Opinion: 5 legal questions to ask before entering the cloud

As a lawyer, the thing that concerns me about the use of is that it often involves the transfer of electronic data from internal IT infrastructure to systems managed by third-party vendors. This change in custody, and potentially control, can create compliance issues. While not intended to be exhaustive, the following five questions are a good start to the analysis, from a legal perspective, that should occur during the planning of a cloud-based project.

1. How do cloud services affect ?

Litigation discovery obligations extend to documents in a litigant's custody or control. Accordingly, a consumer of cloud computing services may need to preserve, search and collect data placed onto the cloud if that data remains under the consumer's control. But how do you know whether such data remains under the consumer's control? Courts have noted in similar situations that the service agreement is the starting point for determining whether data in the custody of a third party is under the control of its originator. For that reason, the service agreement is of singular importance when determining the suitability of a given cloud service.

In the most common uses of cloud services, the consumer retains control over its data, and therefore the scope of electronic discovery obligations is unaffected. Nonetheless, the use of cloud-based services can affect the consumer's ability to meet its discovery obligations in a cost-effective and accurate manner. For example, the consumer will not have the same knowledge of the workings of the cloud service as it would typically have of its own networks, potentially resulting in slower and more costly discovery, with a higher risk of errors. As another example, a lack of direct access to the cloud hardware coupled with the transitory nature of most cloud services may make preserving and collecting forensic information challenging.

If an organization is already in litigation, or if litigation is foreseeable, care should be taken not to reduce the level of control over litigation-relevant ESI (electronically stored information). Even in the absence of specific litigation on the horizon, a cloud service consumer should determine preservation, search and collection strategies during the process of selecting the cloud service provider. If necessary, the vendor's cooperation in these discovery tasks can be contractually obligated in the service agreement along with an identification of related costs.

Finally, any organization that has taken steps to reduce its discovery burdens -- by instituting a document retention program, for example -- should make sure that the cloud service is capable of supporting those efforts. If information that is no longer supposed to exist is still available on the cloud service, the organization's cost reduction programs would be undermined.