It’s All the Same, Just Different
Computer forensic experts, judges, lawyers, and eDiscovery practitioners alike are all facing the next big challenge when dealing with ESI. On the one hand, the new cloud infrastructure seems to hold a dizzying array of both promise and risks. On the other hand, some will argue that the cloud paradigm really does not change anything at all. In the end, both opinions are somewhat correct: eDiscovery and regulatory compliance issues are all fundamentally the same, but the cloud medium does threaten to pose a range of tactical and strategic challenges.
There is an issue that's looming that hasn't really been discussed or addressed yet. That is the role of governance for companies that are consuming the services versus the role of governance for companies that are providing the services. — Joe McKendrick, Independent Analyst and ZDNet Blogger (Gardner, 2009)
Before diving into the details surrounding cloud computing and the associated electronic challenges, it is worthwhile to examine where this relatively new discipline fits into the larger information governance infrastructure. While many of these definitions are still evolving, Gartner proffers the following definition of information governance:
Information governance is the specification of decision rights and an accountability framework to encourage desirable behavior in the valuation, creation, storage, use, archival and deletion of information. It includes the processes, roles, standards and metrics that ensure the effective and efficient use of information in enabling an organization to achieve its goals (Gartner, 2009).
Similarly, the EDRM organization has attempted to abstract upwards to include notions of governance in its newly promulgated Information Governance Reference Model (IGRM), shown in Figure 1, which purports to tie various legal duties to the underlying data assets (EDRM, 2011). The purpose here is not to conduct a deep dive into the IGRM but to show electronic discovery’s place in the larger landscape.
Figure 1. Information governance reference model (IGRM)
Regardless of which larger information governance umbrella is selected, there is a wide range of Records and Information Management (RIM) regimes that may apply to a given organization, depending on size, location, vertical orientation, and regulatory posture. These RIM imperatives include SEC Rule 17a-4, FINRA, Sarbanes-Oxley, HIPAA/HITECH, EU Data Protection Act, Stored Communications Act, State Privacy Protection Laws, Gramm-Leach-Bliley Act, Safe Harbor Rules, Dodd-Frank, etc. Beyond the above list there may ultimately be thousands of discrete mandates (at the local, state, and federal level) that govern how ESI must be retained and if and when it may be destroyed. As with electronic discovery, records management protocols are media independent and will almost universally apply to the content of the data asset, not to its media format or location.
Within this much larger information governance ecosystem, there exists the relatively new discipline of eDiscovery. As with the RIM regimes discussed above, the cloud storage paradigm does not fundamentally alter the legal duties, obligations, and requirements, but it may impact the tactics, costs, and speed at which such obligations can be met.