As a follow-up to the recent Microsoft Office 365 governance webinar we hosted with PwC, we’re answering some of the audience questions we got during the live event. For more question and answers about Office 365, click here for our other posts.
The cloud would most likely not reduce your risk of not knowing what you have. On one hand, there is an argument that the majority of your data would be stored in one place, which presumes the data is migrated. The only way to truly mitigate your risk is to have a fairly good idea of what you have. This means looking at ways to clean up your existing data stores whether they are going to be maintained on premise OR in the cloud, and establishing a go-forward strategy to ensure that the data is managed on a go forward basis.
Throughout most of the US, a party is responsible for knowing where their data is: the fact that it is with a third party provider does NOT alleviate such requirement. As decided in the GenOn Mid-Atlantic v Stone & Webster, Inc. case, General Counsel is responsible for identifying and preserving ALL information within the company’s “legal right and practical control,” even with third parties. In this case, the company GenOn had hired the third-party consultant, FTI, to conduct an audit on the parent company of Stone & Webster. Subsequently, FTI failed to produce some of the relevant data that had existed on backup tapes.
The judge noted, “To prevail on this argument, it is sufficient for Shaw to establish that GenOn had either the legal right or the practical ability to obtain FTI’s materials.” “…FTI’s materials related to the audit were within GenOn’s practical control. It follows that GenOn had a duty to ensure that those materials were adequately preserved.” (Emphasis added)
As to maintaining defensibility upon moving the data to the cloud, the only way to ensure defensibility is to know the answers to these questions:
- What data is being moved?
- Are there any restrictions in placing that data in the cloud, either regulatory or contractual?
- What is the process that is going to be used to migrate the data so as to ensure that the metadata is not modified?
- Does the organization have a clear understanding of where the data is going to be physically located within the cloud environment?
- What are the processes and costs to retrieve data from the cloud provider in the event of eDiscovery requirements or migrating the data out of the solution all together?