E-discovery and the cloud server: Issue and strategies

Issue November/December 2017 By Judith F. Albright
Health Law Section Review

Once upon a time, your primary care provider likely kept your paper chart in an untidy pile on his desk for a week or more after your last visit, until he had time to complete his charting. Then it went in an (often unlocked) file cabinet behind the front desk. If you wanted a copy, you had to wait for someone to pull that chart and photocopy each page, by hand. No one would ever want to steal it, because it would never occur to them and also because they would have to drive to your doctor’s office late at night and break in with a crowbar. If you decided to sue your doctor, your lawyer would ask to see the original chart, and make additional copies of any missing pieces not produced (and there always were). The storied “doctor’s handwriting” was the blow that killed the defense of many a health care provider when key entries were illegible — including to the doctor himself when reviewed years later in the context of litigation.

Those days are long gone. The American Reinvestment and Recovery Act required most health care providers to have “meaningful use” of electronic health records (“EHR”) in place by 2014 in order to maintain reimbursement in Medicare, Medicaid, and other government reimbursement programs. See 45 CFR Part 170. By 2015, most states required “meaningful use” or “EHR competence” for physicians to renew their licenses. See, e.g., MGL c. 112 sec. 2; 243 CMR 2.01 (1)(l). So, what do these requirements mean for discovery in civil litigation involving health care providers and institutions? It means the genie is out of the bottle, and not going back in.

The scope of discovery has included electronic data, platforms, and embedded data (“metadata”) for several years. Counsel, too, are now required to have basic competence in dealing with electronic mediums. (https://bbopublic.blob.core.windows.net/web/f/pr13-21.pdf). All litigators are familiar with the use (and occasional abuse) of the “litigation hold” for electronic data. The current Massachusetts Rules of Civil Procedure include specific standards for the scope and process of electronic discovery, and have since 2014. See Mass. R. Civ. P. 26(f). As the ways in which society in general, and health care providers in particular, manage electronic data evolves, so too do the problems and complexities of electronic discovery.

What does the advent of the cloud server mean? Whether you are an adverse party notifying an opponent of a hold, or attempting to execute a hold yourself, the involvement of a cloud server raises the question of who owns the hardware, the software, and who is responsible for executing the hold on the data itself.

The cloud does not exist. When you put data in the cloud, you are simply renting space on someone else’s server. Cloud servers are owned and operated by vendors, who generally have a contractual relationship with the owners of the data they service. Those contracts, just like the contract you have with your cell phone service, may outline responsibilities for data management. In the absence of an express contractual term, whoever holds the data in their physical possession (the owner of the server) should be the subject of the hold.

However, some cloud vendor contracts carve out the issue of electronic discovery. Vendors may hand the responsibility for litigation holds and data preservation back to the end-user, by contractual term. As an example, there are “hold” functions within Microsoft Office 365 that will allow the end-user to lock individual mailboxes. There is also a “protect” function which allows an administrator at a higher level to prevent override or alteration of the lock. Many litigation holds, however, include in their scope, existing or as yet to be created back-ups.

What are back-ups, and why do they matter in the context of discovery? Your server, including your e-mail server, makes copies of itself at regular intervals so that information can be recovered in the event of a data loss. In litigation, you or your opponent may want to compare back-ups generated over time, or compare the original document on a back-up to the final document. As an example, think about a discharge report in a medical malpractice case: someone might want to see the content of the note 1) as dictated, 2) as transcribed, and 3) as signed, and compare changes over time.

Microsoft Office 365 back-ups are not available to the end user. Microsoft Office Exchange Server is the most common application, although SharePoint and Lync are also in use. Microsoft does perform “traditional backups” on these servers, however those backups are used only for internal purposes at Microsoft and only if they experience an “internal catastrophic event”. There is no function that allows an end-user of Microsoft Office 365 “to access back-ups,” and no mechanism for those end-users to back-up their own mailboxes. (Article published online at searchdatabackup.techtarget.com by Brien Posey, MCSE, September 2012). If your hold includes a cloud server with limited e-discovery capacity, or contractual limits on that capacity, your ability to execute or enforce the hold may be limited by the vendor terms.

Many jurisdictions, such as Massachusetts, have e-discovery rules that expressly address situations in which subject material is “unavailable,” and define that term. See Mass. R. Civ. P. 26 (f). However, that does not resolve the question of who “owns” the data. Some courts can be unforgiving.

An Ohio case involved data on a cloud server. Counsel represented that back-up copies of the data were “unavailable,” because the vendor owned the server and therefore the data and had declined, by contract term, to release it. The court held that because the defendant was not contractually prohibited from seeking those e-mails or backups, the representations made by their counsel that documents were “unavailable” were inaccurate and constituted a lack of due diligence (there were some other “bad facts” in this case not relevant here, which may have affected the tenor of the court). Importantly for our purposes, the court also noted “[t]he same would be true, of course, for other web-based applications; just because, for example, emails in a Google or Outlook account might be kept on a server owned or maintained by the email provider, it does not mean that the information in those emails belongs to the provider — just the opposite.” “Information,” of course would broadly include back-ups and metadata. The case seems to set out an affirmative duty to attempt to obtain data from vendors on demand; the scope of that duty is unclear. Brown v. Tellermate Holdings (S. D. Ohio, July 1, 2014).

When executing or evaluating a litigation hold, determine as soon as possible who is actually in physical possession of the data — then think about possession, custody and control for purposes of discovery. If you are executing the hold and believe back-ups may be within the scope of reasonable e-discovery in your matter, identify the host server and vendor as soon as possible. If a cloud server is involved, obtain the service contract for review. Get on the ground with your client as quickly as you can and document carefully what will be available, and what won’t. Consider whether efforts to secure back-ups — such as a subpoena to the vendor — may be advisable to demonstrate due diligence (even if you believe the vendor will fail to comply). Explore mechanisms for preserving data that parallels what would be on back-ups if they are unavailable, and involve e-discovery experts early if the size and/or complexity of your case warrant it. Approach opposing counsel early to set voluntary e-discovery parameters and constrain costs (encouraged in most jurisdictions), and remember: your client may “own” a chunk of the cloud she can’t readily access.

Other Articles in this Issue: