Computing In contrast to networked information systems, which apply to the global cloud, nation states are bound to geography. Since 1648, and the signing of the Peace of Westphalia, countries have enjoyed fixed geographic borders that are intended to be respected by other sovereign nations. Within their respective borders, countries are sovereigns that are able to pass their own laws. This results in a patchwork of legal regimes from a global perspective. 16 Zubulake v. UBS Warburg LLC, 2004 U.S. Dist. LEXIS 13574, (S.D.N.Y. 2004) (Zubulake V) 17 Zubulake v. UBS Warburg, 220 F.R.D. 212 (S.D.N.Y. 2003). (Zubulake IV) 18 The Sedona Conference Commentary on ESI Evidence & Admissibility The Sedona Conference. March FRCP 26(b)(2)(B) 20 Zublake V 7

8 The concept of jurisdiction in law is a quite formal consideration of whether one legal authority or another (such as a national sovereign) has auspices over a particular legal matter. The tests are varied, depending on context, but typically come down to the idea of whether there is some nexus or connection to a jurisdiction. This patchiness leaves its imprint on the cloud which is deployed on servers and devices around the globe, and more importantly which handles data relating to parties in multiple jurisdictions and subject to multiple separate legal regimes. This simple distributed architecture creates havoc as different courts and regulatory authorities untangle issues of sovereignty and jurisdiction. Disputes come in many shapes and sizes, so that it is not possible to describe the specific characteristics of a system that are needed to respond to all types of disputes. The spectrum of disputes can range from undiscovered and unasserted nascent claims through full formal legal actions in court, with each stage lending itself to different forms of dispute resolution. Where the dispute results in formal legal action, the actual case can take two forms civil or criminal: 1. Civil cases: where one person or entity brings a claim against another person or entity for a failure of a legal duty. For civil cases, the Federal Rules of Civil Procedure (Fed R. Civ. P.), or similar state jurisdictional rules are followed. Civil cases now typically rely on some aspects of ediscovery, and the discovery process in Federal courts is followed using the Fed R. Civ. P. 2. Criminal cases: which involve criminal charges the government brings under U.S. Code or other state or federal laws. For that subset of such criminal cases that involve computer systems and related systems, forensic evidence is likely to be sought to be admitted as evidence in order to prove a fact. For instance, cases involving unauthorized access to a system will require sufficient evidence to show the break in, and attribute it to a particular suspect. This article will touch on authenticity issues and other legal considerations involving cloud-based evidence in civil cases, it will not focus on criminal cases. We focus on the ediscovery process for the production of business records, which are typically produced for civil cases. In both civil and criminal cases, authenticity of evidence (including forensic evidence relating to a computer system) is critical, yet the field of cloud forensics is just emerging. There are situations in which an unauthorized access dispute may require information from systems not directly involved in the dispute. This potential reason of production may not be anticipated, which highlights the need to bake-in discovery support from the very beginning design stages of the information system. The presence of potential contacts ( nexus ) in multiple jurisdictions is consistently noted as a primary issue in cases involving cloud evidence. 21 The tests of contacts varies from one jurisdiction to another, and even from one law to another within a jurisdiction. For civil cases, when the data and entities involved in the case are in different geographic areas, the primary jurisdictional requirement is that the forum state (the state where an action is brought) should have enough connection with a problem to satisfy constitutional and statutory requirements. 22 The location of data is obscured by use of cloud services. This raises the question of whether the jurisdiction in which it is stored is even relevant as a place of connection sufficient for jurisdiction to be 21 Ruan, Carthy, and Kechadi, Survey on cloud forensics and critical criteria for cloud forensic capability: A preliminary analysis. 22 William M Richman and William L Reynolds, Understanding Conflict of Laws, 3 rd edition, (Danvers:LexisNexis, Matthew Bender, 2002). 8

9 invoked. Storage of information in the cloud is still relatively new, and the law has not caught up to cloud environments. As a result, the answers of law may differ depending on the situation. For instance, the tax law under the OECD Model Income Tax Treaty Article 5 states that a permanent establishment (an income tax treaty term for connection ) is present if a party owns a server in a jurisdiction, but not if they merely have a website (and presumably data) that is accessible from that jurisdiction. Data breach notice laws of many states, offer a contrasting example. Many of these laws differ from one state to another with the result that the choice of which law applies matters. These laws each provide that it is the law of the jurisdiction in which the affected data subject resides that is applied, not the law of the location of the data and not the location of the company operations that held the data. Thus, companies from which personal information was stolen are often obliged to send out notices that conform to the many different laws where the data that was compromised relates to people from different states. This is only the tip of the iceberg regarding the potential complexity of jurisdiction and suggest challenges for the application of the law for ESI. One significant issue occurs when the parties and evidence are located in different jurisdictions. A complex area of law called Conflict of Laws has been developed to resolve these issues. This body of law is beyond the scope of this article and will not be addressed here. Suffice it to say that there are myriad considerations in different contexts that inform the analysis. The most important point to be made regarding conflict of laws, like jurisdiction issues, is that the issues associated with the multijurisdictional nature of cloud based data storage may be new, but they are not entirely unique, and similar issues arise frequently in disputes outside the realm of cloud storage. 23 What is new in the cloud context is the broader distribution of data, and the ascendency of data in value and importance, which may in some contexts elevate it to a more significant variable in the consideration of both jurisdiction and choice of law. Stated simply, in the cloud, it is more difficult to determine the nexus of activity, and its location, and then understand the proper jurisdiction or applicable law in a case. Current case law offers little overarching direction as to how jurisdictional matters will be solved in ediscovery disputes involving cloud-based evidence. 6. Third Party Control for Cloud- Based Evidence One common feature of cloud services is that they demand reliance on one or more third parties that deliver the service. As businesses become increasingly dependent on cloud services, they will require increasing levels of assurance that third party cloud services will be performed in accordance with business, legal and technical standards sufficient to enable the cloud service recipient to engage in its business in a normalized fashion, and consistent with the expectations of both its management, its shareholders and its customers. In other words, organizations that use cloud services will depend on reliable performance of their cloud service subcontractors in order for the companies to perform satisfactorily for their own customers. Cloud providers will be relied upon to provide information-related services consistent with cloud customer needs at each level of dispute; from the very earliest stages of dispute all the way through the rare, but eventful, court case. At the earlier stages of a dispute, before a complaint is filed in court, the Federal rules of evidence and related court rules relating to formal discovery will not directly apply; but as noted above, they can 23 Aaron Alva, Ivan Orton, Barbara Endicott-Popovsky. Legal Process and Requirements for Cloud Forensic Investigations. Cybercrime and Cloud Forensic: Applications for Investigation Processes. IGI Global. (forthcoming 2012). 9

10 inform the planning phases. In addition, at those earlier stages, sources of dispute resolution rules will vary. They will typically be informed by the agreements, contracts and policies through which the parties receive the cloud services and other services. 24 It is recognized that once a formal legal action is initiated, these formal discovery and evidence rules apply, which significantly affects the manner in which the parties interact in sharing information. Because cloud service users rely on third party service providers and their contracted services, legal questions can arise regardless of any laws or regulations as to the actual possession of the data. Who is the actual custodian of the data? Issues of dominion and control of digital objects for forensic investigations have arisen prior to today s broader use of cloud computing. 25 Now, the networked, multi-tenant, multijurisdictional characteristics of cloud computing raise new questions as to which party has control over the data. If the third party retains control over necessary data (such as metadata), then the contract and SLA determine the parties obligations that inform how difficult it will be for this data to be recovered. For ediscovery, these questions arise in the procedures governing the process whereby the discovery request is for items in the responding party s possession, custody, or control. 26 The responding party in this case would be the organization in question, though the actual control of ESI may be in the hands of the third-party cloud provider. Additionally, the rules provide that parties that destroy information may be subject to spoliation penalties. The rapid provisioning of the cloud is a key characteristic that has taken place frequently without consideration of the long-term storage requirements of records management, including issues of records preservation, spoliation and disposal. The supposed exemptions on possession of ESI and on what is considered normal course of business are strongly relevant due to the nature of the cloud, and could be potentially applied to parties that store information in the cloud. Ultimately, the unique aspect of thirdparty control as a legal barrier for forensics will be strongly dependent on the legal instruments that control the relationship between the cloud provider and cloud consumer. The early identification phase gives organizations an opportunity to properly plan for and understand the ediscovery requirements prior to actual legal action. 27 By identifying key individuals involved; conducting a data mapping; identifying relevant ESI sources; and certification that all sources are valid, an organization can better understand any third-party implications that may arise. 28 This includes understanding the level of support to expect from a third-party provider consistent with the language in the contract. Additionally, knowledge of what critical ESI is stored outside of direct control stands as a cost-savings measure for future disputes This article does not seek to replicate the many articles that discuss the evolution of the rules of evidence and discovery rules to accommodate digital information processing. Readers are encouraged to review those sources for that perspective. See Federal Rules of Civil Procedure for ediscovery, particularly Fed R. Civ. P. 26. See also Federal Rules of Evidence for evidence admissibility, particularly Fed. R. Evid 901 on authenticity. 25 Michael Losavio, The Law of Possession of Digital Objects: Dominion and Control Issues for Digital Forensics Investigations and Prosecutions (paper presented at the First International Workshop on Systematic Approaches to Digital Forensic Engineering, 2005). 26 Federal Rules of Civil Procedure 34(a) 27 Ibid. 28 Ibid. 29 See Section 4 10

11 From a third-party control standpoint, preservation must be conducted for any relevant ESI that is stored in the cloud as well. The fact that ESI is stored by a third-party should not excuse the information from such requirements. Thus, an important area where cloud computing complicates the preservation requirement is with respect to third-party control. For example, an additional step must be taken to inform the third-party that a litigation hold is in place, and that certain ESI must be preserved. If this issue is anticipated in a legally binding agreement between the customer and the provider, then the contract will control such request. In the cases where the cloud provider and customer have no contractual obligations or processes for dealing with preservation, the customer takes on the additional risks and costs associated with the attempt to comply with a litigation hold. These risks and attempts at anticipating compliance challenges and solutions give rise to countless what if scenarios that will differ depending on the architecture of the organization s systems, any records retention policies that may be in place, the willingness of the third-party provider to work with the customer, and more. Further, there is difficulty for the customer in weighing potential spoliation fines against the higher burden of ensuring evidence stored in the cloud is preserved. The not reasonably acceptable 30 basis for not being able to preserve evidence would likely be tested to help determine potential spoliation disputes. 8. Authenticity Issues Authenticity is a critical gate for evidence admissibility in court to show evidence is what it purports to be. The unique aspects of cloud-based evidence present challenges in authenticity that must be considered throughout the development of processes for storing information in the cloud. A seminal court case on handling ESI advocates strongly for thoughtful advance preparation when admitting evidence to court. 31 Planning to ensure data and the processes to store data in the cloud that are forensically ready would aid in developing a clear showing of admissibility. As such, an understanding how data will be authenticated is relevant. For a U.S. trial, the prerequisite for admissibility is to show that the ESI is what it purports to be (Lorraine v. Markel, 2007). There are ten non-exclusive ways suggested by the Federal Rules of Evidence 901 to show authentication: 1. Testimony of a Witness with Knowledge 2. Nonexpert Opinion About Handwriting 3. Comparison by an Expert Witness or the Trier of Fact 4. Distinctive Characteristics and the Like 5. Opinion About a Voice 6. Evidence About a Telephone Conversation 7. Evidence About Public Records 8. Evidence About Ancient Documents or Data Compilations 9. Evidence About a Process or System 10. Methods Provided by a Statute or Rule Fed R. Civ. P. 26(b)(2)(B) 31 Lorraine v. Markel American Insurance Company, 241 F.R.D. 534 (D.Md. May 4, 2007) 32 Fed. R. Evid 901(b) 11

12 Most potentially relevant for cloud-based evidence are Testimony of a Witness with Knowledge and Evidence About a Process or System. For these two methods of authentication, an expert witness will (or most likely will for the latter) testify whether the evidence is what it purports to be. The expert witness must lay a foundation qualifying him or her as qualified. This qualification would include the following assertions: "(a) the expert s scientific, technical, or other specialized knowledge will help the trier of fact to understand the evidence or to determine a fact in issue; (b) the testimony is based on sufficient facts or data; (c) the testimony is the product of reliable principles and methods; and (d) the expert has reliably applied the principles and methods to the facts of the case". 33 Proving authenticity by evidence about a process or system is "designed for situations in which the accuracy of a result is dependent upon a process or system which produces it". 34 This may be the case for cloud-based evidence, particularly where cloud-based evidence is gathered by a third-party, the cloud provider. Questions such as attribution of data to a cloud customer (or with further granularity) may be asked in order to show the process for these determinations was well-documented and properly followed. 9. Chain of Possession Issues The party that is the subject of the information request, i.e., the cloud provider, will typically be less able to affirm that the data was treated or handled in a certain manner simply as a result of it having been held in a cloud service. In this chain of possession issue, the cloud service provider is a link in the chain that is outside of the cloud service recipient s direct control, and as such represents a potential unknown in any data production context, whether or not there was unauthorized access. Clearly organizations using cloud services need to be able to know and attest to the manner in which data for which they are responsible was collected, held, used, transferred and disposed of. In the seminal case Lorraine v. Markel, Magistrate Judge Grimm aptly noted, "the inability to get evidence admitted because of a failure to authenticate it almost always is a self-inflicted injury which can be avoided by thoughtful advance preparation." 35 Such preparation is one of the main purposes of the identification phase for ediscovery. For cloud-based evidence, admissibility is likely more challenging due to the many technical and legal barriers mentioned in this article. A strategic plan to ensure evidence preserved will contain sufficient data about data, or metadata, to properly authenticate it is recommended. Authenticity issues that arise for ediscovery will include whether there is sufficient metadata available to confirm the evidence is what it purports to be. As mentioned, the cloud presents many barriers to authenticity, from control of data (availability and chain of possession); to privacy of other tenants; and the use of reputable processes to obtain cloud-based ESI. The implications for ediscovery will touch on each of these issues, and are not particularly unique to ediscovery itself. Ensuring proper authenticity will create a structured system whereby effective records management processes will lead to a more cost-effective production in the event of a legal dispute. In summary, the cloud presents a series of unique issues that should be considered when storing relevant information in the cloud. We do not seek to be comprehensive in this article; there are additional issues that the cloud raises, such as multi-tenancy and its effect on access to shared logs or metadata. This walkthrough raises many questions regarding the particulars of each element that present potential areas 33 Fed. R. Evid Fed. R. Evid. 901(b)(9) Advisory Committee note 35 Lorraine v. Markel,

13 for additional research. We also advocate that organizations take the time to understand and plan for a preservation request. While this list is by no means comprehensive, it presents some initial important areas that warrant an understanding of risks involved. This understanding should be informed by the opportunity costs incurred if these issues are ignored. 10. Opportunity Costs There are clearly tradeoffs involved with storing information in the cloud, and in relying on the cloud for other information processing functionality. The legal implications described in this article are among the factors that should be taken into account in considering the potential costs for choices made to mitigate these problems, as well as cost of choices deferred. The former (i.e., choices made ) are direct costs associated with design, development and deployment of information systems in accordance with choices made. The latter (i.e., choices deferred ) are opportunity costs, or the relative value of the alternative choice not taken in comparison to the choice that was actually made. There has been case law setting forth precedent on how the courts will handle costs of ediscovery, which are relevant in the opportunity costs analysis. The widely used Zubulake test has arisen as a legal process for determining such costs. 36 The Zubulake test arose as an update to an earlier cost-shifting test. 37 The previous test, the Rowe test, was a standard for decisions in cost-shifting, and was updated in order to provide a more neutral analysis by the courts. 38 The Zublake test sets out the following new factors for determining costs: 1. The extent to which the request is specifically tailored to discover relevant information; 2. The availability of such information from other sources; 3. The total cost of production, compared to the amount in controversy; 4. The total cost of production, compared to the resources available to each party; 5. The relative ability of each party to control costs and its incentive to do so; 6. The importance of the issues at stake in the litigation; and 7. The relative benefits to the parties of obtaining the information 39 The judge will determine the breakdown of production costs, and will weigh in on cost-shifting. This test offers guidance for what costs may be, though the scope of this article will not consider such costs. Another potential cost exposure arises with respect to spoliation, which is defined as the destruction or significant alteration of evidence, or the failure to preserve property for another's use as evidence in pending or reasonably foreseeable litigation. 40 Penalties for avoidable spoliation can be expensive, and the court can even decide that spoliation of important evidence is grounds for ruling. The Federal common law" of spoliation creates incentives for organizations to implement systems that 36 Zubulake v. UBS Warburg, 217 F.R.D. 309 (S.D.N.Y. 2003). (Zubulake I) 37 Rowe Entertainment, Inc. v. William Morris Agency, Inc. 205 F.R.D. 421 (2002). 38 Zubulake I 39 Ibid. 40 West v. Goodyear Tire & Rubber Co., 167 F.3d 776, 779 (2d Cir.1999) 13

14 protect against loss or corruption of potential ESI. 41 Additionally, statutory or regulatory requirements may impose more requirements for the archiving of records. Legal instruments that limit ediscovery present additional risks (and corresponding costs) to an organization based on the language of the contract, and the characteristics of the cloud environment itself. From a contractual perspective, one potential cost is clear. The customer may assume greater costs of production in response to an ediscovery request if cloud service providers fail to satisfy requests for information production to the satisfaction of the relevant requesting authority. Such costs may be compounded by penalties and fines for failure to comply. Ideally, a cloud customer should negotiate inclusion of the service provider s responsibility for payment of any penalties and fees that arise as a result of the provider s failure to produce information in accordance with the terms of the agreement. Contracts clearly have direct cost implications that could affect the customer. In addition to the third-party control questions regarding who actually possesses and controls the data, 42 there are also dutyto-preserve questions that could impose costs due to the inaction of the third-party provider. 43 At least one source contends that a duty to preserve may extend to evidence entrusted to others, and in such instances a party may be held liable for spoliation committed by a third party to whom it entrusted the destroyed evidence. 44 Thus, a contract also has the potential to directly harm the customer by what it fails to address, such as in those cases where legal preservation of data by the cloud provider is not established as a contractual obligation. While a lack of explicit forensic and discovery support in a contract or SLA poses a risk to the customer, this opportunity cost is difficult to quantify. More research is required. 45 Typically, a party will be required to produce ESI even if the costs of production are prohibitive. As such, it is in a party s interest to ensure an easy, quick and reliable method for evidentiary information retrieval. 46 Organizations will be served if they view production of ESI as an ordinary and foreseeable risk associated with electronic storage John Christiansen, Discovery and admission of electronic information as evidence, in E- Health Business and Transactional Law, 2010 Cumulative Supplement, ed. J. Sullivan. (Arlington: BNA Books, 2010) G. Paul and B. Nearon, The Discovery Revolution: e-discovery in Amendments to the Federal Rules of Civil Procedure, (Chicago: American Bar Association), See also Silvestri v. General Motors Corp., Federal Reporter Third Series, vol. 271, pp , See earlier Section Third Party Control for Cloud-Based Evidence 43 Joseph A. Nicholson. Student Note: Plus Ultra: Third-Party Preservation in a Cloud Computing Paradigm, 8 Hasting Bus. L.J Winter Margaret M. Koesel & Tracey L. Turnbull, Spoliation of Evidence: Sanctions and Remedies for Destruction of Evidence in Civil Litigation 1, American Bar Association 2d ed., 2006). 45 Results of the 2012 edsg Investigation of Cloud Service Providers and ediscovery, last modified March 7, 2012, edsg-investigation-of.html 46 Kuntze, Rudolph, Alva, Endicott-Popovsky, Christiansen, Kemmerich. On the Creation of Reliable Digital Evidence. Advances in Digital Forensics VIII Also see Fed R. Civ. P. 26(b)(2) 47 In re BRAND NAME PRESCRIPTION DRUGS ANTITRUST LITIGATION. Nos. 94 C 897, MDL 997 (1995). 14

15 Organizations should understand these risks and plan accordingly. If an organization stores records electronically, then records retrieval will be part of its ordinary business activities, and compelled records retrieval can reasonably be viewed as an ordinary and foreseeable risk. Cloud storage must be viewed as a relevant factor in assessing risk and costs. The framework and discussion of legal control instruments reviewed earlier can inform organizations of these additional risks. 48 There are clearly costs involved with ensuring systems are forensically and discovery ready. These costs should be compared to those incurred from a reactive strategy where little or no planning takes place. In addition, the prevalence of litigation in a particular industry, the nature of litigation in a particular jurisdiction and other similar variables will affect any analysis of risk. Given organization reliance on predictable data systems, it may be in an organization s financial interests to accept the additional costs of digital evidence creation and retention systems. 11. Conclusion Prior planning is necessary to ensure forensic and discovery support is baked in to an organization s arrangements for cloud storage and other outsourced computing processes, especially in contexts where litigation is prevalent. Further the data system hygiene that results can also help to render information systems more effective in ordinary operations. A particular challenge for cloud service customers is providers reluctance to offer explicit or comprehensive treatment of the relative rights and responsibilities of the customer and provider in the context of litigation. As the market develops further, it is possible that explicitly detailed treatment of forensic support by cloud providers will characterize cloud service contracts, but only if cloud service customers demand such services, or if it is compelled by government authorities. This paper advocates appropriate planning to ensure one s systems are forensically-ready, and advocates broader understanding of the burdens and benefits that storage in the cloud places on the organization, as well as the third-party provider. The evolution of cloud contract forms will frame that discussion. It remains to be seen what legal recourse will be made available to customers harmed because cloud providers do not comply with customer records requests. 12. Future Work The current context for cloud computing does not provide clarity regarding an organization s discovery risks. Further study comparing the risk/benefit of a planned strategy and the reactive strategy will shed light on the value of forensic readiness. Lawyers must thoroughly understand the responding party's computer system, both with respect to active and stored data. 49 In previous articles, we have posited that there is a lack of education and knowledge by lawyers (and judges) regarding digital evidence, 50 and that the gap will grow as systems become increasingly complex. As a result, we will continue our work with legal educators to develop digital evidence education and curriculum that will explore further how to raise the technical literacy of various components of the legal system in ediscovery and the related legal issues 48 Kuntze, Rudolph, Alva, et. al, On the Creation of Reliable Digital Evidence. 49 Zubulake I, 217 F.R.D. at Aaron Alva and Barbara Endicott-Popovsky, Digital Evidence Education in Schools of Law (paper presented at the 7 th ADFSL Conference on Digital Forensics, Security and Law, Richmond, Virginia, 2012). 15

16 that arise from cloud computing. In addition, we plan to explore toward more specific knowledge in the legal processes surrounding ediscovery in order to benefit the field. 16