The Cloud, Server Consolidation, Ephemeral Data, and Information Security: (Manageable) E-Discovery Challenges Facing CIOs and InfoSec
I. Issues Facing CIOs and CISOs That May Impact E-Discovery
Today’s CIOs and CISOs face challenges with a wide range of technological issues: cloud storage, server consolidation, retention of ephemeral data, data security, and privacy laws, to name a few. On top of that, electronic discovery (E-Discovery)1 invades nearly every aspect of these issues.
Why are CIOs and CISOs asked to balance the sometimes competing interests of cost-effective technological solutions for business needs against legal preservation and collection requirements (a.k.a. E-Discovery)? Simply: Because they have to.
Today’s CIOs are storing more data in more places than ever before. In 2011, 90.9 percent of data center sites surveyed by the Association for Computer Operations Management (AFCOM) used more storage space than they did three years ago.2 During that same three-year period, 37 percent were able to reduce their staff, and 29 percent kept their staffing levels the same.3 According to AFCOM CEO Jill Yaoz, this trend is in large part due to the development and implementation of new tools and processes that have allowed IT departments and data centers to store massive amounts of data efficiently and inexpensively. Specifically, IT departments and data centers are increasingly relying on cloud-based systems for the storage of big data.
The advent of cloud-based storage systems has had a profound impact on the way businesses collect and store their information. By offering the ability to store large amounts of data remotely, cloud storage not only enables CIOs to drastically reduce their IT budgets, but also allows IT departments the freedom to concentrate on matters more central to business growth, such as high-value activities and innovation. The number of data centers implementing cloud-based storage is only expected to increase. According to Yaoz, “[o]ur prediction is that 80 percent to 90 percent of all data centers will be adopting some form of cloud computing in the next five years.”4
Yet, E-Discovery concerns may require businesses to maintain comprehensive records on what data is stored in the cloud and where, precisely, that cloud exists. This information may become important in the context of E-Discovery if data is located in a foreign jurisdiction with privacy laws restricting or “blocking” the transfer and/or storage of data.5
In addition, some cloud service providers employ subcontractors to store data. This may be problematic for businesses ordered to produce data in a timely manner, especially if the requested data is located in more than one place with more than one subcontractor. In other words, compared to pre-cloud storage, businesses may lose control over the timing and execution of the “extraction” of data.
At a recent conference in Palo Alto, Google CIO Ben Fried addressed the importance of streamlining various cloud storage providers tapped by the same company to ensure easy and efficient integration—and to prevent what he characterized as a widespread lack of good corporate practices in the context of remote data storage.6 Bask Iyer, CIO of Juniper Networks, added that businesses must be mindful of employee use habits so as to ensure that employees utilize the company’s chosen storage service providers.7
Simply put, because of the ease associated with storing data in the cloud, businesses might assume the same is true for producing data from the cloud. This assumption, if untrue, might complicate a company’s attempt to comply with E-Discovery demands: Data may be in a foreign location with privacy laws, manpower, and technology that impede the search, storage and extraction of data in the method or time required. Also, data for one custodian may not necessarily be grouped together on one server, and a group of custodians might be dispersed amongst many servers.
Moreover, issues can arise with respect to the notification and imposition of a company’s preservation obligations when information is stored in the cloud as opposed to on a company’s own servers.
Admissibility issues can also be triggered if the chain of custody for the various document sources is not accurately tracked and documented. In other words, the data is quite simply not all in one room; it may be in many shifting rooms, which brings us to our next topic: server consolidation.
At the same time that CIOs are looking to reduce spending by outsourcing data management and retention to the cloud, they may also be looking to consolidate internal servers to one location, or if it is a world-wide company, to one or several “regions.”8
The analysis a CIO might consider may typically include the following factors:
1. Cost savings with consolidation—will we reap them?
2. Business continuity—is there a risk of consolidating i.e. if the servers in one location experience an interruption, how (and how long) will that impact the company? (Think power loss, storms/natural disaster, war/civil unrest.)
3. Data privacy laws—how might they be impacted by consolidation? How can and should I align disparate laws and regulations?
4. Security—how can I ensure it?
It is difficult to answer these questions in a vacuum, especially because no two companies’ needs are the same and because local counsel in differing jurisdictions are usually required for full analysis. While no U.S. court is known to have directly weighed in on the pros and cons of server consolidation, one court did recently refer to server consolidation in the context of a larger E-Discovery dispute.
In the patent infringement action, Apple v. Samsung,9 the parties sought adverse inference jury instructions regarding spoliation of evidence. Responding to Apple’s motion, the court considered whether Samsung took adequate steps to prevent the spoliation of relevant data after it should have reasonably anticipated litigation. At issue was Samsung’s default email system, called mySingle, which automatically deletes all emails after a two-week period, unless otherwise specified by the employee user.
According to Samsung, it relied on the automated deletion feature for several business reasons. First, automated deletion can help to prevent the misappropriation of confidential business information in the event a computer is lost or stolen. Second, a two-week deletion period is less expensive to implement than a 30-day deletion period. Third, the shorter window means that confidential business information is less likely to be disclosed to a third-party via email or unauthorized access. Fourth, a two-week automated deletion period best complies with Korean privacy laws.
Apple argued that Samsung’s continued use of its bi-weekly email destruction policy without any methodology for verifying whether Samsung employees complied with Samsung’s litigation hold instructions demonstrated inadequate data retention methods resulting in spoliation of relevant evidence. The court agreed with Apple, and directed that an adverse inference instruction be used at trial against Samsung.10
Although the opinion does not directly address the issue of server consolidation, the court does refer to the fact that all of Samsung’s email was consolidated on servers in Korea. “[Samsung's email] contains a ‘general guideline [that] calls for all emails to be automatically deleted after the passage of two weeks.’ This functionality operates and stores email company-wide in Korea [and] has no exceptions ….”11 Without elaborating on its opinion of the server consolidation, the Court did take the time to make this further statement: “[Samsung's email platform] stores received and sent employee emails on company-wide servers, as opposed to dividing the servers by business unit ….”12
From these references, some might wonder whether the court intended to imply that a company might better manage its preservation duties by not consolidating all functionality in one location. In other words, is the court asking whether Samsung could have lifted the 14-day deletion policy for certain relevant business units and thereby complied with its preservation duties and also not had the burden of storing all emails, company-wide?13
Ephemeral Data and Data Security
The management of cloud-based data and server consolidation is not the only consideration for a company in litigation. Ephemeral data—such as temporary Internet files, frequently overwritten or automatically updated metadata (such as last-opened files), log files (such as firewall or other security related log data), RAM, and fragments of deleted files in unallocated (slack) computer space—may be possible sources of responsive data.
Two recent cases address the issue of ephemeral data in the context of E-Discovery. In Nacco Materials Handling Group v. Lilly Company,14 a lift truck manufacturer brought an action against a former dealer alleging that the dealer improperly accessed the manufacturer’s secure website.
The court held that the dealer had an obligation to initiate the preservation of relevant ESI—including ephemeral data such as Internet browsing histories —immediately upon receiving the manufacturer’s complaint. Because the dealer failed to preserve the relevant data, the court imposed sanctions, specifically ordering the reimbursement of plaintiff’s costs for forensic examination, as well as the cost of imaging and analysis of the manufacturer’s hard drives.
In Tener v. Cremer,15 the court considered whether a non-party should be compelled to produce temporary user logs, which were deleted through the course of normal business operations. After finding that defendant posted defamatory statements using a computer owned and operated by New York University (NYU), plaintiff served the school with a subpoena seeking the names of all of the individuals who accessed the Internet on the date the statement originated.
Plaintiff argued that NYU could use special software to retrieve the data, despite NYU’s claim that the data had been overwritten numerous times and therefore could not be retrieved, at least not without undue burden or cost.
The court articulated a two-pronged inquiry to determine whether NYU would be compelled to produce the requested data. First, the court considered whether the data sought is recoverable. Second, the court engaged in a cost-benefit analysis to determine if the needs of the case warrant the data sought. Here, the court remanded the case to determine whether the data sought was accessible and whether it could be produced without undue burden or cost.
Although ephemeral data is certainly not necessary in most cases, considering the high costs associated with these forensic discovery methods, parties should consider whether ephemeral data is a source of information that might be responsive to a given litigation.16
Another nuance in the preservation of ephemeral data is the need to sometimes preserve firewall, anti-virus, intrusion prevention and/or detection, network activity, and other logs of information that might show the path a hacker might have taken. The preservation, of course, might be for a forensic investigation or litigation needs, but may very well be different from the normal course of business.
Parties faced with this type of preservation request are often asked if they have centralized logging, and if not, how quickly the overwriting of logging can be disabled. Any CISO concerned with being prepared for investigating security incidents might want to consider how to respond to an urgent request to preserve this type of data.17
II. What Is the Legal Department Faced With?
As noted in the discussion of the Samsung case above, several courts have held that it is counsel’s duty to affirm that a party has complied with its applicable discovery obligations; several note that counsel’s duty does not end with the issuance of a litigation hold.18
Courts have also held that counsel cannot rely on a client’s assertions that all relevant information has been preserved and collected. Therefore, counsel may seek to work directly with IT personnel, many times below the rank of CIO, CISO, manager or director, who have direct responsibility for and knowledge of relevant data sources, both on site and in the cloud.
For example, in a data security matter, counsel may wish to speak directly with the person who manages the firewall logs. Then, Counsel and IT professionals might work in tandem to assist with the implementation of the litigation hold by identifying the appropriate custodians and other data sources.
In the seminal case on this subject, Zubulake v. UBS Warburg,19 Judge Shira Scheindlin imposed sanctions on UBS for failing to guarantee that relevant data was both preserved and produced. Accordingly, she granted plaintiff’s motions for sanctions in the form of an adverse inference instruction with respect to deleted emails and the imposition of certain costs.
In reaching this conclusion, the Zubulake court discussed counsel’s role in ensuring the identification, preservation, and production of relevant information:
A party’s discovery obligations do not end with the implementation of a “litigation hold”—to the contrary, that’s only the beginning. Counsel must oversee compliance with the litigation hold, monitoring the party’s efforts to retain and produce the relevant documents. Proper communication between a party and her lawyer will ensure (1) that all relevant information (or at least all sources of relevant information) is discovered, (2) that relevant information is retained on a continuing basis, and (3) that relevant non-privileged material is produced to the opposing party.20
In a recent decision, Nat’l Day Laborer Org. Network v. United States Immigration & Customs Enforcement Agency,21 Judge Scheindlin strongly admonished against the practice of “self collection,” whereby parties allow individual employees to search for relevant data and applied that caution against government agencies in the context of a Freedom of Information Act (“FOIA”) case. Nat’l Day Laborer Org. Network dealt with plaintiffs’ requests for documents under the FOIA and their assertions that defendant government entities’ searches for such information were inadequate. Although this case involves an analysis of the reasonableness of such search efforts under the FOIA, Judge Scheindlin’s opinion is applicable in the broader context of E-Discovery.
Plaintiffs charged that the search efforts of the FBI and Department of Homeland Security were unreasonable. In the context of the FOIA, the court found that the scope of some of the government’s searches were adequate while some were not, noting that it is “impossible to evaluate the adequacy of an electronic search for records without knowing what search terms have been used.”22 Disagreeing with defendants’ argument that custodians should be trusted to run effective searches of their own (i.e., “self-collect”), the court stated:
There are two answers to defendants’ question. First, custodians cannot “be trusted to run effective searches,” without providing a detailed description of those searches, because FOIA places a burden on defendants to establish that they have conducted adequate searches; FOIA permits agencies to do so by submitting affidavits that “contain reasonable specificity of detail rather than merely conclusory statements.” Defendants’ counsel recognize that, for over twenty years, courts have required that these affidavits “set [ ] forth the search terms and the type of search performed.” But, somehow, DHS, ICE, and the FBI have not gotten the message. So it bears repetition: the government will not be able to establish the adequacy of its FOIA searches if it does not record and report the search terms that it used, how it combined them, and whether it searched the full text of documents.
The second answer to defendants’ question has emerged from scholarship and case law only in recent years: most custodians cannot be “trusted” to run effective searches because designing legally sufficient electronic searches in the discovery or FOIA contexts is not part of their daily responsibilities. Searching for an answer on Google (or Westlaw or Lexis) is very different from searching for all responsive documents in the FOIA or e-discovery context.23
Judge Scheindlin concluded that it was unnecessary for her to evaluate the adequacy of defendants’ search terms. Instead, she ordered the parties to work cooperatively “to agree on additional search terms and protocols—and, if necessary, testing to evaluate and refine those terms. … Defendant agencies, in turn, will need to cooperate fully with plaintiffs.”24
National Day Laborer Org. Network deals with a number of relevant current E-Discovery issues, including the adequacy of keyword search terms and technology-assisted review. Importantly, from the perspective of a CIO, it also demonstrates the technological expertise required to assure the adequacy of a collection effort.
A recent case in the Eastern District of Texas is instructive on this point. In Green v. Blitz,25 plaintiff brought a product liability suit against a manufacturer of gasoline cans, alleging that a gas can had caused her husband’s death. Her main theory of liability was premised on the fact that the can had no flame arrester, which defendants had not incorporated and which they argued did not work anyway.
During the jury deliberations, the parties entered into a high-low settlement agreement under which the parties agreed that, notwithstanding the verdict, the case would be dismissed with prejudice and a release executed. The jury ultimately ruled in the plaintiff’s favor, but under the parties’ agreement, the amount awarded triggered a payment by the defendant on the low end of the scale.
Subsequently, counsel for plaintiff was involved in related litigation during which he learned of “extremely relevant and material” documents that had not been produced in the Green case. Plaintiff filed a motion to re-open the case and for sanctions arguing that defendant’s discovery violations were in bad faith and had led to an unfair outcome.
The court held that the defendant had committed several discovery abuses, including failing to investigate, search for, and produce relevant evidence, and never issuing a written litigation hold order. The sanctions were both steep and creative: The court ordered the defendant to pay plaintiff $250,000 in sanctions, to disclose the court’s order to plaintiffs “in every lawsuit proceeding against it,” and to disclose the order in any case in which defendant is a party for the next five years (a $500,000 sanction would be returned upon compliance).
What was the nature of the defendant’s failings in Green that warranted these extreme sanctions? According to the court, in responding to discovery, the employee “solely responsible for searching for and collecting documents relevant to the litigation,”26 and who also “headed up the research and investigation around flame arresters,”27 failed to take several steps necessary to discharge a duty to preserve and investigate responsive documents: No litigation hold was issued, key word searches were not run (a search for “flame arrester” was not run and would have garnered responsive information as it was in the subject line of emails), and the individual did not contact defendant’s IT personnel to coordinate with the search and extraction of relevant data. Making matters worse, this employee admitted that he was “about as computer literate-illiterate as they get.”28
In light of the undisclosed documents, the court found that defendant’s conduct was willful and plaintiff was prejudiced. The failure to search relevant data was compounded where no coordination with IT occurred and thus preservation was not ensured. Indeed, according to the opinion, a lead member in IT had repeatedly requested that employees delete their emails during “the precise time period” that defendant “was actively defending multiple products liability suits relating to its gas cans and had a duty to preserve evidence.”29
The court also addressed defendant’s failure to halt the overwriting of back up tapes, concluding that “it will never be known how much prejudice against the plaintiff was actually caused by Blitz’s failure to preserve documents.”30
While obviously an extreme factual scenario, Green should serve as an example of how valuable coordination with IT professionals can be in the context of E-Discovery.
III. E-Discovery Tips for the IT Professional
In conclusion, the following considerations may prove useful in managing the E-Discovery issues posed by big data:
1. Consider anticipating E-Discovery issues in advance of litigation, taking precautions such as mapping the location and/or filepaths of relevant data (wherever located, e.g., on-site, in the cloud, etc.)
2. Consider reviewing your cloud storage vendor and subcontractor contracts and ensure that the appropriate contractual obligations are in place with respect to how and by whom stored data are to be preserved, collected, and produced.
3. Consider the above questions concerning server consolidation with appropriate counsel, along with other issues counsel may raise.
4. Consider if education among IT staff is necessary in conjunction with the legal department’s needs.
5. Plan early for preservation in countries where relevant data reside, taking into account local laws that may affect implementation of litigation holds.
6. Document data collection, review and chain of custody, particularly for data in the cloud and outside the U.S., in order to lay a foundation for admissibility.
Fernando M. Pinguelo is the Chair of the Cyber Security & Data Protection Group at Norris McLaughlin & Marcus; Shannon Capone Kirk is E-Discovery Counsel at Ropes & Gray; Sara Johnson Meyers is a Senior Discovery Attorney at Ropes & Gray. The views set forth in this article are those of the authors alone and do not reflect the views of their respective firms or clients. Nothing in this article should be viewed as attorney advice. Any individuals seeking advice on the matters presented herein should seek individual and specific advice, as facts and application of law change for every matter. The authors may be contacted as follows: fernando@CyberJurist.com, email@example.com, firstname.lastname@example.org.
This document and any discussions set forth herein are for informational purposes only, and should not be construed as legal advice, which has to be addressed to particular facts and circumstances involved in any given situation. Review or use of the document and any discussions does not create an attorney-client relationship with the author or publisher. To the extent that this document may contain suggested provisions, they will require modification to suit a particular transaction, jurisdiction or situation. Please consult with an attorney with the appropriate level of experience if you have any questions. Any tax information contained in the document or discussions is not intended to be used, and cannot be used, for purposes of avoiding penalties imposed under the United States Internal Revenue Code. Any opinions expressed are those of the author. Bloomberg Finance L.P. and its affiliated entities do not take responsibility for the content in this document or discussions and do not make any representation or warranty as to their completeness or accuracy.
© 2012 Norris McLaughlin & Marcus, P.A., and Ropes & Gray LLP