Navigating Risk Inside the Cloud

Grazed from Credit Union Times.  Author: Jason Ray.

Companies are quick to incorporate cloud computing into their business functions, and with all the benefits the cloud offers, it's easy to understand why.

Software-as-a-Service (SaaS) platforms, like, allow employees to conduct their work more efficiently and at a reduced cost to the company. Meanwhile, personal cloud-computing networks, such as LinkedIn, have become important marketing and recruiting tools.  

Yet, despite all the good that cloud computing has to offer, the potential risk exposure it presents is enough to keep in-house counsel up at night.

Legal departments are just beginning to understand how cloud computing may impact e-discovery, and the initial reaction of many corporate counsel is to exert extensive control over the flow of electronic information. However, as the landscape of cloud-based apps and social media changes on a daily basis, attempting to control the actions of employees is becoming an impossible task...

The key then is not to control information in the cloud, but to concentrate on risk mitigation and defensibility. The way to do this is to understand the technology, develop proactive policies and establish management and audit procedures.

Understanding the tech

No one expects in-house counsel to become tech experts. However, corporate lawyers should at least have an awareness of the technology that exists. Without a basic understanding of the spectrum of solutions available, it is impossible for legal to develop effective policies.    

Attending tech-oriented CLE events and seminars is a good way to stay in the know about developments in business and personal technology that may affect your company. You also should have an open dialogue with your IT department to understand the type of cloud-based applications that your company uses. In addition, IT can help you determine what information lives where, whether on the corporate network or one held by a third-party provider.

Developing the policies

Once you know the technology your employees use and the types of data stored, you can begin to develop proactive policies around application usage that will help mitigate your risk should a matter arise. The purpose of these policies is to minimize the scope of potential e-discovery collection efforts in advance of litigation by establishing a list of company-approved applications. What should remain off this list is any technology that does not provide some means of oversight.   

For example, regardless of what tactics a company employs, it is nearly impossible to prevent employees from sending personal emails while at work. Thus, the key is not to quash the behavior, but rather to set some guidelines. One way to do this is to implement a policy that states your corporate email system is the only email system employees can use, whether for work-related or personal emails.

The point is that you can't stop employees from acting. There is a high likelihood that they will not consistently adhere to policy. Instead, in-house counsel should enact policies that limit the scope of company-approved technology, thereby minimizing data collection efforts in the event of a discovery request.

Managing, auditing and updating

Of course, no policy is worth the paper it is written on if you cannot adequately manage and audit it. To ensure the defensibility of your directives, you will need to establish a procedure that informs and reminds employees of your technology policies, especially if it is discovered that an employee has run afoul of them.

You will also need to develop a means to audit this process. By maintaining records that reflect your continual commitment to your policies, you can increase defensibility should your opponent raise any objections. For example, if opposing counsel makes a broad request for all information that may be potentially relevant to a case, you can argue that you only need to search the data stores identified on your company-approved list, granted you have the audit trail to prove proper policy management.

Finally, technology is rapidly evolving. Each day, dozens of new mobile applications go public while companies like Facebook and LinkedIn are constantly tweaking their social media platform. It is important to keep abreast of the market and to regularly update your policies and procedures to reflect any new technology.

Best practices for the cloud

The following are some best practices that you should consider incorporating into your cloud-computing policies and procedures. Understand that the purpose is not to curb behavior but to proactively limit the scope of your collection efforts by identifying approved cloud-based platforms.

  • Before investing in a SaaS application, do your due diligence. Understand what information is accessible and what reporting functions are included. Many of these applications were not intended for e-discovery, so you will need to know if the technology has the functionality to comply with a discovery request. Include your IT department in the conversation with your prospective vendor.
  • After a matter arises, determine the relevant custodians and question them to understand what technology they use and what data they store where. Doing so will increase the defensibility of your actions.  
  • Don't automatically assume you need to search social networks like Twitter and LinkedIn for potentially responsive information. Social media relevance is case-specific —just because information is available there does not mean it is relevant. Concerns about IP theft? Social media may be critical. Patent infringement? Not so much. Question your custodians first to determine how they use such sites, verify if the case requires expanding to these sources, and then determine if collection is necessary.
  • If you must exert some control over your employees, consider logging their Internet activity to keep records of what cloud-based technology they use. In addition, you may want to instruct IT to put a hold on a custodian's Internet cache once litigation arises.