Interesting thoughts on the cloud from a blog on e-discovery by the authors of specialized software for e-discovery.
The key phrase “possession, custody or control” is something to be examined more closely in the context of Cloud Computing environments, where typically the cloud customer is the party in control and the cloud service provider is the party in possession and custody. In cases where the cloud customer is the party in litigation, it is natural to serve pre-trial a discovery request under Rule 26 (b) to the cloud customer and expect that since they are the party in control, and can therefore instruct the cloud provider to perform at least some form of collections. Now the question that remains is whether the same request can be made of the cloud provider, since they are the party in possession and/or custody. It is evident that requesting the cloud provider to perform a discovery request on behalf of their customers is impractical since any assertion of privilege or confidentiality would require the cloud customer to be involved in the discovery request. Besides, the cloud provider producing documents without consent from the customer of the cloud would run afoul of the Stored Communications Act (SCA). For these reasons, the broader three-pronged test of “possession, custody or control” embodied in Rule 34 (a)(1) should be revised to mean only “party in control”.
That says to me that discovery should no longer hinge on where data resides; the only test would be access to the data. This argument is said to be based on a notion of cloud provider possession and custody but delegation of control to a customer.
Their blog explains that removing a possession and custody test removes the chance a client will try to waive an obligation for e-discovery in the cloud. It also removes the obligation of a cloud provider to respond to e-discovery if they have only possession or custody.
Two things come to mind from this. First, it supposes that e-discovery is easier with a client than a provider — a provider may have no knowledge of what data constitutes a business record subject to discovery. A provider that turns over a cloud environment can easily over-deliver and provide more data than required. Second, it supposes that a client can know the inner workings of a provider well enough to understand archives and residue of their data.
These two points are counter to each other. Only the provider knows where data goes, but only the customer knows what data is relevant. Without the first half there is a real possibility that data will exist and never be found by a client during e-discovery. This is not far from pre-cloud environments where an IT department would not be involved in discovery. A legal department might install a tool to answer discovery requests, which technically would not address the residue policies and procedures known by IT.
Take email, for example. A company policy could say that local mailboxes are prohibited. A central mail server would have a master repository of messages, as is usually the policy set forth by legal. However, users might still have a regular habit of archiving local copies, as is usually the behavior in response to policies set forth by legal. The non-IT manager of a centralized mailbox — client in control — would likely respond to discovery with an incomplete set of data while the IT managers — provider in possession or custody — would be more likely to provide a more complete picture of the mail ecosystem and include localized backups and copies of deleted messages.
A lack of obligation on the provider will mean a lack of pressure for the technical tools and techniques to serve a technology shift in discovery. A customer is unlikely to push for this capability, or even realize the capability exists. Thus possession and custody tests still seem relevant to me.
OK, three things come to mind. A company that sells e-discovery software might not want possession and control to be part of the definition in a cloud environment because it may challenge their current software capabilities. The cloud provider could introduce technical issues (e.g. VM volume residue) that current e-discovery software may be unable to accommodate.