Williams Mullen: E-Discovery & Information Governance - What Is 'The Cloud' And Should I Store My Company's Data There?

By Monica McCarroll 

"The Cloud" is everywhere these days - Microsoft has a clever ad campaign directing consumers "to the Cloud"; Apple is launching "iCloud" to store all of your music, pictures and apps; and Google Docs has partnered with to simplify sharing documents by using "the Cloud".  So what exactly is "the Cloud", and should you move your company's data there? 

"The Cloud" generally refers to cloud computing and is something most of us are doing everyday, perhaps without even knowing it.  When you send an email from your personal Yahoo! account, share your photos using Flickr, or pay your bills via online banking, you are using "the Cloud".  In more technical terms, there generally are three service models for cloud computing:  Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS).  IaaS and PaaS are similar in what they offer, namely, the "outsourcing of equipment or hardware to support IT operations," but differ in terms of who is responsible for the configuration and maintenance of the operating system.  With IaaS, it is the cloud user who handles those functions; with PaaS, it is the cloud provider who manages them.[1]  The third model, SaaS, is the one most of us are familiar with.  A third-party provider hosts applications or programs and makes them available over a network, usually the Internet.  While the efficiency and cost-savings associated with cloud computing in one form or another are self-evident, there are some legal issues you should consider before making the move. 

Data security is a hot-button issue in this age of WikiLeaks and must be considered before moving sensitive business files to the Cloud.  It is important that any cloud user understand not only how your provider protects your files, including who has access to those files at any given time, but also how your provider will notify you if there is a data breach, as well as what steps it will take, and when, to rectify that breach.   

Another critical question is how do you ensure that data stored in the Cloud complies with your information governance policy?  More specifically, when your company's record retention policy dictates that a certain document or type of document should be destroyed, how can you verify that every copy of that document (including those stored on your cloud provider's back-up systems, wherever they may be located) has been destroyed as well?   

Yet another issue to explore before you engage your cloud provider is understanding how you will get your data out of the Cloud once you move it there.  In the event of litigation, you will have an obligation not only to preserve potentially relevant evidence, but also to identify responsive information and ultimately produce it to your opponent.  The fact that you have stored your emails and other electronic files with a third-party does not change your discovery obligations, so it is prudent to understand the process, cost and timing related to retrieving information well in advance of the tight deadlines imposed by litigation.  

While there are potential risks in moving data to the Cloud, when you identify and address these risks at the outset, you can mitigate their impact and fully enjoy the benefits of efficiency, scalability and cost-savings that cloud providers are able to deliver. 

For more information about this topic, please contact Monica McCarroll, 804.420.6444 or, or any member of the e-Discovery and Information Governance team.

[1] Bennett B. Borden and Shannon Smith, "Understanding and Mitigating the Legal Risks of Cloud Computing", Vol. 26, No. 2, The Corporate Counselor (June 2011).

Williams Mullen

With approximately 300 attorneys practicing in over 30 practice areas, Williams Mullen provides comprehensive legal services to regional, national and international clients. Their clients include multinational Fortune 500 companies, private family-owned businesses, nonprofit organizations and government entities.  From offices in North Carolina, Virginia, Washington D.C. and London, Williams Mullen attorneys bring skills and experience to solving the legal needs of their diverse client base.

Please note:
This newsletter contains general, condensed summaries of actual legal matters, statutes and opinions for information purposes. It is not meant to be and should not be construed as legal advice. Readers with particular needs on specific issues should retain the services of competent counsel. For more information, please visit our website at or contact Bennett B. Borden, 804.420.6563 or ; Monica McCarroll, 804.420.6444 or; or Jay Brudz, 202.293.8137 or For mailing list inquiries or to be removed from this mailing list, please contact Julie Layne at or 804.420.6311.

For more information about LexisNexis products and solutions, connect with us through our corporate site.