Catalyst Repository Systems - Powering Complex Legal Matters

E-Discovery Search Blog

Technology, Techniques and Best Practices

NC Bar Goes Back to the Drawing Board on Cloud Ethics

One thing seems certain about the Ethics Committee of the North Carolina State Bar—it is trying hard to get its opinion right on the ethics of cloud computing.

In April 2010, the committee issued a proposed opinion that addressed the question of whether a law firm may ethically use Software as a Service in light of a lawyer’s duty to safeguard confidential client information and protect client property from destruction or loss. The opinion answered the question in the affirmative, “provided steps are taken effectively to minimize the risk of inadvertent or unauthorized disclosure of confidential client information and to protect client property, including file information, from risk of loss.”

The proposed opinion generally elicited praise from lawyers who use cloud-based applications and from vendors that provide such applications. (See what we at Catalyst had to say about it in two posts, The Legal Ethics of Cloud Computing and N.C. Ethics Opinion on SaaS Merits Broader Inquiry.) But after putting the proposed opinion out for public comment, the Ethics Committee withdrew it and, on April 21, 2011, filed a revised proposed opinion (Proposed 2011 Formal Ethics Opinion 6).

While this second proposed opinion again endorsed lawyers’ use of cloud computing, it also proposed minimum requirements a lawyer should adhere to in selecting a cloud provider. This time, the comments were less favorable, with many in the legal computing community arguing that the requirements were so onerous as to effectively block the use of many cloud applications. On behalf of several cloud vendors, the Legal Cloud Computing Association filed written comments objecting to the proposed opinion. The comments said:

[W]e believe that the additional minimum requirements imposed on lawyers as mandatory requirements will, as a practical matter, limit the ability of North Carolina lawyers to use cloud computing services in their practices, causing North Carolina’s lawyers to become less competitive with lawyers from other states.

Rather than “mandatory requirements”, we believe that it makes more sense to establish basic principles and suggested guidelines, leaving to the individual attorney to use their best judgment to exercise reasonable care under the particular circumstances of their practice, in choosing a SaaS provider.

The International Legal Technology Standards Organization also filed comments opposing the proposed opinion, as did a number of individual attorneys.

Against this backdrop, the Ethics Committee recently voted to send the proposed opinion back to the subcommittee that drafted it, according to North Carolina lawyer Stephanie Kimbro, in a post at her blog Virtual Law Practice. The subcommittee will reconsider the opinion in light of the comments that were filed. The outcome of the reconsideration should be known by the end of October, Kimbro said.

What Does this Mean for E-Discovery in the Cloud?

The short answer to that question is: Not much. Let me explain.

The objections to the proposed opinion focused on the fairly rigorous vetting process it required lawyers to go through before entrusting client data to a cloud provider. The opinion would require a lawyer, for example, to investigate the vendor’s financial stability and review its security audits. This was seen as unfair to solo and small firm lawyers in particular, who would have neither the time nor the resources to follow each of the recommended steps. Even if a lawyer was in a position to follow each of the steps, getting all the required information would be virtually impossible from consumer-focused vendors such as Google or Dropbox.

By contrast, with regard to e-discovery, the opinion’s proposed requirements make perfect sense. A lawyer selecting a cloud provider to serve as a hosting and review platform for litigation documents would be remiss not to engage in this sort of vetting process. Further, any established e-discovery vendor will be prepared for just such an inquiry and will have due-diligence documentation readily available regarding its security, systems and facilities.

I’ve read some criticism of one aspect of the proposed rule that would require lawyers to look into the financial history and stability of the SaaS vendor. Granted, vendors are not likely to want to share all their financials with every lawyer who asks. But I do not believe that this is what the rule envisions. Surely, the rule was not intended to require lawyers to dig into a company’s finances beyond information that is publicly available.

My friend and fellow Boston College Law School alumnus Erik Mazzone made a similar point in his post about this latest proposed opinion. Mazzone, who is director of the Center for Practice Management at the North Carolina Bar Association (a separate entity from the State Bar), highlights one of the opinion’s proposed requirements as worthy of particularly close attention:

The agreement with the vendor must specify that firm’s data will be hosted only within a specified geographic area. If by agreement the data is hosted outside of the United States, the law firm must determine that the hosting jurisdiction has privacy laws, data security laws, and protections against unlawful search and seizure that are as rigorous as those of the United States and the state of North Carolina.

This could be a real problem with respect to vendors who do not focus on the legal market, Mazzone writes. Major vendors such as Google, Dropbox and Evernote are not likely to change where their data is hosted in response to one state’s ethics requirements, he argues. At the same time, he writes, “I expect that this provision will not cause a great deal of difficulty for the legal-specific … cloud software out there.”

His point about legal-specific cloud software is particularly true within the context of e-discovery. Here again, a lawyer would be remiss not to pin down at least the country in which the data will be hosted. The physical location of the data can implicate the host country’s privacy and security laws, regardless of where the company that owns the data is headquartered or of where the litigation is situated. That could open a can of worms separate and apart from the litigation at hand.

The North Carolina Bar should be commended for the careful thought and study it is devoting to this issue. We will look forward to seeing what comes of this latest reconsideration. Meanwhile, within the very specific context of e-discovery in the cloud, we are confident that established practitioners and established vendors already adhere to the most rigid of policies and practices. In e-discovery, the confidentiality and security of client data is already a matter of the highest order.

NIST Issues Draft Recommendations on Cloud Computing

Earlier this month, the Computer Security Division of the National Institute of Standards and Technology (NIST) issued draft recommendations on cloud computing (PDF). As many of you know, NIST is an agency of the U.S. Department of Commerce. Founded in 1901, the agency was the nation’s first physical science research laboratory.

In the e-discovery field, we know it better for its list of 65 million hash values of system and program files (the “NIST” list). We use the list to remove unwanted files before we process documents and other data. The NIST list is the gold standard for our industry and we use it every day.

NIST is involved in many other areas of inquiry, including the International System of Units (as discussed in my recent post, How Many Bytes in a Gigabyte? My Answer Might Surprise You). It also recently issued draft guidelines on security and privacy in cloud computing and launched the NIST Cloud Computing Collaboration wiki to encourage collaboration in refining its cloud standards.

What is Cloud Computing?

In the 84-page draft, Cloud Computing Synopsis and Recommendations, published May 12, the NIST team set out to write a primer on the cloud—types, deployment models, service models, cloud security and, ultimately, the benefits of cloud computing. They start with NIST’s definition of cloud computing, which is tricky because:

Cloud computing is not a single kind of system, but instead spans a spectrum of underlying technologies, configuration possibilities, service models, and deployment models.

Thus, while the term “cloud” is often used as a synonym for the Internet, cloud computing means more than simply the transmission of data over the Internet.

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

According to the NIST definition, cloud computing has five essential characteristics:

  • On-demand self service.
  • Broad network access.
  • Resource pooling.
  • Rapid elasticity.
  • Measured service.

Following this logic, one could argue either way for many of the e-discovery providers who bill themselves as cloud providers. While they may offer a hosted product via the Internet, they may not meet NIST’s requirements for on-demand self service, resource pooling and rapid elasticity.

There are several service models for cloud computing, each with different strengths and weaknesses:

  1. Cloud Software as a Service (SaaS): Cloud e-discovery providers would fall under this category. They offer a product accessible via a browser but manage the underlying infrastructure including network, servers, operating system, storage and applications.
  2. Cloud Platform as a Service (PaaS): This allows consumers to deploy their applications on top of a cloud infrastructure.
  3. Cloud Infrastructure as a Service (IaaS): Consumers essentially rent the infrastructure but determine their own software and even the OS they will use.

NIST's depiction of how control is shared in a SaaS model.

There are also four different deployment models for cloud computing:

  1. Private cloud: This refers to infrastructure that is operated solely for one organization. It may be managed by a third party but is dedicated to that purpose.
  2. Community cloud: In this case, a group of users provision a cloud infrastructure for a common purpose.
  3. Public cloud: Here, the infrastructure is made available to the general public, although owned by the organization selling the service.
  4. Hybrid cloud: This would be a combination of two or more clouds (private, community or public) that are connected by technology that allows data or application portability.

Why Read the Guidelines

If you are considering the cloud for any of your applications, this is a helpful document. The authors discuss operational characteristics, standards for service-level agreements and security considerations. Ultimately, they talk about the benefits of cloud computing and why organizations like law firms and corporations might consider it.

Cloud computing is relatively new to the legal community, as it is to the rest of the business world. Why use it? Here is the NIST view:

In outsourced and public deployment models, cloud computing provides convenient rental of computing resources: users pay service charges while using a service but need not pay large up-front acquisition costs to build a computing infrastructure. … By using an elastic cloud, customers may be able to avoid excessive costs from overprovisioning, i.e., building enough capacity for peak demand and then not using the capacity in non-peak periods.

Earlier this year, we dumped our Exchange servers in favor of Gmail (via Google Apps). There was some grumbling at first but the transition was a success. The service has worked as well as Exchange, the product is continually updated and we don’t have to worry about hardware or software upgrades. Although email is critical to our business, it isn’t one of our core services. So why run it ourselves? Turns out we don’t need to and we get the added benefit of Google Docs, Google Calendar and other features.

Is it right for you? I would give it a good look the next time you think about upgrading or switching providers. It is the way the computing world seems to be going.

As for NIST’s draft guide to cloud computing, the agency is seeking comments from the public. The U.S. government’s CIO has asked NIST to lead federal efforts on developing standards for data portability, cloud interoperability and security. The goal, according to NIST, “is to help the federal government reap the benefits of cloud computing.” Comments must be submitted by June 13.

The Cloud Lets Consumers Concentrate on Service Instead of Servers

Recently, the chief information officer of the United States, Vivek Kundra, published a policy document “intended to accelerate the pace at which the government will realize the value of cloud computing.” Kundra’s Federal Cloud Computing Strategy (PDF) is a ringing endorsement of the cloud, as its opening words indicate:

The Federal Government’s current Information Technology (IT) environment is characterized by low asset utilization, a fragmented demand for resources, duplicative systems, environments which are difficult to manage, and long procurement lead times. These inefficiencies negatively impact the Federal Government’s ability to serve the American public.

Cloud computing has the potential to play a major part in addressing these inefficiencies and improving government service delivery. The cloud computing model can significantly help agencies grappling with the need to provide highly reliable, innovative services quickly despite resource constraints.

A few paragraphs later, Kundra says this:

By leveraging shared infrastructure and economies of scale, cloud computing presents a compelling business model for Federal leadership. Organizations will be able to measure and pay for only the IT resources they consume, increase or decrease their usage to match requirements and budget constraints, and leverage the shared underlying capacity of IT resources via a network.  Resources needed to support mission critical capabilities can be provisioned more rapidly and with minimal overhead and routine provider interaction.

Everything I’ve quoted above and much of the rest of this report applies to the private sector as much as to the public sector. The report deserves close study and I plan to delve into it in more detail in later posts.

But I wanted to highlight something in the report that, for me, sums up the advantage of cloud computing over traditional computing environments. In a section on how to provision cloud services effectively, Kundra writes:

To effectively provision selected IT services, agencies will need to rethink their processes as provisioning services rather than simply contracting assets.  Contracts that previously focused on metrics such as number of servers and network bandwidth now should focus on the quality of service fulfillment.

The cloud changes the equation for contracting IT resources, Kundra is saying. Most notably, he is suggesting that the primary focus in selecting a provider should no longer be on “metrics,” but on “service.”

Thinking of Software as a Service

What does he mean by that? I can’t presume to speak for Kundra, but I can tell you what I think he means.

Applications delivered via the cloud are often referred to by the name “Software as a Service.” The consumer has a need and the software serves that need. The important distinction is that SaaS enables the consumer to focus on the need, not the technology. Rather than first having to wrestle with finding and installing the right hardware and software, the consumer is able to get directly to the business at hand.

In 2005, just after Ray Ozzie became CTO for Microsoft, he circulated a memo to top executives that he titled, The Internet Services Disruption. He described the movement towards SaaS (and Microsoft’s need to follow suit), and he summed up the movement this way:

The ubiquity of broadband and wireless networking has changed the nature of how people interact, and they’re increasingly drawn toward the simplicity of services and service-enabled software that ‘just works’.  Businesses are increasingly considering what services-based economics of scale might do to help them reduce infrastructure costs or deploy solutions as-needed and on subscription basis.

Software that “just works,” as Ozzie put it, is the best description I’ve seen of SaaS. Another description he uses frequently is “seamless” — seamless productivity, seamless communications, seamless solutions, seamless IT. The consumer has a problem to solve or a task to do and just wants something that will deliver the service of enabling it to be done.

To my reading, this is Kundra’s message to government agencies about the cloud. The cloud lets you focus on the service you need delivered — the task you need done, the problem you need solved — without having to get hung up on the metrics and logistics of how it will be delivered.

E-discovery provides the perfect illustration of the power of the cloud to deliver the services clients need. A product such as Catalyst CR is available to clients on-demand. When clients face a discovery deadline or an investigation, they can get up and running immediately. The application is scalable to virtually any size project, is powered by a grid of hundreds of servers, and can be used by anybody with an Internet connection anywhere in the world. Rather than be sidetracked by worrying about what appliances to buy or software to install, the client starts directly on meeting its deadline.

As Kundra puts it, “Cloud computing will require a new way of thinking to reflect a service-based focus rather than an asset-based focus.” For consumers, that is a way of thinking that is long overdue.

Gartner Study Endorses E-Discovery in the Cloud

When it comes to e-discovery software, “the cloud” has now landed on terra firma. That is the conclusion of a just-released Gartner research study that says e-discovery software should no longer be divided into on-premises enterprise products and those delivered through the cloud as software as a service (SaaS).

For lawyers and legal professionals who are in the market for e-discovery software, the Gartner research has three important implications.

1. E-discovery software should be evaluated based not on where it resides, but on the functionality it offers. In this regard, SaaS provides clear advantages over enterprise software, particularly with regard to the functions that fall on the right side of the Electronic Discovery Reference Model (processing, review, analysis, production and presentation). As the study explains:

“SaaS offers benefits that on-premises software or appliances cannot, in terms of swift upgrades and feature addition. Enterprises that select a vendor for any aspect of the EDRM will find it easier to expand their use of a vendor through unlocking access to more capabilities, and enterprises that want to collaborate with users outside their firewalls — … a very large portion of companies in litigation and regulatory processes — will find SaaS a more effective way to accomplish such a goal. And when lawyers or legal-IT liaisons require access to functionality to handle cases swiftly, SaaS or a hybrid model allowing features to be added simply will also find a variety of delivery models valuable.”

2. “In house” does not require “on premises.” Even as enterprises take more of their e-discovery work in-house, that does not mean they have to host the software and processes on premises. If the reason for bringing e-discovery processes in-house is to achieve greater control and predictability, the cloud enables that while also offering greater flexibility. To quote the study:

“In-house development and management of information governance policy is essential but the delivery of these policies can happen anywhere, including in the cloud. Taking ownership of the process and reducing spend with outside service providers and, ultimately, with outside legal counsel is the necessary step that must be taken to reduce cost. Today’s range of alternative delivery models allow process ownership to be in the enterprise, while process delivery can be anywhere.”

3. Data increasingly lives in the cloud. Companies are increasingly using cloud-based services for e-mail, word processing and spreadsheets, the study says. In fact, the latter two are the fastest-growing markets for SaaS, with compound annual growth rates of 34.3% and 44.5%, respectively, Gartner’s research shows. Since these are the three most important targets of discovery and regulatory investigations, “that means that the discovery of them will need to take place in a SaaS model as well,” the report says.

Given these implications, Gartner recommends that enterprises select e-discovery vendors “based on the ability to flexibly address various delivery models, including even those the enterprises may not require immediately.” Increasingly, this study suggests, those vendors are to be found in the cloud.

The research report, “E-Discovery SaaS and On-Premises Software Converge at Vendors as They Mature,” was published on July 29 (Publication ID Number G00201052). (There is no Web link to the full research report.)