The iPad Lawyer | eDiscovery in a Cloud-Based World
Cloud computing is where we all seem to be headed. For storage and syncing with your iPad (and other devices), there are certainly mainstream services like Dropbox, SugarSync, SkyDrive, Google Drive, Box, SpiderOak, and other similar third-party offerings. And just recently BitTorrent Labs put out an alpha release of its new sync and share option (called BitTorrent Sync), which the publisher claims is a “private” and “secure” way to share information. For others, the cloud provides the freedom to use cloud-based vendor sites like Facebook, Twitter, Amazon, PayPal, Salesforce, QuickBooks, and a dizzying and ever‑growing array of similar services.
While the use of the “cloud” certainly makes data archiving, collaboration, and paperless storage cost‑effective and easy in an iOS environment, everyone should take the time to consider what would happen if you or your cloud service provider received a subpoena or other legally sufficient court order to turn over your cloud-based information. From the research I have seen, it appears less than 20% of cloud service users have an eDiscovery plan in place. And many of the organizations I have consulted with don’t even know if they have an eDiscovery plan in the first place. These failings will ultimately lead to the inability to readily access requested information in a timely and cost-effective manner and could lead to catastrophic results.
Others have proposed that cloud users need to carefully research, delineate, and in some cases, revise service level agreements directly with their cloud vendors to address everything from preservation of data to admissibility in court. While the use of negotiated service level agreements makes sense in a vacuum and on a hypothetical basis, let’s get real. The fact remains that neither you nor your clients are going to be able to negotiate on a case-by-case basis with the likes of Google as to eDiscovery issues. Likewise, most companies are not going to host their own private cloud server for a variety of economic and ease‑of‑use reasons. As a cloud user, then, you need to assume that at some point in time the privacy of your data will be compromised. In other words, it’s not a matter of “if” you will have to turn over information to someone, it’s a matter of “when” that will happen.
With the massive push towards iPad use, Dropbox, as an example, is gaining in popularity and ease of use. In fact, most iPad apps are now built around automatic synchronization with Dropbox! Businesses and attorneys I work with are, at the very least, using Dropbox for agenda and other document handling between iOS devices. Most of them, however, don’t realize that, although Dropbox touts its security features, those protections are in place to prevent hacking from the outside – not to prevent Dropbox itself from giving up information in response to a subpoena. So that there is no doubt in your mind where this is all headed, here is the current privacy posting from Dropbox on that topic:
“Compliance with Laws and Law Enforcement Requests; Protection of Dropbox’s Rights. We may disclose to parties outside Dropbox files stored in your Dropbox and information about you that we collect when we have a good faith belief that disclosure is reasonably necessary to (a) comply with a law, regulation or compulsory legal request; (b) protect the safety of any person from death or serious bodily injury; (c) prevent fraud or abuse of Dropbox or its users; or (d) to protect Dropbox’s property rights. If we provide your Dropbox files to a law enforcement agency as set forth above, we will remove Dropbox’s encryption from the files before providing them to law enforcement. However, Dropbox will not be able to decrypt any files that you encrypted prior to storing them on Dropbox.”
(As a side note: I highly recommend activating what is called “two-step” or “two-factor” authentication when using the cloud. This takes security in cloud computing to the next level by requiring a user to provide two authentication factors (pieces of data), which the provider then uses to prevent unauthorized access and/or identity theft. You can activate this in Dropbox by following the instructions found here: https://www.dropbox.com/help/363/en.)
For those of you who want to use the cloud and are not in a position to negotiate a personalized service level agreement (that’s most of you), here is a massively powerful yet easy-to-employ tip to which Dropbox itself alludes – use encryption programs for your cloud-based data. Continuing with our Dropbox example, there are products like Viivo (http://viivo.com) and BoxCryptor (http://boxcryptor.com) that will readily accomplish this goal. These types of products permit a cloud user to create encrypted cloud-based folders/data. If Dropbox, for example, were to be served with a subpoena, then there is likely not much that the receiving party can do with the encrypted data without a court order that also mandates the requesting party be given the encryption key. Voilà! You now have an added layer of protection. Both Viivo and BoxCryptor also offer cross-platform and multi-device solutions. Viivo is free for personal and commercial use. BoxCryptor is free for non-commercial use.
Finally, as organizations develop their technology policies, it remains a hard fact that proper training of employees and consistent enforcement of policy are the day-to-day challenge. By creating a heightened sensitivity to cloud storage matters, some of the concerns over eDiscovery can be mitigated.