Cloud Storage is not as secure as local storage…Really?

A December 13th posting in the Harvard Business Review Blog titled; Cloud Computing? Not So Fast — Unintended Consequences of Recent Disclosures, seemed to conclude cloud computing/cloud storage was inherently less secure than traditional local or on-premise storage of sensitive records.  The blog entry tried to site a couple recent cases to prove the point. One example used was the wikileaks revelations.  The implication was this massive amount of leaked information was (more easily) leaked because it was “stored in the cloud” verses somewhere else…such as an organization’s NAS or SAN.

The implication of the blog posting is inaccurate in that it assumes the top secret federal government controlled files were stored in a third parties data center with little or no security and this was why army private Bradley Manning was able to easily steal a such huge cache of files/records.

I don’t know for a fact, but my guess would be that this data was held within the federal government infrastructure and was not being stored at a third party data center. But even if the data was held at a third party facility, security of the data is key.

There are several definitions of cloud storage but the one most referenced is; cloud storage is storage accessed over a network (internal or external) via Web Services APIs. To many in the business world, cloud storage is a service which allows an organization to store electronic files/records in a third party remote location. Organizations will look at this service for a couple of reasons; first it may be less expensive then purchasing and maintaining their own local storage resources. The second reason is for increased security; sensitive data can be better protected from employee leaks etc.

The miss-used wikileaks example aside, it may be the author doesn’t fully understand the technology involved in on-premise storage verses cloud storage. In my experience, most organizations don’t protect the data their employees store locally with encryption or other safeguards. Many of the cloud storage providers encrypt data being stored to a cloud repository as it arrives at the storage facility. A couple providers encrypt it before it leaves the customer’s location; and of course the encryption key is known only to the owner of the data not the storage provider.

Top tier cloud storage providers store their customer’s encrypted data in class 4/5 secure underground data centers. Many Fortune 100 companies believe this type of storage is higher quality than letting their employees store sensitive data locally…

Beware: Your Facebook Posts Could End Up in Court

Social networking posters beware…your Facebook and other social media accounts may be seen by more than just your friends; in fact, what you post and tweet could become court evidence.

But many of us don’t consider these implications when tweeting and posting. Current employers, potential employers and, yes, even attorneys review social networking sites for information on workers, job candidates and litigants.

Individuals as well as organizations need to carefully consider what they post to these sites. In the personal injury case of McMillen v. Hummingbird Speedway, Inc., No. 113-2010 CD (C.P. Jefferson, Sept. 9, 2010), Hummingbird Speedway, Inc. sought access to plaintiff’s social network accounts, requesting an eDiscovery production of his usernames, log-ins and passwords.

Plaintiff objected, arguing that the information on those sites was confidential.  Upon defendants’ Motion to Compel, the court found the requested information was not confidential or subject to the protection of any evidentiary privilege and ordered its production to defendants’ attorneys within 15 days. Additionally, the court ordered that plaintiff should not take steps to delete or alter the existing information on his social network accounts. The court said:

Specifically addressing the expectation of privacy with regard to Facebook and MySpace, the court found that any such expectation “would be unrealistic.”  The court then analyzed the relevant policies of the two sites, and concluded as to both that, “[w]hen a user communicates through Facebook or MySpace, however, he or she understands and tacitly submits to the possibility that a third-party recipient, i.e., one or more site operators, will also be receiving his or her messages and may further disclose them if the operator deems disclosure to be appropriate.”  Accordingly, the court determined that defendant could not successfully assert that his accounts were confidential.  In so holding, the court also noted the possibility that communications could be disclosed by friends of the account holder with whom the communications were shared.

Organizations need to establish and enforce employee social media policies to lower their risk and better protect their brand. Check out this related blog titled “Companies Need a Social Media Policy” for suggestions on establishing a corporate social media policy. And for all of us posters, bloggers and tweeters, be careful what you say; otherwise, it could be read back to you by an employer or judge.

Are Custodial Self-Discovery and Preserving ESI in place a good idea?

A majority of organizations still rely of the practice of instructing custodians to search for and protect potentially responsive ESI locally or “preserve it in place”. In its 7th Annual Litigation Trends Survey, Fulbright & Jaworski reported that 55% of responding companies still rely on custodians to identify and preserve their own information as the method used most frequently to preserve potentially relevant information in litigation or an investigation.

Custodial self-discovery and “preservation in place” is a potentially risky in that, especially with larger numbers of custodians, the risk of incomplete collection, inadvertent deletion/spoliation, and meta data corruption is greatly increased, legal supervision of the collection process is impossible leading to inadequate defensibility of the litigation hold and eDiscovery process.

In a 2008 Kahn Consulting survey on employee understanding of eDiscovery responsibilities, only 22% of respondents said they had a good understanding of their responsibilities for retaining ESI for discovery. Only 16% said they had a good understanding of their responsibilities when responding to a litigation hold. These statistics blatantly highlight the risk of custodial self discovery and preservation in place.

The courts are now holding litigants to a higher standard. In a recent case, Roffe v. Eagle Rock Energy GP, et al., C.A. No. 5258-VCL (Del. Ch. Apr. 8, 2010), the Judge was surprised at the custodial self discovery practice one attorney was relying on:

The Judge asks;

Am I correct that you have been relying on what they [the defendants]  self-selected to put in their transaction files, in terms of what you obtained and produced?

The defense attorney answers;

That’s correct, your Honor. I was told that they uniformly would put all of their Eagle Rock e-mails into that folder. I have not checked, and I don’t know whether that is true or whether that is accurate. I believe they are telling the truth, but I don’t know if that is accurate.

The Judge immediately responds to the defense attorney;

Then here is my ruling. This is not satisfactory. From what you have described to me, you are not doing what you should be doing. First of all, you do not rely on a defendant to search their own e-mail system. Okay? There needs to be a lawyer who goes and makes sure the collection is done properly. So both as to the two directors who already have produced — we don’t rely on people who are defendants to decide what documents are responsive, at least not in this Court. And you certainly need to put somebody on a plane to go out and see Mr. Smith.

In this exchange, the Judge clearly states; we don’t rely on people who are defendants to decide what documents are responsive. Custodial self-discovery is like the wolf guarding the chicken coop.

Relying on litigants to find, protect and eventually turn over potentially responsive ESI can be problematic. Most of them will attempt to do what’s right; to the best of their understanding (less than 23% have a good understanding). Those few that could have something to hide may find ways to do a subpar job in the discovery process. If I am the opposing counsel, I am going to want to know if self discovery was relied on.