In the Cloud: DOJ Issues New Guidance for Collecting Stored Data
The Justice Department is changing its approach to collecting data stored in the cloud.
That’s the upshot of new DOJ guidance for criminal investigations issued late last month. The guidance, from the DOJ’s Computer Crime and Intellectual Property Section of the Criminal Division, tells prosecutors to go directly to organizations when seeking access to their data rather than to the cloud service providers hosting the information.
Collecting data stored in the cloud comes with unique challenges, according to the guidance. In particular, when the government only requires a subset of information stored in the cloud by an enterprise, such as the email accounts of several employees or information about a particular set of transactions, it is difficult to obtain that specific data from cloud-storage providers without also collecting other, non-relevant data. The guidance notes that overcollection is an issue in many investigations.
Cloud storage services have other limitations as well. Some providers may not possess the capability to preserve and disclose information or may not have full access to an enterprise’s data (for example, where an enterprise encrypts data before transmitting it to the cloud). To avoid these problems and limitations, the guidance advises prosecutors to seek data from enterprises when doing so would not compromise the investigation.
And in such cases, the guidance offers specific advice for approaching an enterprise directly. Identifying a legal contact in the organization to assist with collecting the data is key. That individual should be able to assist law enforcement in securing relevant information and, benefitting the enterprise, interpose privilege or other objections to its collection. Failure to have such a contact in the organization is a reason to seek data from the enterprise’s cloud-service provider rather than the entity, according to the guidance. So, too, is an inability—because of technological or personnel competence—to isolate or disclose requested information.
Of course, in some criminal investigations there are dangers to approaching an entity directly. For example, an employee, alerted to the document request, could improperly destroy data. To mitigate this risk, the guidance suggests contacting the enterprise’s cloud-service provider before approaching the enterprise and requesting the provider preserve data under 18 U.S.C. § 2703(f), which instructs a provider to preserve records in its possession for a period of 90 days upon the government’s request. Using this approach, a prosecutor can seek documents directly from the enterprise—obtaining the benefits of working with an enterprise—while also protecting potential evidence relevant to the investigation.