How cloud-based solutions are changing the way we approach discovery and disclosure obligations

Back to Technology Law Committee publications

Daniel Rupprecht
iDiscovery Solutions, London
drupprecht@idsinc.com

Cloud-based solutions to discovery obligations

Discovery and data interrogation/disclosure can be a virtual minefield in Europe. In every circumstance, varying jurisdictional requirements and protections must be addressed before information can be processed or moved from its native environment. From attorney-client privilege and personal privacy to blocking statutes and data protection regulations, the wholesale collection of electronically stored information (ESI) needs to be run through a litany of checks and balances before reaching the hands of legal counsel or the requesting authorities.

The purpose of this article is to:

• explore emerging solutions to the data volume conundrum;

• consider how emerging solutions relate to regulatory investigations;

• identify varying issues associated with data portability; and

• look for options that enable more flexibility in deployment, effecting both time and cost.

The standard approach to data analysis

In its simplest form, data analysis follows this very high-level roadmap:

• data identification;

• collection;

• processing;

• analysis;

• review; and

• production.

Each phase requires a multitude of technologies to drive one stage to the next and each phase is necessary to provide the user essential information to protect subject rights.

Understanding where data can be found within any organisation will always be the first step. Every project is made or broken by how well information is stored. Commonly referred to as information governance, this responsibility rests with the individual or corporation in control of the data. A good handle upon one’s own data is paramount when identifying potentially relevant information. Knowing who or what might be involved also provides clarity on how measured or robust a collection needs to be. The less you know, the more information needs to be collected to ensure all relevant data has been captured.

Once particular data sets have been identified, extraction can begin. Collection typically takes place on-site with either in-house resources or through partnership with a forensics expert. This task again requires clear thought around what is acceptable with regard to governing regulations but also requires a level of expertise in order to avoid spoliation of important metadata: background information on each and every document that is relied upon to analyse ESI. Once extracted, a determination is made on where the data should go.

European jurisdictions follow different rules regarding data portability. The General Data Protection Regulation (GDPR), which came into effect in 2018, attempted to harmonise the various data protection laws across the continent; however, other limitations on data transfer have been in place to compliment the GDPR, creating additional challenges when deploying flexible solutions. France’s blocking statutes, for example, require all communications that relate to conducting business within its borders to remain in country, even if subject to legal proceedings abroad. With specifically designed vehicles only allowing data to be transferred outside of France, all technological solutions to data analysis must remain local.

The eDiscovery market

The eDiscovery market is built upon a gigabyte (GB) in/out model whereby the amount of data ingested, processed, and stored is charged on a per-GB basis.

Due to the high cost of equipment in place, again due in part to the strict rules on data transfer, coupled with maintenance associated with upkeep, those taking advantage of advanced technologies to get to relevant information at speed, often wonder if there are other options.

Although for some, local solutions will be the only option, there are now alternatives that can harness cloud environments and are providing cost savings without losing the access to next generation analytics essential in tackling large volumes of data.

AWS and data analysis in the cloud

Amazon Web Services (AWS)^[1] is a cloud-computing environment that allows subscribers to store data and software-based solutions in ‘server farms’ located around the world. On a pay-as-you-go basis, those who take advantage benefit from a lack of on-premise infrastructure and the cost in maintaining one. They also benefit from the ability to scale up or down as needed, have access to security controls in-line with the most stringent regulatory regimes, and can adopt the flexibility to move from one region to the next with fluidity.

As stated, the GDPR^[2]  is not the only concern when it comes to data processing and analysis. No issue creates more concern than the transferability of data outside of certain jurisdictions. France and Germany are two of the most rigid countries in Europe when it comes to collecting/transferring data out of country.

To address this, Amazon have stationed ‘server farms’ in locations that strictly adhere to jurisdictional differences and lock down data in accordance with the rules and regulations for that location. Control of data is maintained solely by the subscriber and remains in the designated region unless approved once again by the subscriber.

Thus, in the case of France and Germany, data remains in AWS EU Region (Paris) and AWS EU Region (Frankfurt) respectively unless specifically instructed to move data out of that particular region.

AWS also provides the security expected by data protection authorities across the continent. Maintaining confidential information that is both privileged as well as proprietary is of vital importance to any institution. Those looking to build their infrastructure in the cloud and store potentially sensitive information are ensured data receives the highest level of security. AWS environments carry with it the most stringent certifications including ISO 27001 and is far more advanced than most organisations own internal networks. Systems are regularly checked and any issues that potentially could arise are reported upon discovery.

eDiscovery companies operating in various jurisdictions have been met with varied obstacles when deploying technological solutions in different locations. By taking advantage of an AWS environment, both eDiscovery practitioners as well as their law firm and corporate clients can now benefit from a host of new options and opportunities.

According to Stuart Clarke, Chief Technology Officer & Global Head of Security & Intelligence at Nuix:

‘New storage locations and data types is not a new phenomenon, it's a constant but so are the collection challenges that come with it. It might feel natural to want to collect and download cloud data into forensically sound containers, but repositories like Office365, Google Vault, Box and more do not lend themselves to this and there is much to consider. Cloud providers often throttle access when you try to get data out and connectivity issues risk spoliation of the data. There is an ever increasing need for problems to be solved including legal hold, federated search and defensible preservation of data as it sits within the cloud.’

eDiscovery in the cloud

When taking into consideration the benefits of operating in a cloud environment, how can building a data management or document review instance in an AWS region create efficiencies in the eDiscovery space?

Mobility

First and foremost is mobility. Service providers no longer need to be locked into a single location. Platforms and document review capabilities can be spun up virtually anywhere and because each region must conform to the data protection standards of that particular jurisdiction, providers of discovery technology find themselves in compliance by design at the outset.

A common complaint associated with physical server options is the maintenance of upkeep regarding keeping the various systems online. This takes significant manpower and constant monitoring to ensure all functions remain operational. When issues do occur, downtime can last hours or longer. This becomes even more prevalent if mobile servers are deployed on-site requiring even more monitoring and regular maintenance, carrying an even higher risk of downtime. Under an AWS instance, near constant monitoring and endless backup resources provide a level of stability unmatched when utilising a more standard option. This means less chance of issues arising and a recognition of cost saving from idle lawyers unable to access documents to review.

Increase in data volumes is a common thread across all issues associated with discovery technology. The more data processed; the more cost associated with its review. As data creation is growing exponentially on a yearly basis, logic dictates that the management of that data and associated costs will also grow exponentially. By maintaining a review platform in the cloud, subscribers can deploy investigative technologies at half the cost if not less. Much of the overhead due to creating, operating, and monitoring systems is saved and thus can be passed on to the end user. This allows services providers who opt for cloud solutions to then focus on more value-add deliverables, such as consultancy.

Conclusion

Cloud-based solutions such as discovery technology deployed in an AWS environment will not be for everyone. Each organisation has its own concerns when considering the various options associated with collecting and reviewing data.

For some, it will be proprietary information that is highly confidential. Others might be focused on subject rights and data privacy. For most, however, the costs associated with interrogating and ultimately disclosing relevant information is becoming unmanageable as data volumes continue to rise.

Under these circumstances it is important to have options, one of which is to take advantage of a cloud-based solution. More industries are beginning to accept the benefits and as understanding of compliance and adherence to regulatory obligations become clearer, more will adopt this as a viable solution. Discovery technology providers should consider the same or risk precluding some potential users the ability to access valuable discovery tools due to the high cost of data storage.

As financial institutions and even law enforcement bodies move to cloud usage for their operations, their workers are already enjoying flexibility and the organisations are benefiting from lower costs. It only makes sense that disclosure and document interrogation platforms follow suit. Watch this space.

Back to Technology Law Committee publications