Cloud Storage

Cloudy, with a chance of eDiscovery

Bill Tolson Cloud Storage, eDiscovery , , , , , , , , , ,

In the last year there has numerous articles, blogs, presentations and panels discussing the legal perils of “Bring Your Own Device” or BYOD policies. BYOD refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. The problem with BYOD is company access to company data housed on the device. For example, how would you search for potentially relevant content on a smartphone if the employee wasn’t immediately available or refused to give the company access to it?

Many organizations have banned BYOD as a security risk as well as a liability when involved with litigation.

BYOC Equals Underground Archiving?

Organizations are now dealing with another problem, one with even greater liabilities. “Bring your own cloud” or BYOC refers to the availability and use by individuals of free cloud storage space available from companies like Microsoft, Google, Apple, Dropbox, and Box.net. These services provide specific amounts of cloud storage space for free.

The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere; home or while they’re traveling. This means employees no longer have to copy files to a USB stick or worse, email work files as an attachment to their personal email account. The disadvantage of these services are that corporate information can easily migrate away from the organization with no indication they were ever copied or moved – otherwise known as “underground archiving”.  This also means that potentially responsive information is not protected from deletion or available for review during eDiscovery.

Stopping employee access to outside public clouds is a tough goal and may negatively affect employee productivity unless the organization offers something as good  that they can manage and access as well. For example several companies I have talked to over the last year have begun offering Dropbox accounts to employees with the understanding that the company has access to for compliance, eDiscovery or security reasons all the while providing the employee the advantages of a cloud account.

The other capability organizations should research about these cloud offerings is their ability to respond to legal hold and eDiscovery search. Questions to consider include: Does the organization have the ability to search across all company owned accounts for specific content? What type of search do they offer; Keyword, concept? Can the organization view the contents of documents without changing the document metadata? Can the organization place to “stop” on deletions by employees at any time?

Organizations need to be aware of and adapt to these cloud services and be thorough in addressing them.

For Corporate counsel:
  1. Be aware these types of cloud storage services exist for your employees.
  2. Think about offering these cloud services to employees under the organization’s control.
  3. Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and company owned equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
  4. Audit the policy to insure it is being followed.
  5. Enforce the policy if employees are not following it.
  6. Train the employees on the policy.
  7. Document everything.
For employees:
  1. Understand that if you setup and use these services from employer locations, equipment and with company ESI, all content in that account could be subject to eDiscovery review, personal or company related.
  2. Ask your organization what the policy is for employee use of cloud storage/
  3. If you use these services for work, only use them with company content, not personal files.
  4. Be forthcoming with any legal questioning about the existence of these services you use.
  5. Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel
For opposing counsel:

Be aware of these services and ask the following questions during discovery:

  1. Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
  2. Do you have a use policy which addresses these services?
  3. Does the policy penalize employees for not following this use policy?
  4. Do you audit this use policy?
  5. Have you documented the above?

These cloud services are an obvious productivity tool for employees to utilize to make their lives easier as well as more productive. All involved need to be aware of the eDiscovery implications.

“Free to the public cloud storage” – Becareful…

Bill Tolson Cloud Storage, eDiscovery, Technology , , , ,

In a recent blog posting titled “The coming collision of “free to the public cloud storage” and eDiscovery”. I mentioned some of the potential gotchas involved in storing your ESI with these cloud services. One of the cloud storage services I named was the Dropbox service.

On Friday the Dropbox cloud storage start-up announced changes to its policies, claiming it had rights to your data stored on its service.

The original section read: “You grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service.”

This message obviously started a major reaction so the company has revisited its terms again, being forced to update its blog twice in order to try and calm the storm surrounding its policy.

The last two blog updates are below:

[Update – 7/2] – We asked for your feedback and we’ve been listening. As a result, we’ve clarified our language on licensing:

You retain ownership to your stuff. You are also solely responsible for your conduct, the content of your files and folders, and your communications with others while using the Services.

We sometimes need your permission to do what you ask us to do with your stuff (for example, hosting, making public, or sharing your files). By submitting your stuff to the Services, you grant us (and those we work with to provide the Services) worldwide, non-exclusive, royalty-free, sublicenseable rights to use, copy, distribute, prepare derivative works (such as translations or format conversions) of, perform, or publicly display that stuff to the extent reasonably necessary for the Service. This license is solely to enable us to technically administer, display, and operate the Services. You must ensure you have the rights you need to grant us that permission.

[Update 2 – 7/2] – An update based on your feedback:

One of the main reasons we updated our terms of service was to make them easier to read and understand. It seems we’ve mostly accomplished that, which we’re thrilled about.

Some of you have written us with very understandable concerns about the legal-sounding parts. In particular, our new TOS talks about the licenses we need to run Dropbox. We want to be 100% clear that you own what you put in your Dropbox. We don’t own your stuff. And the license you give us is really limited. It only allows us to provide the service to you. Nothing else.

We think it’s really important that you understand the license. It’s about the permissions you give us to run the service, things like creating public links when you ask us to, allowing you to collaborate with colleagues in shared folders, generating web previews or thumbnails of your files, encrypting files, creating backups… the basic things that make Dropbox safe and easy to use. Services like Google Docs and others do the same thing when they get these permissions (see, for example, section 11.1 of Google’s TOS).

We wish we didn’t have to use legal terms at all, but copyright law is complicated and if we don’t get these permissions in writing, we might be putting ourselves in a tough spot down the road. Not to bore you with the details, but please take a look at the license term in the TOS. We think it’s fair and strikes the right balance: “This license is solely to enable us to technically administer, display, and operate the Services.”

We want to thank everybody who wrote in, understanding your concerns helps us make Dropbox better.

Drew & Arash

It looks to me that they made a decent and honest attempt to come back from a really unsettling policy change. The main point here is that you have to understand the policies which manage your data on these services.

One practice I employ when using these services is to encrypt the data I upload to these services using applications such as TrueCrypt or PGP (see my blog on this topic). This practice does remove some of the capabilities such as indexing for search on the cloud service but the main reason I utilize these cloud storage offerings is to to be able to access my data anywhere from any computer.

Discovering the public cloud in Outlook

Bill Tolson Cloud Storage, eDiscovery, Technology , , , , , , , , , , ,

In my blog “The coming collision of “free to the public cloud storage and eDiscovery” posted on June 23, I talked about these new free cloud storage options and how they could become a problem in the litigation/eDiscovery process. While researching that blog, I found an interesting capability with Microsoft Outlook and the various cloud storage offerings.

It is called a email folder URL redirect. Microsoft Outlook includes the capability to associate an email folder with a Web page. You can set up this association so that when you select the email folder, the Web page appears or the contents of the folder appear.

This capability can be useful when you want to include internal instructions or news about the organization. Another example would be a redirected folder pushed out to all in the organization announcing a litigation hold and answering questions about the hold, expectations, target content etc.  Although this capability provides the opportunity to create powerful public folder applications, non-approved scripts can be included on the Web page that access the Outlook object model, which exposes users to security risks so users should not be adding redirected email folders without IT’s approval.

So how does this capability, email folder URL redirection, relate to cloud storage? All four of the “free to the public cloud storage” offerings mentioned in the blog include a web page where files can be uploaded, viewed and downloaded. This means, for example, the Amazon Cloud Drive service could be a redirection target for an Outlook email folder.

Use the following steps to create and associate an e-mail folder with a Web view:

  • If you don’t already have a folder list showing in your Outlook front end, click on the View menu, then click Folder List.
  • Create a new folder in the folder list called Amazon Cloud by right clicking on the top most folders where you want to create the Cloud folder under. Then type in the new folder name Amazon Cloud

Figure 1: Create a new email folder called “Amazon Cloud”

  • In the Folder List, right-click the folder that you want to associate with a Web page, and then click Properties on the shortcut menu.
  • In the Property dialog box, click the Home Page tab.
  • In the Address box, type the URL for the Amazon Cloud drive web page.
  • Click to select the Show home page by default for this folder check box if you want the Web view active.

Figure 2: Input the URL address of the Amazon Cloud drive webpage

  • Click OK.

Now, by clicking on the new email folder, you will see the Amazon Cloud drive sigh in webpage.

Figure 3: Access and sign in to your Amazon Cloud drive webpage

Figure 4: You now have full access to your cloud storage from within Outlook

Some things you can now do include being able to open files from within your Amazon Cloud Drive. Once opened, data can be copied and pasted to a new email you might be creating.

Some things you can’t do directly include saving an email attachment directly to your cloud drive, dragging a file in your cloud to an email. For both these capabilities, an interim step is required. Namely coping files to your desktop first.

If that’s the case, is this capability useful? That depends… If you utilize a “free to the public cloud storage” service then you may want a more direct capability to view content in your cloud from within Outlook. This is somewhat of a stretch but you never know.

The main reason I’ve highlighted this capability is to illustrate how difficult the eDiscovery collection and litigation hold processes are getting when custodians have all these different options for storing (hiding) potentially responsive ESI.

The coming collision of “free to the public cloud storage” and eDiscovery

Bill Tolson Cloud Storage, eDiscovery, Information Management, Technology , , , , , , , , , , , , , , , , , ,

The discovery process is tough, time consuming and expensive. What new problems are corporate attorneys facing now with the availability of “free to the public cloud storage”?

First, what is “free to the public cloud storage”? For the purposes of this blog I will define it as a minimum amount of storage capacity offered by a third party, stored and accessible via the internet made available to the public at no cost (with the hope you purchase more). The cloud storage offerings I’ve already mentioned do not limit the types of files you can upload to these services. Music storage is a prime target for these services but many, like myself, are using them for storage of other types of files such as work files which can be accessed and used with nothing more than a computer and internet connection, anywhere.

Examples of these cloud storage offerings include Dropbox, Amazon Cloud Drive, Apple iCloud, and Microsoft SkyDrive. I looked at the Google Cloud Service but determined it is only useful with Google Docs.

A more detailed comparison of these services can be found here.

The only differences between the four offerings stem from the amount of free capacity available and how you access your files. For example, my Amazon Cloud Drive as seen from my Firefox web interface:

Figure 1: The Amazon Cloud Drive web interface

The advantage to users for these services is the ability to move and store work files that are immediately available to you from anywhere. This means you no longer have to copy files to a USB stick or worse, email work files as an attachment to your personal email account. The disadvantage of these services are corporate information can easily migrate away from the company security and be managed by a third party the company has no agreement with or understanding of in reference to the third party will respond to eDiscovery requests. Also be aware that ESI, even deleted ESI is not easily removed completely. In a previous blog I talked about the Dropbox “feature” of not completely removing ESI when deleted from the application as well as keeping a running audit log of all interactions of the account (all discoverable information). The Amazon Cloud Drive has the same “feature” with deletions.

Figure 2: The deleted items folder in the Amazon Cloud Drive actually keeps the deleted files for some period of time unless they are marked and “Permanently Deleted”

The big question in my mind is how will corporate counsel, employees and opposing counsel address this new potential target for responsive ESI? Take, for example, a company which doesn’t include public cloud storage as a potential litigation hold target, doesn’t ask employees about their use and or doesn’t search through these accounts for responsive ESI…potential spoliation.

For Corporate counsel:

  1. Be aware these types of possible ESI storage locations exist.
  2. Create a use policy addressing these services. Either forbid employees from setting up and using these services from any work location and equipment or if allowed be sure employees acknowledge these accounts can and will be subject to eDiscovery search.
  3. Audit the policy to insure it is being followed.
  4. Enforce the policy if employees are not following it.
  5. Document everything.

For employees:

  1. Understand that if you setup and use these services from employer locations, equipment and with company ESI, all ESI in that account could be subject to eDiscovery review.
  2. If you use these services for work, only use them with company ESI, not personal files.
  3. Be forthcoming with any legal questioning about the existence of these services you use.
  4. Do not download any company ESI from these services to any personal computer, this could potentially open up that personal computer to eDiscovery by corporate counsel

For opposing counsel:

Ask the following questions to the party being discovered

  1. Do any of your employees utilize company sanctioned or non-sanctioned public cloud storage services?
  2. Do you have a use policy which addresses these services?
  3. Does the policy penalize employees for not following this use policy?
  4. Do you audit this use policy?
  5. Have you documented the above?

These services are the obvious path for employees to utilize over the next couple of years to make their lives easier. All involved need to be aware of the eDiscovery implications.

Software bug exposed Dropbox users’ accounts to others

Bill Tolson Cloud Storage, eDiscovery, Technology , , , ,

I posted a blog back on May 16, 2011 about the Dropbox cloud storage service. Yesterday I saw the following headline in the Los Angeles Times; “Software bug exposed Dropbox users’ accounts to others” and thought it would be a timely story to pass on to others that don’t read the LA Times. The point of the story was that accounts of people using Dropbox were accessible to other users during a nearly four hour period last Sunday.

Click on the hyperlink above to read the full story.

Steps to avoid email archiving woes

Bill Tolson Cloud Storage, eDiscovery, Information Management, records retention , , , , ,

On April 26, ProofPoint, a cloud email archiving provider (among other solutions), published a short but interesting article; “Steps to avoid email archiving woes” talking about incomplete email archives.

I must say I agree with the article in general and especially with the point that the archive needs to be easy to search for in eDiscovery. With that thought I also wanted to add that for really effective eDiscovery of your email data, a complete archive is essential. What you want to avoid is being forced to go to backup tapes because some potentially responsive email might reside only on your backup tapes; a costly situation.

If you’re going to archive your email with eDiscovery in mind, be sure you choose a vendor that can captures everything that could be asked for in eDiscovery.

The ROI of Information Management

Bill Tolson Cloud Storage, eDiscovery, records retention, Technology , , , , , , , , , , , ,

Information, data, electronically stored information (ESI), records, documents, hard copy files, email, stuff—no matter what you call it; it’s all intellectual property that your organization pays individuals to produce, interpret, use and export to others. After people, it’s a company’s most valuable asset, and it has many CIOs, GCs and others responsible asking: What’s in that information; who controls it; and where is it stored?

In simplest terms, I believe that businesses exist to generate and use information to produce revenue and profit.  If you’re willing to go along with me and think of information in this way as a commodity, we must also ask: How much does it cost to generate all that information? And, what’s the return on investment (ROI) for all that information?

The vast majority of information in an organization is not managed, not indexed, not backed up and, as you probably know or could guess, is rarely–if ever–accessed. Consider for a minute all the data in your company that is not centrally managed and  not easily available. This data includes backup tapes, share drives, employee hard disks, external disks, USB drives, CDs, DVDs, email attachments  sent outside the organization and hardcopy documents hidden away in filing cabinets.

Here’s the bottom line: If your company can’t find information or  doesn’t know what it contains, it is of little value. In fact, it’s valueless.

Now consider the amount of money the average company spends on an annual basis for the production, use and storage of information. These expenditures span:

  • Employee salaries. Most employees are in one way or another hired to produce, digest and act on information.
  • Employee training and day-to-day help-desk support.
  • Computers for each employee
  • Software
  • Email boxes
  • Share drives, storage
  • Backup systems
  • IT employees for data infrastructure support

In one way or another, companies exist to create and utilize information. So… do you know where all your information is and what’s in it? What’s your organization’s true ROI on the production and consumption of your information in your entire organization? How much higher could it be if you had complete control if it?

As an example, I have approximately 14.5 GB of Word documents, PDFs, PowerPoint files, spreadsheets, and other types of files in different formats that I’ve either created or received from others. Until recently, I had 3.65 GB of emails in my email box both on the Exchange server and mirrored locally on my hard disk. Now that I have a 480 MB mailbox limit imposed on me, 3.45 GB of those emails are now on my local hard disk only.

How much real, valuable information is contained in the collective 18 GB on my laptop? The average number of pages of information contained in 1 GB is conservatively 10,000. So 18 GB of files equals approximately 180,000 pages of information for a single employee that is not easily accessible or searchable by my organization. Now also consider the millions of pages of hardcopy records existing in file cabinets, microfiche and long term storage all around the company.

The main question is this: What could my organization do with quick and intelligent access to all of its employees’ information?

The more efficient your organization is in managing and using information, the higher the revenue and hopefully profit per employee will be.

Organizations need to be able to “walk the fence” between not impeding the free flow of information generation and sharing, and having a way for the organization as a whole to  find and use that information. Intelligent access to all information generated by an organization is key to effective information management.

Organizations spend huge sums of money to generate information…why not get your money’s worth? This future capability is the essence of true information management and much higher ROIs for your organization.

 

Cloud Storage is not as secure as local storage…Really?

Bill Tolson Cloud Storage, Technology , , , , , , , , , ,

A December 13th posting in the Harvard Business Review Blog titled; Cloud Computing? Not So Fast — Unintended Consequences of Recent Disclosures, seemed to conclude cloud computing/cloud storage was inherently less secure than traditional local or on-premise storage of sensitive records.  The blog entry tried to site a couple recent cases to prove the point. One example used was the wikileaks revelations.  The implication was this massive amount of leaked information was (more easily) leaked because it was “stored in the cloud” verses somewhere else…such as an organization’s NAS or SAN.

The implication of the blog posting is inaccurate in that it assumes the top secret federal government controlled files were stored in a third parties data center with little or no security and this was why army private Bradley Manning was able to easily steal a such huge cache of files/records.

I don’t know for a fact, but my guess would be that this data was held within the federal government infrastructure and was not being stored at a third party data center. But even if the data was held at a third party facility, security of the data is key.

There are several definitions of cloud storage but the one most referenced is; cloud storage is storage accessed over a network (internal or external) via Web Services APIs. To many in the business world, cloud storage is a service which allows an organization to store electronic files/records in a third party remote location. Organizations will look at this service for a couple of reasons; first it may be less expensive then purchasing and maintaining their own local storage resources. The second reason is for increased security; sensitive data can be better protected from employee leaks etc.

The miss-used wikileaks example aside, it may be the author doesn’t fully understand the technology involved in on-premise storage verses cloud storage. In my experience, most organizations don’t protect the data their employees store locally with encryption or other safeguards. Many of the cloud storage providers encrypt data being stored to a cloud repository as it arrives at the storage facility. A couple providers encrypt it before it leaves the customer’s location; and of course the encryption key is known only to the owner of the data not the storage provider.

Top tier cloud storage providers store their customer’s encrypted data in class 4/5 secure underground data centers. Many Fortune 100 companies believe this type of storage is higher quality than letting their employees store sensitive data locally…

With Upcoming Legislation, Cloud Storage is Looking Brighter

Bill Tolson eDiscovery, Uncategorized , , , , , , , ,

Back on December 30, 2009 I blogged about how cloud storage could have a problem catching on with larger enterprises because of a lesser known provision in the Patriot Act called the National Security Letters.

Under the provisions of the Patriot Act, these National Security Letters, a form of administrative subpoena used by the United States Federal Bureau of Investigation and reportedly by other U.S. Government Agencies including the Central Intelligence Agency and the Department of Defense, can be used to require “carriers” to turn over records and data concerning individual customers (corporate customers) if asked to do so by the Federal government. The letters do not require the government to get a court order, so in effect the regulation allows the government to access that information on demand.

So the question was; how many GCs of large corporations will steer their companies away from this potential legal risk?

I have found out that the congress is working on changing how this provision of the Patriot Act can be applied to better protect organization’s data stored in the cloud.

On March 30, 2009 H.R 1800, the National Security Letters reform Act of 2009, was introduced and is currently in committee. The summary of the Bill is below:

Prohibits a national security letter (letter) (a request for information sought by the Federal Bureau of Investigation (FBI) in connection with a criminal investigation) from being issued unless the issuing official certifies specific facts providing reason to believe that the information or records sought pertain to a foreign power or agent thereof. It prohibits a letter from being issued in connection with an investigation of a U.S. person solely upon the basis of activities protected by the First Amendment to the Constitution. It prohibits: (1) a letter from containing unreasonable requirements or requiring privileged matter; or (2) disclosing to a person that the FBI has sought or obtained access to information under a letter for 30 days after receipt of the FBI’s request for such information. It authorizes judicial review for the modification or revocation of a letter. Provides limited uses of information acquired through a letter. It allows persons against whom evidence obtained from a letter is to be used to file a motion to suppress. It provides a civil cause of action for the misuse of letters. It requires the authority to issue letters to revert, five years after the enactment of this Act, to that provided by law on October 25, 2001. It requires the Attorney General to: (1) undertake minimization and destruction procedures with respect to information acquired through letters; and (2) report semiannually on the number and use of letters. It requires the disposal of wrongly acquired information. And it revises requirements relating to claims of emergency in connection with certain letters.

With these new protections (if H.R. 1800 is passed into law eventually) on how the National Security Letters can be used, I believe many of the larger organizations will embrace these new protections and speed up their adoption of cloud storage offerings.