SEMA News—January 2012
By Joe Dysart
Protecting Far-Flung Company Data
Covering Your Assets
“The significantly lower cost of using the cloud is driving data migration beyond the firewall,” said Nick Brestoff, M.S., J.D., and principal of e-Discovery Legal. “The data is leaving the building.”
The solution? e-Discovery experts said that grilling your cloud service provider (CSP) regarding its policies and practices for managing and protecting data—before your contract with the firm—is Job One if you plan to get any sleep. Key to that research is getting crystal clear on who’s liable for stolen data, according to Matthew Knouff, Esq., general counsel for Complete Discovery Source. Incredibly, many cloud providers now limit or simply disclaim any liability for data that is stolen either physically or via web break-ins on their servers.
“To the extent that you are unable to negotiate a CSP’s standard terms and conditions, you may just have to make an informed risk assessment and then take your chances if you want to benefit from the cloud,” Knouff said.
Added Debora Motyka Jones, Esq., client services manager for Lighthouse Document Technologies: “Ultimately, it is the firm’s data, so the firm is liable. This is an important area to address in the contract between the firm and the cloud provider. If possible, the firm should include an indemnification provision for losses that are the fault of the cloud provider.”
Ensuring that your data remains in a form that can be used by your in-house computers is also critical.
“Many CSPs reserve the right to modify any content that you put in the cloud,” Knouff said. “Understanding how you might lose control over data through proprietary data formats is an important consideration. The ability to modify or alter content can impact your ability to remove data from a cloud or switch to another CSP.”
Moreover, while any reputable cloud provider should be making continual backups of your data, companies should also negotiate for additional physical copies to be provided for storage, either at company headquarters or with another third party.
“Backing up your data should not be viewed as a best practice but as a requirement,” Knouff said.
For best results, you’ll also want to create a map of how data travels through your firm’s network and how that data interacts with the remote systems of your cloud provider.
“When addressing these issues, make sure to form a cross-functional team, including members from IT, legal, human resources and various business units to achieve the most comprehensive and cohesive results,” Knouff said. “Ultimately, the elements of your data security plan are going to be based on a thorough, enterprise-level risk assessment.”
Cloud newbies are also often dismayed to learn that current law allows cloud providers to simply roll over and release your company data without so much as a hint of sweet talk when officials in a government lawsuit make demands.
“A service provider cannot be held liable for disclosing information pursuant to a legitimate government order, and a civil suit cannot be brought against the U.S. government for disclosure violations,” Knouff said. “To make the cloud environment even more risky, disclosure of sensitive data occurs in many cases without the cloud service subscriber receiving advance or even prompt notice.”
Unfortunately, a law firm’s only recourse in this case is to negotiate a notice provision with the cloud provider, which is triggered when any entity, including the government, is seeking release of your private information, Knouff said.
Meanwhile, companies looking to get a handle on data generated by mobile phones will want to investigate a raft of vendors who specialize in backing up those bits and bytes. Verizon Wireless’ V Cast Media Manager will do the trick, as will numerous third-party service providers that offer mobile phone management, on and off the cloud, Knouff said. “Bloove.com and Memotoo.com are examples of cloud-based mobile phone/desktop synchronization tools,” he added.
Today’s backup software also enables businesses to create a forensic image of every mobile phone used in the company.
“Guidance Software’s EnCase Neutrino is one of the most widely used and accepted tools to forensically collect data from mobile devices,” Knouff said. “Other tools include AccessData’s Mobile Phone Examiner, Paraben’s Device Seizure and Logicube’s CellDEK and CellDEK TEK.”
There are even solutions for mobile phones that have been lost or stolen.
“One such product, Lookout, is a third-party application that allows users to locate a missing or stolen phone and wipe it remotely, prevent viruses and outside intrusion, manage content and back up data,” Knouff said.
Companies can also save themselves a great deal of potential legal headaches by engineering everyday e-mails that disappear immediately after they are viewed by the intended recipient.
“For example, if I send an e-mail to a colleague confirming a lunch appointment, my employer may incur needless costs associated with recording and storing this communication,” said Cathy Duplissa-Lopez, project manager for electronic data and e-discovery at Fennemore Craig, P.C. It makes more sense to simply make such e-mails disappear, she said.
Long term, companies also need to prepare for the possibility that they could get hit with a lawsuit that mandates e-discovery or the court-ordered retrieval of company electronic data that resides in the cloud, in cell-phone accounts and across all social media. Instead of viewing an e-discovery request as a five-alarm fire to be handled on the fly, e-discovery programs and best practices need to be integrated into a company’s day-to-day operations, according to Dara Scott, senior project manager for Excelerate Discovery.
Scott said that company legal teams will utilize workflow-based project management technology and practices to move from a reactive approach to e-discovery to a measurable, repeatable business process. “This effort will be driven by e-discovery legal practitioners with broad knowledge bases in both law and technology,” he said.
Bottom-line: With a bit of thoughtful planning, your company can go a long way toward insulating itself from most of the risks associated with working with the increasing volume of data and applications residing on computer systems outside the enterprise.