Given how much you rely on SaaS, how do you even know the data is actually gone? Come discovery, I'd expect you'd find it's a lot more permanent and exposed than you expect.
Worrying about privacy while using SaaS seems to be missing the forest for a single small tree.
Not really, and there is a ton of case law on the topic. The way (civil) discovery works makes the SaaS concern far less of an issue.
Civil cases are NOT criminal or national security -- this is not the CIA, it is not a secret court, it is not being tapped... it doesn't even rise to the level of a search warrant. It is up to the party being requested on to produce the documents. So, if we get a discovery request, we have to deliver the documents to fulfill it.
For example, we have an automatic email cleanup after 90 days -- both technically, and in policy. This means if we are served with discovery, we can show the policy, show we have taken steps to follow our policy and produce the last 90 days of email. Same goes for Hipchat logs.
Now, they could make some crazy play to extend discovery to Google or Atlassian. There are a couple problems with this, the first of which is such an insanely broad request would be flat out denied as fishing. If it wasn't, they would fight it kicking and screaming because they don't want to be involved in every civil case of every one of their clients. They then would have to actually have the data, which in the no logging situation, hopefully they never had.
Discovery is often used as a tool of attrition, to wear down the guy with the smaller wallet -- run lean (by policy and design) and if you ever get a request for discovery -- you can fulfill it quickly and completely.
> Now, they could make some crazy play to extend discovery to Google or Atlassian ... Discovery is often used as a tool of attrition, to wear down the guy with the smaller wallet
Not that crazy. If the data exists, the fact that it's on a cloud vendor's backup tape is your problem.
On a technical level, I can understand your concerns. I am a developer, and it took me some time to get my head around how it works. But, the bottom line is -- it IS that crazy.
Discovery isn't what you would think from popular culture ... if you served my company with a discovery request, "we" (all the lawyers and companies) would have a meeting about it -- you would want to extend your grasp, we would look to shrink it. Most of the time, you would end up with something like "All emails about 'blue paint' between April 2011 and March 2012". Then it is up to ME and my company to find all those emails and provide them to you. Even knowing my email provider would likely be outside the scope. Discovery isn't to FIND a civil issue, it is to find evidence of one already filed issue, so fishing is explicitly not allowed.
Corporate policies are a huge part of the discovery process, what makes it hellish is when you have NO policy around something (like email) because then you have to provide data or prove you don't have it. Our proof is our policy and technical measures.
Our lack of recording data (logging) IS our record management strategy (and a wholly valid one) that massively reduces our costs if we ever get sued.
The "cloud vendor's backup tape" is largely a straw man brought up by engineers rather than lawyers, I think I may have been guilty of bringing it up prior to learning about the discovery process.
It's more expensive and more complicated, but it's not crazy.
To quote the article "Stay tuned – this is a fight that will happen over and over again, and there will be more guidance provided by the courts in the coming years."
As long as the data exists, there's a very real risk someone is going to want it. If it's managed by an off-the-shelf SaaS vendor, where and how that data exists is entirely outside your control.
That article basically agrees with me. Additionally -- notice how it doesn't point to explicit existing examples, but implies "future problems" -- as did the 2006 article.
"In the vast majority of cases, cloud data that is accessible by the end-user will meet discovery needs and obligations."
and
(regarding going after cloud providers) "Serving a subpoena and ensuring compliance can be challenging and potentially expensive. Whether such efforts are worth the expense and effort will depend on the specific needs of each case. Cloud providers are likely to resist compliance with a subpoena under provisions of Title II of the Electronic Communications Privacy Act, otherwise known as the Stored Communications Act (“SCA”)."
Additionally, a director at http://tsemerge.com/ is hardly an unbiased, reality-oriented 3rd party. The more scared you are -- and the more complex it seems -- the more likely you are to hire them.
As for "Cloud providers are likely to resist", I dare say what's more likely to resist is controlling your own data and simply not having it stored anywhere in the first place.
Worrying about privacy while using SaaS seems to be missing the forest for a single small tree.