As we explained in our last post, managing ediscovery in the cloud is the only viable solution for dealing with the massive amount of electronic data involved in litigation today. Nextpoint has been an advocate for cloud-based ediscovery for 20 years, but the industry’s transition to the cloud has been slow. In 2022, less than half of ediscovery professionals surveyed agreed that the cloud is now the norm, but the vast majority believe it will become the norm within the next two years.

This means many firms and legal teams will be looking to make the switch to the cloud in the near future. When adopting any new technology, it’s important to know the right questions to ask and the criteria to look for in a vendor. In this excerpt from our white paper on managing ediscovery in the cloud, we cover these questions and share tips to help legal teams make the transition to the cloud. Click here to download the full white paper.

Cloud Computing in Ediscovery – Is It Ethical?

All businesses should be concerned about putting client data in the hands of a third party. Lawyers have reason to be especially concerned about these kinds of transactions, as they have special ethical obligations to maintain absolute client confidentiality.

To maintain client confidence and to avoid the inadvertent disclosure of data, law firms have to perform due diligence to understand how their data is being stored. Under the comments to ABA Model Rule 1.1 regarding competency, lawyers now have to understand the “risks and benefits of technology.” This means for competency purposes, lawyers have to understand technology, much like they do the substantive areas of the law.

Given this fact, ediscovery providers in the cloud must be treated as partners, not just a software provider. The right partner will make sure your clients’ data is private and secure – in fact, with the right security measures, hosting data in the cloud is far more secure than hosting it on-site.

In this paper, you will find a checklist of questions a cloud provider must answer regarding data storage, security protocols, and data export restrictions before a law firm can export their data to them. Before entrusting client data to a third party, the ethical implications of that relationship must be considered and all doubts and questions resolved before transferring information.

What Are Your Options For a Cloud-Based Platform?

The range of options for cloud-based ediscovery runs from old-fashioned client-server software that demands an experienced, in-house IT staff, to services that offer some infrastructure, all the way to Software-as-a-Service (SaaS). SaaS should require no maintenance, updates or hardware other than your connection to the online service you purchased.

Some ediscovery vendors have relaunched existing locally-installed software to take advantage of the cloud environment. Unfortunately, locally installed software is not designed to dynamically allocate resources or effectively take advantage of cloud computing architecture. Often, these efforts are marketed as a “private cloud,” which is a cloud infrastructure operated solely for a single organization. These products are most times hosted and managed by in-house IT staff or in other instances by an outside third-party.

Note that a private cloud is often just a rebranded version of software that was created for an on-premise computing model. It often offers none of the advantages of a true cloud environment while keeping many of the disadvantages of on-premise software. Even the Wikipedia entry describing this model notes that “Undertaking a private cloud project requires a significant level and degree of engagement to virtualize the business environment, and requires the organization to reevaluate decisions about existing resources. It can improve business, but every step in the project raises security issues that must be addressed to prevent serious vulnerabilities.”

When considering a solution, see where it fits on the continuum between on-premise, private cloud, or Software-as-a-Service.

Questions to Ask a Cloud Ediscovery Vendor

True Cloud

What kind of cloud or SaaS service do they claim to provide? Are they offering an actual cloud application, or is it called a hosted service? A private ‘cloud’? Only a full-fledged cloud computing platform can offer all of the advantages described in our last post.

SLA

Does your provider have a Service Level Agreement (SLA) and a response time that will be acceptable to your stakeholders? Ask the provider how highly available the cloud platform will be. Examine the aspects that give it claimed high availability. What will you need to do yourself to reach the degree of availability you think your applications will need?

Access

Is data accessible 24 x 7? Some cloud providers do not deliver round-the-clock data access.

Guaranteed Uptime

How do they guarantee that their service will experience only minimal levels of service interruptions? Most companies claim to have practically no downtime. This may be true, but only if data is stored in paired but geographically distributed data centers. Providers that host data in their own data centers are not likely to be able to guarantee service.

Stamping/Production/Exporting

Can they stamp and produce your data to third parties electronically through the cloud? Do they limit your ability to export your data? Can you get your data back without any complications? How is data delivered, and how quickly can they return it to you? Does the vendor charge additional fees to stamp, produce, and export data or to leave the service? Is there a feature that allows you to see when someone has opened and viewed your production?

Services/Support

Are professional services available to assist with complex importing and management of data? Are there on-going services provided to customers for data export? Almost every company will have some form of tech support, but in many cases, it only exists for troubleshooting issues with the software. A provider that offers expert ediscovery support will be able to assist with matters like data collection and processing and help your team meet tight deadlines when necessary. Be sure to determine whether your provider offers “tech support” or true litigation support.

Data Controls

Do they prohibit data co-mingling with other customers? Can they guarantee your data is kept in a virtual workspace that is not accessed by anyone else? What access controls do they provide? Can they guarantee only trusted users can access your data?

Security

Make sure the provider you choose has strong data security features, including:

• Firewall to prevent outsiders from breaking into a closed computing system.

• Encryption to protect data as it is being transmitted, and while it is at rest.

• Intrusion Detection to identify potential threats.

• Geographic Redundancy of all data for disaster recovery and backup

Additionally, companies can obtain certifications from outside parties to verify the effectiveness of their data security measures. These include Soc 2 Compliance, FISMA certification, SAS 70 – Type II, and SSAE-16.

Geography

Can the cloud provider offer location assurance? Is data always maintained in the jurisdiction specified by the customer (e.g. US, Canada, or EMEA)? Consumer data privacy has come under deeper scrutiny in recent years, and many jurisdictions are enacting stricter data privacy laws. Legal teams may face restrictions on the geographic location data can be stored in, which is why Nextpoint recently launched new AWS environments in California and Canada. Be sure to speak with potential providers to make sure they’re keeping up with changes in data privacy laws.

Software

Some ediscovery applications need to download an ActiveX installer or an applet to your system in order to work. This is a sign that the software is built with licensed technology. The best applications are built from the ground up by a dedicated team of in-house developers, and are not a grab bag of licensed software kludged together. Is the software built and maintained by in-house developers?

Credentials

Most importantly – does the service provider have proven ediscovery and litigation support experience? Do they have client references and industry cred?