How mobile devices and the cloud change e-discovery

In recent months, Apple and Samsung have engaged in an epic transnational (and trans-jurisdictional) patent battle. As the two companies embark on a protracted legal fight that sees no sign of early let-up, one thing is clear: the mobile arena is becoming increasingly important for business. Given the proliferation of mobile devices in the corporate space, the financial stakes are high.

The Apple-Samsung cases also highlight another important concern for businesses: the impact of mobile devices and cloud services on the e-discovery process.

Smartphones, iPads and other tablet devices – as well as their attendant mobile applications – are no longer solely the province of the consumer. Indeed, as more professionals adopt a ‘bring your own device’ (BYOD) approach, and as more companies support those devices, they can create challenges for the enterprise in terms of securing data as well as ensuring the integrity of that data for e-discovery.

‘What we are seeing with corporate clients is that increasingly, key decision-makers are adopting the BYOD policy, and that is breaking the corporate shell,’ says Greg Buckles, an independent e-discovery consultant with eDJ Group. ‘But this trend is happening without consideration of the impact on compliance and e-discovery.’ Companies, Buckles notes, are just beginning to ask, ‘What does it take to collect all this stuff if executives are using apps to record meetings, edit documents, examine financial documents, and even potentially sign documents?'

Mobile devices present particular concerns for e-discovery, including processing and the cost of data retrieval. Although much of the data generated from smartphones and tablets could be accessed via company servers, some data might reside in the cloud or live solely on the device. Additionally, with regard to employee-owned devices, geo-location data and other ‘descriptive information’ such as frequency of texts might involve the carrier on whose network the device operates.

But Jonathan Sablone, partner at Nixon Peabody, says that although the devices and applications are new, the e-discovery issues are not. ‘We’ve had e-discovery challenges with regard to mobile devices for years,’ he states, noting the ways in which email, and later text messaging, have created data-retention headaches for companies. Some companies simply turn off the texting feature or institute tracking policies that allow them to maintain a level of control over the data. Other companies might agree to support a manager’s personal mobile device, provided the company can track and access client-related data. ‘What’s changed in the last couple of years is the proliferation of iPhones and i-devices, and the advent of the cloud,’ explains Sablone, who chairs Nixon Peabody’s electronic discovery and evidence team.
 
Combing through the clouds

Edwin Larkin, a partner at law firm Venable, recently slipped into a quagmire of e-discovery when a client was sued by a governmental entity. The government had requested ‘detailed information about how the client conducted business’, but there was just one problem: the client’s entire business was in the cloud.

‘The client had numerous accounts with a variety of web-based service providers and kept almost no information in hard-copy documents or on his servers,’ Larkin recalls. Larkin contacted the multiple providers, who offered his client a range of options: one provided the client with a test server so the government could securely access the data while another provider canceled the client’s account and deleted all the data. Others provided options which essentially allowed for a limited capacity for data retrieval. There were more than 80 web-service providers involved in the e-discovery process, and ultimately they were able to recover the data deleted by the cloud provider from other sources.

Larkin’s experience on this case offers valuable insights into the vagaries of cloud computing. The e-discovery process for his client was ‘difficult and expensive’, and because of the company’s small size, there was very little leverage it could have applied to negotiate the service-level agreements (SLAs), if it even considered that a possibility. Although the cloud services provided cost savings on the front end, those savings were essentially eaten up by the prohibitively high costs of e-discovery and data loss later.
 
Retrieval costs

Buckles says companies need to be aware of the costs of retrieving data not only from the cloud, but also from smartphones and other mobile devices. Although an average case has roughly 12 custodians, counsel for larger public corporations might have to perform e-discovery for between 50 and 60 custodians per case. ‘At $800 apiece, that’s $40,000 just to collect the iPhone data, for example,’ says Dean Gonsowski, Symantec’s e-discovery counsel. ‘As the cost of e-discovery from mobile devices and the cloud rises, counsel and the courts are looking at the idea of proportionality.’

Proportionality allows the courts to consider whether the cost of discovery of electronically stored information in a particular case is in proportion to the value of the case. If the burden on opposing counsel is out of proportion to the value of the case, the judge may decide to reduce the scope of the discovery to limit those costs.

Counsel are also discovering that as more clients begin to support personal mobile devices, much of that data is residing elsewhere. ‘A lot of mobile data is not on a company server – it’s already in the cloud somewhere,’ says Robin Stewart, who chairs Lathrop & Gage’s e-discovery data, records and information group. ‘For example, Facebook posts, tweets, Yahoo! email and Google Docs, as well as items downloaded to a mobile device, do not exist on business servers. Businesses need to take a closer look at mobile devices, examine whether and how they should be integrated into company systems, and consider how the cloud factors into all of this.

‘Today an increasing number of companies are debating whether or not to move their company data to the cloud, but before doing so, several issues must be considered,’ Stewart continues. These include how providers ensure data security and confidentiality, and who owns and can access the data. ‘You need to go through the cloud provider’s master service agreement [MSA] with a fine-toothed comb to make sure you are protected,’ advises Stewart.
 
Examining MSAs/SLAs

While Stewart says it might make sense for certain companies to move their data onto the cloud, they should do so only after carefully weighing all their options. While moving data to the cloud can provide cost savings, it doesn’t come without risks. These risks are often found, although seldom appreciated, by reading the MSA.

‘I took a very reputable company’s MSA and highlighted language that concerned me,’ Stewart says. ‘One of the issues related to what happened when a cloud provider receives a document subpoena to turn over your company data. If they receive a subpoena, how much notice are they required to give you? If your price is based on a set document retention schedule and you find yourself in litigation, does the MSA allow for the ability to keep certain data longer than originally intended? How is the data searched and reviewed? While you will lose some control when moving your data to the cloud, there are ways to manage this loss.’

Sablone cites other important issues that most companies don’t consider when moving to the cloud – for example, what happens if a provider’s servers go down? ‘Some provisions in the stock SLA look very reasonable, like We guarantee that we’ll have your data available 90 percent of the time,’ he notes. ‘Well, if your data is unavailable 10 percent of the year, you have a big problem.’

Sablone says a guarantee that the data and service will be available forces the provider to have redundancies and back-up procedures in place – and it shows that the provider has invested in its infrastructure. Still, as James Nelson, partner at Venable, observes, ‘It depends on what you are buying and if there are enough dollars at stake to get those terms.’

Gonsowski notes that there is also the question of who really owns the data stored on the cloud. What happens if a cloud company goes out of business and sells your data assets to another provider? ‘You need contractual provisions that say, I can do all the things with a cloud provider that I can do myself,’ Gonsowski explains. ‘If I can’t govern the information the way I would ordinarily, the benefits of the cloud only narrowly outweigh the risks.’ This goes back to the need to establish policies for data management on mobile devices and in the cloud. ‘If you get your house in order, e-discovery is a lot easier than if you’re a hoarder and your house is filled to the rafters with a lot of junk,’ Gonsowski concludes.
 
Overcoming mobile e-discovery challenges

Many of the e-discovery challenges that come with the use of mobile devices can be mitigated, say industry experts. Here we present a few of the significant challenges and some advice for handling them.

· Mixing business with the personal. The co-mingling of business and personal data presents challenges, to be sure, but there is also the opportunity for companies to develop acceptable use policies that accommodate the practice, says Symantec’s Dean Gonsowski. So what happens when a custodian’s family photos, personal finance data and health records reside on the same device as work documents? ‘Companies can attack it via policy,’ states Gonsowski. ‘They could say, BYOD is fine, but we are going to make you sign this policy agreement to have that device supported.’

· SLAs and subpoenas. As much as possible, negotiate issues that are essential to ensuring data access and integrity. If the provider isn’t willing to do so, the cloud might not be the best option, despite the up-front cost savings. Understand that ‘terms of service agreements are generally drafted to favor the provider over the customer,’ according to Venable’s Ed Larkin.

· Understand what ‘the cloud’ means. Having corporate data in the cloud raises jurisdictional issues because of the way providers store data. This means that their servers might not be in the state or country in which your company operates, which could create jurisdictional headaches. ‘You think of it as the cloud, but it might be a server in Belgium,’ says Gonsowski. This could affect how subpoenas are handled, how e-discovery takes place and whether or not the client even owns or controls the data.