Managing eDiscovery: Cloud and Social Media Considerations

By Joel Wuesthoff, Esq. and Sunny Sanghani

Social media and cloud computing are making eDiscovery increasingly challenging for law firms, their clients and corporate legal departments -- and it’s unlikely to get any easier in the years ahead.

Consider the rapidly expanding usage of cloud services and social networking: Global cloud-based security services are projected to grow more than 45 percent to $3.1 billion by 2015; LinkedIn reported in April that it now has 300 million members, having added 23 million members since December 2013; Facebook today has more than one billion users, including some 25 million businesses with active Facebook pages; as of January, Twitter reported that it has more than 640 million active registered users, with an average of more than nine thousand tweets going out every second.

Companies recognize that it’s not sufficient to passively delegate management of in-house and externally-stored (i.e., in the cloud) data (otherwise known as electronically stored information or "ESI") in the event they’re hit with an eDiscovery request, whether stemming from an internal investigation or civil or criminal litigation. Many are becoming increasingly aware they need to take additional action to manage the discovery issues, obligations, risks, and liabilities resulting from data stored in the cloud and their employees’ and clients' online conduct on social media sites. This is particularly true as data is increasingly being transferred cross border, thus implicating various privacy obligations.

Know the potential “storms” that come with the cloud

Some firms and companies, however, do not even realize that turning to the cloud for data storage could complicate a potential request for ESI. But the fact is that information in the cloud is constantly changing, and metadata can be lost or altered during information transfers or retrievals, making it difficult to accurately preserve and produce. Data stored in the cloud also raises the issue of ownership. While a company may “own” the data, it does not necessarily control how the external cloud systems operate; and many users and cloud providers have not considered a plan to meet eDiscovery requirements relating to that data. While the legal standard or duty (custody, control or possession) is fairly broad, in practice it is much less clear and requires significant effort to craft and memorialize obligations and responsibilities.

These circumstances certainly do not mean that organizations should dismiss outright any consideration of utilizing cloud services. But it does mean that you should enter contracts and service agreements with cloud vendors by proactively addressing issues around preserving, segregating (where possible) and collecting electronic data.

Increasingly, legal professionals and in-house legal teams are working closely with their IT colleagues and third-party vendors to avoid glitches when software is upgraded or replaced. If legal organizations employ cloud services, it’s critical they thoroughly understand not only where their own cloud-based information and their clients' is located but the capabilities of their service providers if the data needs to be accessed.

Closely related to -- and arguably a subset of -- cloud computing is social media.

Use of social networks by law firms and their clients to attract customers and recruit talent has mushroomed in recent years. Yet in a company’s effort to more closely engage with customers, it opens itself to a public who can make comments that live on its site. In addition, individuals can create blogs or other sites that discuss a company without that company’s knowledge or control.

Add to this the increasing likelihood that a firm’s employees are using these sites at work for both business and personal reasons and unintentionally, creating discoverable electronic information. This can become particularly troublesome if, during the eDiscovery process, a firm finds it needs to access an employee’s social media account and then learns the employee has deactivated the account. Even if the data can be retrieved from the social media vendor, the organization could possibly face a sanction due to its failure to preserve this data. Efforts to request or compel the production of electronic information from social media vendors has been extremely challenging.

What law firms and corporate clients are doing

Due to the associated risks of cloud and electronic discovery from compliance requests and litigation, companies are beginning to more closely identify all data that may become relevant in eDiscovery and preserving all potentially responsive accounts, usernames and other necessary components. In addition, they’re setting guidelines to ensure employees are aware of the organization’s data management and preservation goals. They are educating employees as to how to save data and documents that may become relevant in future litigation. And they’re taking steps to ensure employees are clearly aware of the information they’re storing on company and personal platforms.

There’s no doubt that the use of social media and the cloud by companies and individuals will continue to increase. The most basic safeguard -- both now and in the future -- is for organizations to ensure their employees understand that all information relating to the company is discoverable and must be preserved -- no matter where it resides -- upon notice of suit or in the course of investigations. That, together with clearly written information governance practices and protocols that are consistently enforced, reduces risks associated with the exponential growth of electronically stored information.

Share your cloud computing and social media–related discovery experiences and tips in the comment section below.