Welcome to the October issue of Mayer Brown’s Privacy Posts, a newsletter on privacy, security and data protection law that will report and provide commentary on developments and trends that are significant to our clients’ business across the globe. As always, we welcome your thoughts and comments and invite you to contact us with any feedback.
Clear Skies or Stormy Weather for Cloud Computing: Key Issues in Contracting for Cloud Computing Services
Rebecca S. Eisner and Daniel Masur
Cloud computing has been with us for years through technology outsourcing, online service models and application service providers. But an entirely new crop of providers and service offerings has changed the way customers are contracting for cloud computing services. This article addresses cloud computing benefits, risks and regulatory challenges (including privacy & security), with suggestions for overcoming or mitigating those challenges.
Cloud Computing Introduces New challenges for E-Discovery Obligations
Pursuant to court rules, parties to litigation in the United States must preserve, collect, review and produce data that is relevant to the litigation and that is within a party’s “possession, custody or control.” Government agencies follow a similar standard when requesting information from organizations. Today, much of this data is stored electronically and, increasingly, much of this data is stored in the cloud. As with any new technology, cloud computing introduces new challenges for parties attempting to satisfy their ‘e-discovery’ obligations. When data is stored in the cloud, it may be technically within a party’s “possession, custody or control,” but may not be within its physical possession. As such, access to the data may be limited or too slow to meet the requirements of courts and government agencies, and exercising control over the destruction (or preservation) of the data may be complicated. Further, one party’s data may be co-mingled with that of another company or a separate corporate entity, giving rise to questions of who has “possession, custody and control,” and thus the obligation to preserve and produce, the data. Finally, the centralized nature of cloud computing gives rise to important jurisdictional questions. Where the cloud is located may implicate a variety of issues, including a court’s authority to manage disputes, confidentiality, and data privacy.
It is prudent for a party to know where its data is stored, how to access that data, and who has access to that data, as well as how to effectively preserve, collect and produce it in a legally defensible manner. All of these processes can be made more complicated when the data is in the cloud, but planning and strategic contracting can mitigate these risks.
Of Related Interest
New EU Standard Contractual Clauses for Commissioned Data Processing
Electronic Discovery & Records Management - Tip of the Month: Preserving Data on Custodians’ Personal Email and Personal Phones, Devices and PDAs
Electronic Discovery & Records Management - Tip of the Month: Managing E-Discovery in State Courts
SEC Sanctions Broker-Dealer and CCO for Failing to Preserve and Produce the Personal Email and Personal Computer of Independent Contractor
United States Institutes New Rules on Exports of Encryption Products
Learn more about our Privacy & Security practice.