In December 2017, the US Department of Justice, Criminal Division’s Computer Crime and Intellectual Property Section (“DOJ”) released guidance for law enforcement to follow when seeking data stored by an entity with a cloud service provider. In short, DOJ suggests that prosecutors should seek data directly from the company, rather than its cloud service provider, so long as doing so will not compromise the investigation.
The guidance explains that the increase in the usage of cloud storage has created unique challenges in criminal investigations which can implicate information stored by individuals and organizations that are not targets of the investigation. While prosecutors have the legal authority to compel a cloud service provider to produce data belonging to its clients, there are potential downsides to doing so, such as the lengthier time often required to obtain the information and the potential for incomplete data collection. On the other hand, there are several potential benefits to seeking information directly from the company. Because many companies maintain primary control over data stored with a provider and are often better able to identify relevant subsets of data, seeking the data from the company may be the most efficient means of obtaining the necessary information. It also allows the company’s counsel the opportunity to interpose privilege and other objections to disclosure and parallels the approach that was employed before the use of cloud-based data services became widespread and companies maintained data on their own servers.
DOJ therefore suggests that prosecutors should seek data directly from the company, if it is practical and will not compromise the investigation. To determine whether to seek disclosure directly from the cloud service provider or from the company, the guidance identifies a series of factors including:
- the purpose for which the communications or records are sought and their importance to the investigation or prosecution;
- the extent of law enforcement’s ability to obtain the communications or records from the company;
- whether the company is a subsidiary of a larger institution and, if so, whether the government is aware of a contact at the parent institution;
- the extent to which the company is technologically capable of providing the communications or records; and
- the risk of an adverse result for the investigation if the company, or individual(s) who would be the logical contact at the enterprise, learns of the government’s investigation, taking into account the possibility of mitigating this risk through a preservation letter to the service provider or a protective order or other instruction to the company to prevent disclosure of the investigation to the target.
Some cloud service providers have praised the written guidance as a step towards the greater protection of cloud-stored data. While not expressly stated in the guidance, recent legal challenges by service providers to search warrants seeking to collect cloud data stored overseas (such as the United States v. Microsoft case currently before the U.S. Supreme Court) may have influenced DOJ’s decision to issue a written policy at this time. It is important to keep in mind, however, that the guidance does not impose any binding mandate on prosecutors to seek data directly from a company. Nor does it restrict a prosecutor’s legal authority to obtain information directly from a cloud service provider. Rather, the guidance simply recommends that, in many cases, data is most appropriately sought directly from a company rather than from the provider that stores the company’s data. As a result, companies may experience an increase in requests from law enforcement to produce data, including emails and electronic records, stored outside of the company’s servers.
 Seeking Enterprise Customer Data Held by Cloud Service Providers, U.S. Department of Justice, Criminal Division, Computer Crime and Intellectual Property Section (Dec. 2017), available at https://www.justice.gov/criminal-ccips/file/1017511/download.
 See, e.g., DOJ’s Newly Released Recommended Practices Are a Win for Cloud and Enterprise Customers, Neal Suggs, Microsoft Vice President and Deputy General Counsel (Dec. 14, 2017), available at https://blogs.microsoft.com/on-the-issues/2017/12/14/new-doj-guidelines-win-cloud-enterprise-customers/.