Entries in Legal (4)


"legal obligation to delete" in the Cloud

David Navetta, Esq. CIPP, has published an interesting blog post on the topic of Legal Implications of Cloud Computing.

Mr. Navetta emphasize the need to understand the increasingly complex and interlocking relationships in the Cloud:

The party with whom a company is dealing will often not be the party actually processing data or providing computing services.  This poses compliance challenges (e.g. how to perform/show due diligence) and  contracting challenges (e.g. how to obtain/enforce contractual rights / remedies when one or two layers removed from the company actually doing the processing).

The blog post also highlights the need for proper data retention and destruction policies.

What if the SaaS provider is working on a Cloud Platform that creates residual copies of data that the Cloud User has a legal obligation to delete? What if the SaaS provider works with a Cloud Platform that does not have the technology or capability to properly wipe data? Even if the Cloud Platform has these capabilities, what if the SaaS provider has not negotiated for the right to obtain these services?

My thoughts on Legal Obligation to Delete:

Internet has created a world where "absolute destruction" of data is not easy to achieve. Even when the services are hosted in-house, this type of data destruction is not possible. There could be replicas, backups, off-site backups, DR backups, user created offline replicas, user archives and even printed copies.

I think what is a more achievable is delete in context. Data that loses its context, loses its meaning and is not of much use. So going back to Cloud Services, when I delete an email from my SaaS powered Inbox, the SaaS provider may still have some residual "Sharded" copies of the data. But these residual copies have completely lost their context. And as you traverse down the layers of Cloud Service aggregators (Saas –> PaaS –> IaaS), this residual data becomes more and more meaningless. Re-animating an email from this sharded residual data would be like trying to re-construct a needle by searching for its pieces in a haystack! :-)


i.e., to wit, e.g., in lieu

A letter to a lawyer as dictated by Groucho Marx:

Now then. In re yours of the fifth inst., yours to hand, and beg to rep, brackets, that we have gone over the ground carefully and we seem to believe, i.e., to wit, e.g., in lieu, that, despite all our precautionary measures which have been involved, we seem to believe that it is hardly necessary for us to proceed unless we receive an ipso facto that is not negligible at this moment, quotes, unquotes and quotes.

Hoping this finds you, I beg to remain...as of June 9, cordially yours.


Note: This is the first known use of quotes, unquotes.......

Another letter to a lawyer as dictated by Groucho Marx:

Honorable Charles D. Hungerdunger
c/o Hungerdunger, Hungerdunger & McCormick


In re yours of the 5th inst, yours to hand and in reply, I wish to state that the judiciary expenditures of this year, i.e., has not exceeded the fiscal year—brackets—this procedure is problematic and with nullifcation will give us a subsidiary indictment and priority. Quotes unquotes and quotes.

Hoping this finds you, I beg to remain as of June 9th, Cordially, Respectfully,



  1. Armstrong, S. V., & Terrell, T. P. (2003). Thinking Like a Writer: A Lawyer's Guide to Writing and Editing (2nd edition.). Practising Law Institute.

Origins of the phrase "Gentlemen: Yours to hand, and, In reply......."

In this context Yours means your letter, i.e., the letter you sent.

to hand means: within reach, accessible, at hand.
at hand means: within easy reach; near; close by

So the meaning would be:

  • "I have received your letter and in reply to it..." ; or
  • "I have your letter right here beside me (to hand, at hand), and in reply. . ."; or
  • "I have your letter in hand, and I'm replying."

Thanks to Peter Duncanson, Pat Durkin, and Wayne Schiess for providing the explanation of this formal phrase.

If you have information about the origins of the phrase, please share them as comments. Thanks.


Notes from RSA 2008 San Francisco

This year I attended the Law and Liability sessions at RSA. Sessions with U.S. Magistrate Judge John Facciola, Howard W. Cox (Assistant Deputy Chief, US Dept. of Justice), Steven Teppler (Attorney, Florida), and Randy V. Sabett (Attorney, Washington, D.C) were extremely interesting.

Here are some of my notes from various session. (Note: Special thanks to Steven Teppler for reviewing the accuracy of my notes, and making necessary updates).

e-discovery: discovery in civil litigation which deals with information in electronic form 

  1. An unprepared organization can be crippled with an e-discovery request. Advance planning early in the ILM can reduce or minimize e-Discovery pain.
  2. Preserve all data (email, databases etc) that may be relevant, or which may lead to relevant evidence once you get a notice of e-discovery OR legal hold OR are aware of a pending litigation. Asking your lawyer for advice before taking any action is a good idea.
  3. Don't wait to stop all automated relevant document deletion after an e-discovery notice has been received. Your duty to stop routine and systematic document destruction is triggered by the filing of a lawsuit (way in advance of discovery) and might under certain circumstances be triggered even in advance of a lawsuit.
  4. Destroying evidence by mistake is like "killing your parents and then throwing yourself on the mercy of the court because you're an orphan" (Magistrate Facciola)
  5. A digital record is no longer just a digital record, it is a potential evidence in a lawsuit.
  6. Many companies tend to settle out of the court in fear of burdensome costs of litigation, now including e-discovery. However, Settlement is NOT Justice (Magistrate Facciola).

Knowing Disregard (i.e. purposely not learning (ignoring) about an unlawful activity) => is same as knowing and not disclosing.

Overloading your organization with regulations and policies (PCI, SOX etc) results in loss of intelligence and creativity. Complying to the policies like PCI is important but do not make them the linchpin of the security of your organization. Be creative in securing your infrastructure. Complying to PCI, for example, may avert a lawsuit against you but it will not protect your reputation is case of a security breach. Sometimes these enforcement of these regulations create a false sense of security. False Confidence = Complacency.

beyond reasonable doubt ≠ mathematical certainty

Fact is a psychological construct

Habeas Data: right to own data. You own the information about yourself (Personally Identifiable Information (PII))

Safe Harbor Act also known as the European Union Data Protection Directive

  1. The act prohibits the transfer of personal data to non-European Union nations that do not meet the European "adequacy" standard for privacy protection.
  2. US based companies should try to obtain Safe Harbor Certifications
  3. Slightly higher standard than California Privacy Laws. Somewhere between EU and US
  4. Requires you to do the work up-front. 6 months - 1 year of work required. Annual re-certification required
  5. Attaining Safe Harbor certification elevates reputation of the company

Other topics discussed:
18 USC Section 1960
Software Independent Voting systems. i.e. machine that implement measures that are independent of the software e.g. paper-trail.