chevron-down Created with Sketch Beta.

Litigation News

Litigation News | 2020

Reaching into the Cloud for Discoverable ESI

Brian Alain Zemil


  • A look at the control of electronically stored information possessed by email service providers and social media companies.
  • Providers store ESI on the cloud, which typically exists in more than one physical location. 
  • Obtaining a litigant’s ESI from a provider requires an assessment of the legal duties imposed by discovery requests and the effect of the provider’s control on those duties.
Reaching into the Cloud for Discoverable ESI
RinoCdZ via Getty Images

Jump to:

My last article discussed whether a party controls a third party’s electronically stored information (ESI) and the potential consequences of its loss. A related issue concerns control of a litigant’s ESI possessed by email service providers (e.g., Google and Microsoft) and social media companies (e.g., Twitter and Facebook) (referred to individually as “internet service provider” and collectively as “providers”). Such providers store ESI on the cloud, which typically exists in more than one physical location. Obtaining a litigant’s ESI from a provider requires an assessment of the legal duties imposed by discovery requests and the effect of the provider’s control on those duties.

Federal statutes such as the Stored Communications Act (SCA) and the Electronic Communications Privacy Act dictate whether a provider can release an account holder’s ESI to another. The SCA governs two types of online services: (1) electronic communication services (ECS) (i.e., “any service which provides to users thereof the ability to send or receive wire or electronic communications”) and (2) remote computing services (RCS) (i.e., “the provision to the public of computer storage or processing services by means of an electronic communications system”). 18 U.S.C. §§ 2510(15), 2711(2).

Civil subpoenas cannot require ECS or RCS providers to produce the “content” of a litigant’s private ESI (non-content information is available under the SCA—such as the number of times viewed or accessed—that may be meaningful to your case). Rather, that ESI can only be legally obtained (1) by using the Federal Rules to compel a party (Rule 34) or a third party (Rule 45) to produce ESI that it controls or (2) with consent from the sender, recipient, addressee, or subscriber who has the legal capacity to consent.

Courts will typically quash subpoenas that purportedly require providers to produce ESI without the consent of the user. A social media provider’s terms of service may signal whether an account user controls its social media content. Where the terms do not address control, the user generally has the legal right to obtain its social media information from the provider.

Courts have compelled parties or third parties to consent to disclose ESI and other documents in another’s possession:

Thomas v. Deloitte Consulting LP, No. 3-02-cv-0343, 2004 U.S. Dist. LEXIS 29154 (N.D. Tex. June 14, 2004). The court held that it can order disclosure of information from whoever controls the communication, even if that person is not a party in the proceeding. The court ruled that two subpoenaed third parties controlled bank statements and checks held by their banks (also third parties), ordered the subpoenaed parties to exercise their legal rights to obtain the requested documents, and, alternatively, ordered the subpoenaed parties to execute authorizations so that the requested documents could be obtained directly from the banks.

Flagg v. City of Detroit, No. 05-74253, 2008 U.S. Dist. LEXIS 21923 (E.D. Mich. Mar. 20, 2008). The court held that it has the authority to order a person to produce documents, and it can order that person to give consent so someone else can disclose documents and communications on their behalf. The court ordered the defendant to produce text messages stored with its third-party provider because the messages were within the defendant’s control. Rejecting the defendant’s argument that it could withhold its consent, the court reasoned that the defendant’s Rule 34 obligation overcame its disinclination to exercise control over the text messages. The court noted that because the court was uncertain that it had the authority to compel the defendants to consent to disclosure by the provider, it instead ordered the plaintiff to “reformulate his third-party subpoena as a Rule 34 request for production directed at the Defendant.”

Negro v. Superior Court of Santa Clara County, 230 Cal. App. 4th 879 (2014). The state appellate court held that the SCA does not allow a provider to refuse to produce a litigant’s ESI in response to a subpoena, so long as a court order compels that litigant to consent to disclosure and the litigant has complied with that order.

United States v. Martin, No. CR-14-00678, 2015 U.S. Dist. LEXIS 94754 (D. Ariz. July 21, 2015). The court ruled in a criminal case that social media companies control messages on their websites regardless of their location on the cloud. But some courts have quashed subpoenas to providers seeking the release of electronic communications. See, e.g., In re Subpoena Duces Tecum to AOL, LLC, 550 F. Supp. 2d 606 (E.D. Va. 2008).

When seeking documents protected by the SCA, parties need to identify who can consent to their disclosure. Even those who do not possess those documents might have sufficient control to consent to their disclosure. If a third party does not have that control, parties must look for others who have both the ability to consent and even indirect control over those documents. Once identified, such individuals can be compelled to consent to disclosure.