During the last decade, individuals and business have changed the way they manage their data by moving this data management offsite – otherwise known as cloud computing. This differs from the old model of information management that, more or less, mirrored the pre-computing era, meaning that an employee’s file might be kept in a cabinet in a Human Resources (“HR”) office or stored on a company’s in-house server. With cloud computing, however, that same employee file may be stored hundreds or thousands of miles away from the HR officer who needs to review it – or the IT officer tasked with preserving that data for potential litigation.
Cloud computing outsources data and software management, migrating it from the local to the global by providing instant access over the internet. According to the National Institute of Standards and Technology, cloud computing has five primary characteristics: (1) “on-demand self-service,” or the ability to call up stored data or capabilities as needed; (2) broad network access through a variety of platforms; (3) pooling resources providing “location independence”; (4) “rapid elasticity” in the distribution of computing capabilities, and (5) “measured service,” or service-appropriate control and optimization by the cloud system manager rather than the local user. It is the pooling of resources and the measured service managed by third-parties that pose the greatest risks during e-discovery.
Under the Federal Rules of Civil Procedure, parties must produce copies or descriptions of documents in their possession, custody, or control. By using cloud services, a potential litigant has placed a third-party in the way of important data. That party, however, may not relinquish control over that data and it must be preserved and, possibly, produced. Control of that data could be set forth in the service contract between the cloud provider and the user. Control could also be found because a party has the practical ability to access and obtain the documents from a third-party. As a result, and to avoid a misstep during discovery, clients and counsel need to fully understand the agreements governing important data and the actual technology through which the cloud data is accessed.
Parties employing the cloud are also at risk that certain electronically stored information may be overwritten or subject to routine deletion. Moreover, it may not be technologically or commercially feasible for a cloud service provider to prevent routine maintenance when relevant data is pooled with that of thousands or millions of other users. Without significant guidance on the interplay between cloud computing and any safe harbors for good-faith conduct, potential litigants need to be cautious during discovery to take all reasonable and feasible steps to preserve and produce responsive data. Similarly, litigants and their counsel should remember that discovery should be candid, cooperative, and transparent. Failing to timely disclose or address issues raised by cloud computing may result in sanctions that could have been avoided.
Cloud computing creates new layers of uncertainty for businesses or individuals who may later be involved in litigation. Although the data may be stored elsewhere, parties will likely have “control” over that which is stored in the cloud and will often bear the same responsibilities with respect to preservation and production as they would for files kept on site. Cloud users should routinely assess their risk by reviewing which data and which services are being migrated to, or are currently in, the cloud. Similarly, cloud computing should be taken seriously from its inception. Parties should conduct their due diligence on potential providers, review agreements and policies, and preempt any risk that saving money now will cause serious costs in court. If litigation arises that may involve cloud data or software, parties should be vigilant in preserving that data and documenting this, and all efforts taken to comply with discovery requests.
 Peter Mell and Tim Grance, NIST, The NIST Definition of Cloud Computing 1 (2009), available at http://www.nist.gov/itl/cloud/upload/cloud-def-v15.pdf.
 See, e.g., Flagg v. City of Detroit, 252 F.R.D. 346, 354 (E.D. Mich. 2008) (finding that City maintained control over text messages preserved by cell provider “pursuant to its contractual relationship”).
 See, e.g., In re NTL, Inc. Sec. Litig., 244 F.R.D. 179, 195 (S.D.N.Y. 2007) (noting that control is often interpreted broadly).
 See, e.g., Cartel Asset Mgmt. v. Ocwen Fin. Corp., No. 01-CV-01644-REB-CBS, at 25 (D.Co. Feb. 8, 2010) (order on pending motions), available at http://www.thesedonaconference.org/content/tsc_cooperation_proclamation (endorsing Sedona Conference Cooperation Proclamation).