Cloud computing is getting a lot of traction in a time of shrinking budgets. Industry experts speaking at NASSCOM 2011 are expecting cloud based services to be roughly a quarter of the outsourcing industry over the next two years.
So the business team is ready to move everything to the cloud. “But wait,” says the General Counsel, “if someone else has our email what happens if they get served with a subpoena? They won’t protect our information the same way we would.”
While there is no case law directly addressing discovery of corporate email held by cloud providers, there are some instructive analogs found in cases involving third-party email providers under the Stored Communications Act (“SCA”) and in cases addressing the concept of “control” under US Federal regulations that should be considered by large corporations thinking of migrating email to the cloud.
In general, courts have held that the SCA prohibits third-party email service providers from disclosing without authorization the contents of users’ email accounts, even to comply with civil subpoenas.
The Stored Communications Act
A pair of cases provide some insight into the analysis courts have applied in these situations. Like most cases in this area, the courts in these example cases have presumed that third parties cannot be compelled to disclose electronic communications pursuant to a civil subpoena and have, instead, focused on whether email account holders who are parties in the underlying litigation can be ordered to authorize access to their email accounts, despite the SCA.
Thayer v. Chiczewski, (N.D. Ill. Sept. 11, 2009) was a civil rights suit against the city of Chicago in which the city served a subpoena on AOL seeking production of several of the the plaintiff’s emails. Contrary to general practice, the court granted the motion over the objections of both the plaintiff and AOL.
The Thayer court first acknowledged that the SCA usually prevents enforcement of such civil subpoenas against third parties, stating,
“The Court agrees that, although decisions analyzing the SCA have defined its parameters in sometimes competing ways, most courts have concluded that third parties cannot be compelled to disclose electronic communications pursuant to a civil-as opposed to criminal-discovery subpoena.”
However, the court went on to state that because the plaintiff would be required to produce relevant emails if he were in possession of them, and AOL would be obliged to produce the emails at the plaintiff’s request, the emails were under the plaintiff’s “control” for discovery purposes. The court noted that the plaintiff had authorized the production of at least one email and had put his mental state at the time of the relevant events at issue (which arguably would be shown by contemporaneous emails), thus, the court assumed that the plaintiff had authorized disclosure of all of his relevant emails.
Another recent case concerning the SCA and third-party email providers that provides a consistent approach is Chasten v. Franklin, No. C10-80205 MISC JW (HRL), 2010 WL 4065606 (N.D. Cal. Oct. 14, 2010). Chasten involved a defendant in a civil rights case serving on Yahoo a subpoena seeking the plaintiff’s emails. The plaintiff argued that the SCA prohibited Yahoo from disclosing his emails, and the court agreed and quashed the subpoena stating, “Because no exception applies, compliance with the [third-party] subpoena would be an invasion of the specific interests that the SCA seeks to protect.” Unlike the court in Thayer, the Chasten court did not examine whether the plaintiff could or should be ordered to consent to Yahoo producing the emails. The court’s failure to discuss whether the email account holder could be forced to consent to the emails’ disclosure was unique among courts that have considered the question.
For a more detailed looked at how courts have handled subpoenas in these situations, see Taking Corporate email to the Cloud: The Stored Communications Act and Control.