New Technologies and Information Governance: Everything you need to know and more. April 14, 2016 Galina Datskovsky, Ph.D., CRM CEO, Vaporstream

Transcription

1 New Technologies and Information Governance: Everything you need to know and more April 14, 2016 Galina Datskovsky, Ph.D., CRM CEO, Vaporstream

2 About the speaker: Galina Datskovsky, Ph.D., CRM Dr. Galina Datskovsky is currently the CEO of Vaporstream. She has also served on the board of multiple startups, assisting with strategy. Formerly Vice President of Information Governance at Autonomy an HP Company. She served as Chair, President, President Elect and Director of ARMA International ( ) as well as fellow in She also served as Senior Vice President of Architecture at CA Technologies, responsible for corporate-wide architecture and design initiatives, as General Manager of the Information Governance Business Unit and as a Distinguished Engineer. She joined CA in 2006 with the acquisition of MDY Group International, where she served as founder and CEO. Galina is a Certified Records Manager (CRM) and is recognized around the world as an expert in Information Governance and associated technologies. She is the recipient of the prestigious Leahy award and a Fellow of ARMA International. She has been widely published in academic journals and speaks frequently for industry organizations such as AIIM, ARMA International, ILTA, IQPC and Cohasset Associates/MER. She received the NJBIZ: Best 50 Women in Business Award in April Prior to founding MDY, Galina consulted for IBM and Bell Labs and taught at the Fordham University Graduate School of Business and the Graduate School of Arts and Sciences at Columbia University. She earned her doctoral and master s and bachelor s degrees in Computer Science from Columbia University.

3 Agenda Mobility/Mobile Devices Cloud Social Media Big Data/ Data Lakes Retention and Disposition Revisited

4 MOBILITY/MOBILE DEVICES

5 Mobile Workforce Enablement By 2016 four in ten organizations will rely exclusively on a policy of Bring Your Own Device (BYOD) 1 By % of businesses will have some kind of BYOD or Corporate Owned Privately Enabled (COPE) programs in place by

6 Privacy and Security: Enabling Mobile Communication Assuring corporate data is separate from private data Handling potential data breach if phones are lost or stolen Protecting information once it leaves the device or tablet Sender control: recipient can copy, forward, paste, store or print

7 Data Loss Nightmares According to Accenture s mobility practice, the biggest risk to mobile workers isn t poor Wi-Fi security, it s employees who simply forget their laptops, PDAs and mobile phones in taxis, hotels and airplanes. 1 Examples of Mobile Device Loss and Data Breaches: Home Depot, Pfizer and the VA. Easier to deal with if data can be wiped off the devices or not stay there in the first place 1

8 Text Messaging & Mobile Chatting: The Next Wave Worldwide, over 350 billion text messages are sent each month. 1 Instant messaging dwarfs this number, at 50 billion per day, or 1.5 trillion per month Text Messaging Usage Statistics. (n.d.). Retrieved August 19, "50 Billion Instant Messages Expected to Be Sent Each Day in 2014." Business ETC. Accessed August 25, 2015.

9 Lessons Learned: Over 30 Years of Exposure by s that are copied, taken out of context, and propagated intentionally and unintentionally. Hitting SEND=Loss of content control. s frequently represent business records or evidence. s that are left unencrypted can be exploited in unintended ways. Recent Example: The Sony Pictures data breach. Other data leak examples are documented in Forester Report studies sited in:

10 Other Mobility Risks Text messages are even less likely than to be protected or secured Text and photo messaging can be difficult to audit, however required for many industries Communications are not always archived or retained appropriately to meet compliance requirements

11 Use an Existing Framework for Managing our Mobile Communications Generally Accepted Recordkeeping Principles Accountability Integrity Protection Compliance Availability Retention Disposition Transparency Information about ARMA International and the Generally Accepted Recordkeeping Principles can be found at

12 Principle of Protection Ensure corporate data and apps reside separately from private ones Ensure encryption is enabled on the corporate side Enable ability to wipe corporate data if phone is lost or stolen Ensure phone and/or corporate apps are pin code protected Enable handing phone to a third party without compromising corporate apps or data Encrypt in transit and on device Prevent propagation: control forwarding, store and print even on devices beyond organization s control Retain messages per policy in a single secure repository, not on devices.

13 Principle of Compliance Ensure communications are captured: healthcare, financial services, etc. Legal and regulatory requirements FRCP, SOX and HIPAA Audit for compliance with internal policies and legal considerations

14 Principle of Availability Enabling mobile communications provides timely, efficient communications that can be instant, accurate and secure Information is made available just in time for many urgent and confidential conversations

15 Principles of Retention and Disposition Mobile communications should be retained on mobile devices only as long as they are useful for active conversations. A retained secure copy should be kept under the organization s control for legal, regulatory, fiscal, operational, and historical requirements and disposed once organization retention policies have been fulfilled.

16 People, Process and Technology Policies for device management and control. Define data ownership: for example, data in the employee s BYOD or COPE managed device belongs to the company and can be cleared at company discretion. Policies for message retention Define how and mobile messages are retained for corporate use and regulatory purposes Policies for Application Usage Define which applications should be used for business , mobile messaging and chat Audit for compliance

17 Key Takeaways 1. Mobile Workforce Enablement and efficiencies can be accomplished without sacrificing security, privacy and compliance. 2. Have a framework for making and enforcing policies. 3. Establish executive team with accountability for governance. 4. Ensure technologies like encryption, secure ephemeral messaging and mobile device management are implemented for protection. 5. Understand organization and industry compliance requirements and help ensure that they are met for all content, including messaging/texts. 6. Ensure that confidential and private information is protected and accessible only by those who have access rights.

18 INFORMATION IN THE CLOUD

19 Topics Cloud Characteristics And Risks Information Management In The Cloud Preservation And Spoliation In The Cloud Collection In The Cloud ediscovery In The Cloud Authentication Of Cloud Data End Of Lifecycle Disposition End Of Vendor Relationship Mitigating Risk

20 The Cloud Is Here To Stay By 2018, more than 60% of enterprises will have at least half of their infrastructure on cloud-based platforms. 1 By 2019, more than four-fifths (86 percent) of workloads will be processed by cloud data centers; 14 percent will be processed by traditional data centers. 2 1.Source: Forbes Tech Round up Jan Source Cisco Global Cloud Index: Forecast and Methodology,

21 What Is The Cloud? Services Software as a Service (SaaS) Platform as a Service (PaaS) Infrastructure as a Service (IaaS) Deployment Public Cloud Private Cloud Hybrid Cloud

22 Essential Characteristics of Cloud Services On Demand Self Service Broad Network Access Measured Service Resource Pooling Rapid Elasticity

23 Cloud Benefits Cost Savings Pay as you go Pay for service; No hardware costs Risk of hardware or software loss shared (cost and down time) Scalability Elasticity Application Development Low Cost Experimentation Potential Compliance and Security benefits

24 Cloud Risks Access Security Location Segregation Spoliation Service (export, analytics, costs, backup and recovery) Ownership Privacy Integrity Authentication Vendor Continuity

25 Are Retention And Business Practices In The Cloud Different? Storing data in the cloud does not relieve the organization of the responsibility for protection, management or retention of its data The Principles Risk Management EDRM and Discovery Processes Location Access and Security Possession, Custody and Control

26 Generally Accepted Recordkeeping Principles Accountability Transparency Integrity Protection Compliance Availability Retention Disposition

27 Electronic Discovery Reference Model

28 Information Management In The Cloud Risks Access Security Privacy Location

29 Information Management In The Cloud Risk Mitigation Capture sufficient data when information created to govern it Handle information in compliance with reasonable, defensible, and auditable protocols: use the Principles Establish clear rules and privacy expectations for use, access and security of systems, including social networking sites Not just perimeter security Work with the cloud provider to ensure information governance compliance Verify and limit data location

30 Preservation And Spoliation In The Risks Cloud Segregation/Identification Can cloud data be linked back to a custodian? Preservation Will the vendor comply with a legal hold, and how? Access Can you preserve on multi-user servers? Location - Where is the data?

31 Preservation And Spoliation In The Cloud Risk Mitigation Information Management How information created, stored and removed from cloud Metadata Segregation/commingling Understand how vendor conducts backup and recovery In Agreement Legal Hold Protocols: how will vendor will comply with legal hold Access rights for preservation Limit data storage locations Limit or prohibit subcontracting by the cloud provider Allocation of liability for loss

32 Collection In The Cloud Risks Segregation/Identification Access Export Options Costs

33 Collection In The Cloud Risk Mitigation Vendor Analytic Tools Metadata Access Rights for collection or forensic collection In Agreement Export Options Analytic Options Cost Options

34 E-Discovery and FOIA In The Cloud Scenarios Discovery requests or third party Subpoenas to the entity Subpoenas to the third party cloud provider

35 E-Discovery and FOIA In The Cloud Risks Possession, custody and control Who controls the data if a third party is hosting it? Complicated by deployment models of cloud computing the more third parties involved (through subcontracts, public cloud, etc.), the more complicated ownership gets

36 E-Discovery and FOIA In The Cloud Risk Mitigation In Agreement Ownership Access Notice Obligation Steps provider will take in response to subpoena Cost Apportionment Allocation of liability for wrongful disclosure

37 Authentication Of Cloud Data Risk Mitigation Chain of Custody Can vendor track creation, modification and access to your information contemporaneously through lifecycle System and Access Logs In Agreement

38 Is This The End? End of Information LifeCycle in the Cloud Disposition options: transfer, destruction Most vendors are not focused on disposition they are more likely to recover deleted items than to prove something was permanently deleted End of Relationship with your Cloud Vendor? What are the obligations for returning data upon termination, or if the vendor goes out of business?

39 Risk Mitigation At The End Risk Mitigation In Agreement Data Disposition Protocols Data Transfer and Ownership Agree on fees for data transfer and disposition

40 Risk Mitigation Summary Outline Risks Weigh Risk vs. Reward Investigate Provider Audit Practices Include Important Issues in the Vendor Agreement Consult with Counsel Consult Relevant Guidelines

41 WHAT IS SOCIAL MEDIA?

42 What is Social Media? Social Media Sites are online services or platforms that focus on building and reflecting social networks or relations among people Technically Web-based Mobile-based Blogs Picture and music sharing Wall-postings and instant messaging Presence detection

43 Types of Social Media Sites Collaborative projects (e.g., Wikipedia) Blogs and microblogs (e.g., Twitter) Content communities (e.g., YouTube) Social networking sites (e.g., Facebook) Virtual game worlds (e.g., World of Warcraft and Second Life)

44 Characteristics Public or private Potentially global audience / participants User content Interactive (not one way) Immediate 44

45 The Explosion Continues Facebook: >1.6 billion active monthly users; 1.6 billion mobile active users Twitter: >3.5 million monthly active users, 500 million tweets per day and 200 billion tweets per year LinkedIn: >414 million members in over 200 countries with executives from all Fortune 500 companies Instagram: >400 million active monthly users, 40 billion photos shared to date, an average of 80 million photos shared per day WhatsApp: >1 billion active monthly users, 1 million daily registrants, 30 billion messages sent daily YouTube: >1 billion users, 4.6 billion videos viewed per day, over 400 hours of video uploaded per minute

46 Business Benefits and Opportunities Connect and collaborate with constituents Sentiment of government agency performance Public relations Enable access and education

47 HOW DO WE ACHIEVE A BALANCED APPROACH?

48 We Want a Balanced Approach Fines Sanctions Loss of Reputation Loss of Revenue Personal Injury Risk Benefit Revenue Happy Customers Efficiency New Markets New Products How big? How likely? How often?

49 Risk of Sanctions: Implications Overpreservation Overreaction to Potential Sanctions Can Lead to Overpreservation, Panelists Warn, 12 DDEE 258 (July 5, 2012) Proportionality in prelitigation preservation decisions See Pippins v. KPMG, LLC, No. 11 Civ. 377 (CM)(JLC) (S.D.N.Y. Feb. 3, 2012)

50 BIG COMPANY & SOCIAL MEDIA: CASE STUDIES

51 Case 1: Marketing The Marketing Department has is using Social Media sites to market Big Company Power Tools Facebook Twitter LinkedIn Pintrest YouTube ( how to example) Second Life Benefits Immediate Inexpensive Fun Effective Expected

52 Case 1: Recordkeeping Implications Excerpt: BIG COMPANY RECORDS RETENTION SCHEDULE Advertisements & Marketing Materials 6 years Advertisements, testimonials, marketing literature, marketing surveys, brochures, inserts, direct mail pieces and other general sales materials for the Company's products and services. At a minimum, we need to update the record description Do record keeping requirements change because the materials are on social media?

53 What is Our Defense Against False Marketing? bpe.html

54 Case 1: Technical Implications What other media could be used for this? Apps for smart devices Tools to collect information interactive or static What is sentiment analysis and how should it be used?

55 Case 1: Legal Implications Are these records under our records retention policy? How do we ensure that policy is followed? What statutory/regulatory retention obligations do we have? How do we ensure that these obligations are followed? Generally, are we watching testimonials and/or statements about products that are accurate?

56 What is Our Defense Against False Marketing? Ask the questions posed earlier Who authored any testimonial? How accurate is what was said? Who made any other statement about a product? Is the statement accurate? If applicable, are we entitled to immunity under Section 230 of the Stored Communications Act?

57 Case 2: Product Instructions The Product Support Department is using crowd sourcing for help and how to for using Big Company power tools for home workshops. Business Benefit 24 X 7 availability Engaging for our customers Some great advice and creative solutions Great advertising for other Big Co tools

58 Case 2: Recordkeeping Implications Excerpt: BIG COMPANY RECORDS RETENTION SCHEDULE Product Manuals Life of Product Instruction and parts manuals provided to consumers with Big Company power tools. Hmmm.. What is Life of Product. Do we count the time the tools sit in consumers garages? Do crowd-sourced postings qualify as Big Company Product Manuals?

59 Case 2: Technical Implications How should we capture Official Records? Capture records of any disclaimers Record live all on-going interaction Capture official company postings and periodic snapshots of other interactions How do we manage Legal Hold? Depends on the methods chosen above, holds need to be applied to captured material, but may have to go to live recording in case of hold

60 Case 2: Legal Implications What if the crowd gives bad advice and someone gets hurt? Should we monitor and manage the postings? Is a disclaimer sufficient? What do we need to control?

61 Case 3: Recruiting The HR department is using Monster.com and LinkedIn for job postings and candidate identification. Managers are Googling candidates Benefits This is the best way to advertise our openings and find candidates Our job openings are accessible to any candidate worldwide

62 Case 3: Recordkeeping Implications Excerpt: BIG COMPANY RECORDS RETENTION SCHEDULE Recruitment / Job Posting Files 6 Years Records associated with recruitment efforts, including for example position reports, job requisitions, job postings, advertisements, applications, resumes, candidate job skill test results. HR Compliance Reporting 6 Years Compliance reports and associated statistical information, including for example, Affirmative Action Plans, EEO-1, and other employment filings. Social media job postings may fall into more than one HR record category.

63 Case 3: Technical Implications How should we capture Official Records for diversity reporting? Capture and record any official searches Make a record of searches conducted just as in the case of any other form of search Keep records of candidates rejected and reasons why, as well as statistics on candidates searched, just in case (e.g. Filing for an H1) How do we manage Legal Hold? If captured as above, hold is done through the normal RM software

64 Case 3: Legal Implications What restrictions apply for recruiting on the web? Is there a State law that forbids a prospective employer from doing so? Is it OK to look up a candidate s age? Are there ADEA implications? Big Company has a zero tolerance for porn. What if the manager finds the candidate has a racy blog or Facebook page?

65 Case 4: Employee use of Social Media to Discuss Big Company It has come to our attention that some employees are writing very negative comments about the Big Company work environment on Facebook, Twitter and some personal blogs Issues This could negatively impact our recruiting and reputation Management would like to ban this practice

66 Case 4: Recordkeeping Implications Excerpt: BIG COMPANY RECORDS RETENTION SCHEDULE Policies, Procedures and Directives Until outdated + 10 Years Final policies and procedures, plus supporting documentation related to the development of the policies and procedures Policies about employee use of social media are Big Company records Are the employees postings Big Company records?

67 Case 4: Technical Implications How do we monitor what employees are saying? Sentiment Analysis Software How do we know they are employees? Particularly bad postings can be further investigated to determine identity. It is normally not kept secret and can be cross-referenced through the personnel system

68 Case 4: Legal Implications Can Big Company bar employees from saying negative things about the company? Is there a difference between Big Company and a public employer (Quon v. City Of Ontario)

69 Case 4: Legal Implications The role of Agencies Hannah v. Northeastern State University, 2014 Denial of tenure tied to racial discrimination proven in Facebook posts. Ehling v. Monmouth-Ocean Hosp. Service Corp, 2012 Invasion of privacy when an employer accessed a private Facebook account Reid v. Ingerman Smith LLP, 2012 legal secretary suing for harassment is entitled to private postings to plaintiff s social media accounts that reveal, refer, or relate to any emotion, feeling or mental state, where posts on publically available pages contradict plaintiff s claims of mental anguish resulting from harassment CDM Media USA, Inc. v. Simms, 2015 Breach of contract by former employee via refusal to cede control of professional LinkedIn group. State v. Harris, 2012 No reasonable expectation of privacy in the information intentionally broadcast to the world

70 GOVERNANCE

71 Social Media Policies Explain why the policy is important to the Company Be clear about what is not allowed Define appropriate behavior Monitor use Define consequences The Social Media Policy should not simply say NO

72 Elements of Governance Formal grants of authority Who gets to decide? Documented Laws - Rules of the Road Rules make everyone safer Processes for change How do you change rules or grant of authority? Oversight and continuous improvement Risk-based goals Clear metrics and audits Are corrective actions needed?

73 The Need for Active Governance Should we create a permanent committee of various interest groups or will we create an ad hoc committees as needed? Are there existing committees that could take on this role? What is the role of compliance? How often are these meeting? Who responds to inquiries from the outside?

74 Risk-Based Continuous Improvement WHO Risk/ Value Assessment and Governance Goals PLAN HOW Governance Review and Action ACT DO Execute Improvement Plan CHECK Measure and Report Results

75 BIG DATA AND DATA LAKES Vaporstream Confidential

76 Definition and Market Size In information technology, big data is a collection of data sets so large and complex that it becomes difficult to process using on-hand database management tools or traditional data processing applications. The challenges include capture, curation, storage, search, sharing, analysis, and visualization. (Wikipedia) Dark Data is like that furniture you have in that Dark Cupboard. Dark data is the cute name given to all that data an organization gathers that is not part of their day to day operations. It is old stuff, stuff that turned up in the mail that you kept, just in case. It is data that you didn t erase, because it might come in handy some time. (Gartner Blog by Andrew White) According to IDC, the big data technology and services market is expected to grow at a compound annual growth rate (CAGR) of 23.1% between with annual spending reaching $48.6 billion in LegalTech New York 2013

77 Data Lake Defined A data lake is a large object-based storage repository that holds data in its native format until it is needed. searchaws.techtarget.com/definition/data-lake (last visited July 25, 2015) Gartner s definition: A data lake is a collection of storage instances of various data assets additional to the originating data sources. These assets are stored in a near-exact, or even exact, copy of the source format. The purpose of a data lake is to present an unrefined view of data to only the most highly skilled analysts, to help them explore their data refinement and analysis techniques independent of any of the system-of-record compromises that may exist in a traditional analytic data store (such as a data mart or data warehouse). (last visited July 31, 2015)

78 Further Definition While a hierarchical data warehouse stores data in files or folders, a data lake uses a flat architecture to store data. Each data element in a lake is assigned a unique identifier and tagged with a set of extended metadata tags When a business question arises, the data lake can be queried for relevant data, and that smaller set of data can then be analyzed to help answer the question The term data lake is often associated with Hadooporiented object storagehttp://searchaws.techtarget.com/definition/data-lake (last visited 7/27/15

79 Beware Of The Data Lake? While the marketing hype suggests audiences throughout an enterprise will leverage data lakes, this positioning assumes that all those audiences are highly skilled at data manipulation and analysis, as data lakes lack semantic consistency and governed metadata Gartner Says Beware of the Data Lake Fallacy (Press Release) (July 28, 2014) (last visited July 25, 2015)

80 The Data Lake In Practice Some questions related to a data lake: Who decides what goes in? What goes in? How is content organized? Who has access rights and how do you secure information and resulting objects? Chain of custody? How long is the data really useful?

81 Applying The Relevant Principles Integrity Provenance Chain of Custody Protection Security (data may be quite disparate) Privacy Personally identifiable information (PII) Compliance What are the applicable regulation for the raw data and the end product? Discovery and Production

82 Applying The Relevant Principles Availability Access Rights Available Metadata System longevity Transparency Discovering the content and providing appropriate response Retention Length of useful life Data migration Disposition When, what and how Getting rid of ROT using Big Data algorithms

83 BIG Data and BIG Security Data Origin Original Security Securing the combined blobs Maintaining access controls

84 Making The Data Lake Consistent With Good Governance Make sure you are in the conversation Know what data is going into the lake and point out policy considerations consistent with the principles just covered Don t dwell on data retention data will certainly overstay the original retention schedule Emphasize Data Security Focus on other principles that will allow the business easy access and ethical use

85 Making the Data Lake and Big Data Consistent with Good Governance (Continued) Don t try to stop the inevitable Be a business enabler, therefore focus on anything other than disposition Manage the lake as a big blob Manage the mined results in accordance with data usage Notify Legal Counsel of new data location Discovery of results as well as raw data is an important consideration

86 General Takeaways: Retention and Disposition With new technology retention schedules need to be updated: social media, data lakes, etc.. Schedules may be functionally based, not just legally based Adopt and Adjust to the new world Check your contracts very carefully Don t look at retention and disposition in a vacuum

87 General Takeaway: Get Started and KEEP GOING Identify stakeholders Establish governance processes consistent with your organization s culture Do your homework Use of social media Requirements and implications Risk / Benefit profile Governance approach Measure and report results Then do it again!

88 Case Law and Social Media The Stored Communications Act: See Crispin v. Christian Audigier, 717 F. Supp. 2d 965 (C.D. Ca. 2010) Discovery of social media, representative decisions: EEOC v. Simply Storage Mgm t, 270 F.R.D. 430 (S.D. Ind McCann v. Harleysville Ins. Co., 2010 WL (N.Y. Sup. Ct. App. Div. 2010) Offenback v. L.M. Bowman, 2011 WL (M.D. Pa. June 22, 2011)

89 Resources The Principles of the Business Data Lake (Capgemini: undated) (last visited July 27, 2015) Gartner IT Glossary (last visited July 31,2015) M. Fowler, DataLake (Feb. 5, 2015) (available at (last visited July 27, 2015) Data Mining from A to Z: Better Insights, New Opportunities (SAS: undated) (available at html (last visited July 27, 2015) B. Stein & A. Morrison, The Enterprise Data Lake: Better Integration and Deeper Analytics (PWC: June 1, 2014) (available at (last visited July 27, 2015)

90 Resources FTC Report, "Big Data: A Tool for Inclusion or Exclusion?" (January 2016). Available at Much Needed Meat on Security Requirement Bones: Report from California s Attorney General. FTC Closing Letter to Morgan Stanley Smith Barney (Aug. 10, 2015). Available at

91 Q&A