Cloud Privacy and Information Governance from Both Sides Now: Emerging Trends in Law and Public Policy Out of the Private and Public Sectors

Transcription

1 Cloud Privacy and Information Governance from Both Sides Now: Emerging Trends in Law and Public Policy Out of the Private and Public Sectors Cloud Standards Customer Council (CSCC) Cloud Privacy Summit Reston, Virginia March 26, 2015 Jason R. Baron, Esq. Information Governance and ediscovery Group Drinker Biddle & Reath LLP Washington, D.C Jason R. Baron 2015

2 Overview Big Data, Privacy, and the Cloud Sectoral Basis of US Privacy Law - Public Sector - Private Sector Cloud Governance Best Practices Privacy & Recordkeeping: OMB/NARA Memorandum on Managing Govt Records Public Policy Challenges (c) Jason R. Baron 2015

3 Post-Snowden (c) Jason R. Baron 2015

4 Post-Sony (c) Jason R. Baron 2015

5 Shadow IT

6

7 (c) Jason R. Baron 2013

8 Tomorrow For Everyone: Moving to the Cloud (c) Jason R. Baron 2015

9 We have entered the era where Big Data is. (c) Jason R. Baron 2015

10 The World Has Changed We are not just managing thousands or millions of paper files We are at an inflection point in history in terms of data volume IDC Report: 1800 new exabytes this year (1 exabyte=data equivalent of 50,000 yrs of continuous movies) Open data policies vs. the iceberg : a vast amount of information is hidden underneath the web how is it to be reliably preserved and accessed? (c) Jason R. Baron 2015

11 Information governance is needed in a world where % of enterprise data is unstructured - 60% of documents are obsolete - 50% of documents are duplicate - 80% documents are not retrieved by traditional search (c) Jason R. Baron 2013

12 Congressional Research Service Report (2015) Privacy is a concern, especially for public and hybrid cloud services. The greater direct control that private clouds give to users over hardware and software may provide them more control over management of privacy. Establishing an effective and appropriate legal structure for regulating cloud computing services is imperative, as cloud usage is expected to represent more than half of all Internet use by the end of this decade. Globally, advances in technology services such as cloud computing paired with how those services are used by consumers have increased the difficulty of maintaining the appropriate legal balance between individual rights and the needs of law enforcement. As the depth and breadth with which consumers incorporate cloud services into their daily lives increases, the need for balance becomes even more important, but also more difficult to attain. Source: (

13 From the White House Big Data Report (2014) Th[e] trend toward ubiquitous collection is in part driven by the nature of technology itself. Whether born analog or digital, data is being reused and combined with other data in ways never before thought possible, including for uses that go beyond the intent motivating initial collection. The potential future value of data is driving a digital land grab, shifting the priorities of organizations to collect and harness as much data as possible. Companies are now constantly looking at what kind of data they have and what data they need in order to maximize their market position. In a world where the cost of data storage has plummeted and future innovation remains unpredictable, the logic of collecting as much data as possible is strong. Source: _may_1_2014.pdf

14 WH Big Data Report (con t): The Challenge Together, these trends may require us to look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades. In a technological context of structural over-collection, in which reidentification is becoming more powerful than deidentification, focusing on controlling the collection and retention of personal data, while important, may no longer be sufficient to protect personal privacy. In the words of the President s Council of Advisors for Science & Technology, The notice and consent is defeated by exactly the positive benefits that big data enables: new, non-obvious, unexpectedly powerful uses of data. (c) Jason R. Baron 2015

15 FIPPs The Fair Information Practice Principles, adopted by the Federal Trade Commission in 1998 as nonenforceable best practices for online privacy. The five pillars of the FIPPs address notice, choice, access, security and enforcement: There must be no personal data recordkeeping system whose existence is secret. There must be a way for individuals to find out what information about them is recorded and how it is used. There must be a way for individuals to prevent information that was obtained for one purpose from being used or made available for other purposes without their consent. There must be a way for individuals to correct or amend records of identifiable information about themselves. Any organization creating, maintaining, using or disseminating identifiable personal data must assure the reliability of the data for the intended use and must take precautions to prevent its misuse. (c) Jason R. Baron 2015

16 Cloud Procurement White Paper Overview Top 10 areas Federal agencies need to address when procuring cloud Gives description of issues along with ways to address issues within contracts Provides tactical guidance through a questionnaire checklist Available at 16

17 Privacy Questions to Ask in Federal Cloud Environment 1. When implementing a cloud solution, did the agency consider whether any personally identifiable information (PII) would be involved? 2. Did the agency consider whether any other categories of personal information, such as those protected by special privacy legislation and regulations like protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, would be involved? 3. If there is PII at issue, did the agency assess whether the Privacy Act of 1974 applied to the PII in question? - If so, did the agency ensure that the agreement included mandatory FAR language on operating Privacy Act systems of records? 4. If there is PII at issue, did the agency conduct a Privacy Impact Assessment in accordance with section 208 of the E-Government Act of 2002 and OMB Memorandum M-03-22? 5. If there is PII at issue, does the agreement provide instruction and requirements on what to do in the event of a breach or unintentional release of PII? (

18 Privacy Questions To Ask in a Federal Cloud Environment (con t) 6. If there is PII at issue, did the agency make any arrangements to ensure that either agency staff created appropriate PII training guidelines or actually delivered PII training to the cloud providers? 7. If there is PII at issue, does the agency agreement provide instruction and requirements on what to do in the event of any request for disclosure, subpoena, or other judicial process seeking access to the records which may include USG PII? 8. If there is PII at issue, does the agency agreement limit uses strictly to support the agency and prohibit uses for other purposes? 9. If there is PII at issue, does the agency agreement provide instruction and requirements on terminating storage and deleting data upon expiration of the agreement term and option extensions? 10. If there is PII at issue, does the agency agreement specify whether the data servers, including redundant servers, may be located outside the United States?

19 HIPAA* in the Cloud *Health Insurance Portability and Accountability Act Where is the data physically stored? How many copies of the data have been made? Has the data been changed? Has the data actually been deleted when requested? (index file only or actual data blocks?) How will the data be stored on the cloud provider s server? Encrypted? Will details be shared with patients on details of third party cloud provider information handling or security practices? How do patients exercise their right to access to any information stored about them, so as to correct any inaccuracies, when dealing with third party cloud providers? (c) Jason R. Baron 2015

20 Gramm-Leach-Bliley Act Requires financial institutions to establish standards for protecting confidentiality of customer non-public financial information. Encourages use of encryption techniques Restricts financial institutions from disclosing consumer financial information to non-affiliated third parties (although disclosure to a cloud service provider generally not restricted). (c) Jason R. Baron 2015

21 Forrester Research: Cloud Computing Checklist: How Secure Is Your Cloud (Chenxi Wang, Oct 30, 2009) Show me how you protect digital identities and credentials and use them in cloud applications? What data do you collect about me (logs, etc.)? How is it stored? How is the data used? How long will it be stored? Under what conditions might third parties, including government agencies, have access to my data? Can you guarantee that third-party access to shared logs and resources won t reveal critical information about my organization? Source: (c) Jason R. Baron 2013

22 Federal Cloud Computing Strategy Document Vivek Kundra, Feb. 8, 2011 Storing information in the cloud will require a technical mechanism to achieve compliance with records management laws, policies and regulations promulgated by both the National Archives and Records Administration (NARA) and the General Services Administration (GSA). The cloud solution has to support relevant record safeguards and retrieval functions, even in the context of a provider termination. (page 14) See

23 A New Era of Government [P]roper records management is the backbone of open Government. President Obama s Memorandum dated November 28, 2011 re Managing Government Records governmentrecords (c) Jason R. Baron 2015

24 Presidential Memorandum From President Obama s Memorandum on Managing Government Records, dated 11/28/11: Decades of technological advances have transformed agency operations, creating challenges and opportunities for agency records management. Greater reliance on electronic communication and systems has radically increased the volume and diversity of information that agencies must manage. With proper planning, technology can make these records less burdensome to manage and easier to use and share. But if records management policies and practices are not updated for a digital age, the surge in information could overwhelm agency systems, leading to higher costs and lost records. 24

25 Presidential Memorandum, November 2011 Within 120 days of the date of this memorandum, each agency head shall submit a report to the Archivist and the Director of the Office of Management and Budget (OMB) that: (i) describes the agency's current plans for improving or maintaining its records management program, particularly with respect to managing electronic records, including and social media, deploying cloud based services or storage solutions, and meeting other records challenges; * * * * (c) Jason R. Baron 2015

26 Archivist/OMB Directive M-12-18, Managing Government Records Directive, dated 8/24/12: 1.1 By 2019, Federal agencies will manage all permanent records in an electronic format. 1.2 By 2016, Federal agencies will manage both permanent and temporary records in an accessible electronic format. (c) Jason R. Baron 2015

27 Managing Govt Records Directive on Cloud Storage A5. Evaluate the feasibility for secure "data at rest" storage and management services for Federal agency-owned electronic records By December 31,2013, NARA will determine the feasibility of establishing a secure cloud-based service to store and manage unclassified electronic records on behalf of agencies. This basic, shared service will adhere to NARA records management regulations and provide standards and tools to preserve records and make them accessible within their originating agency until NARA performs disposition. (c) Jason R. Baron 2015

28 is still the 800 lb. gorilla of ediscovery & therefore important to get right in the cloud (c) Jason R. Baron 2015

29 Beyond text messaging, social media, etc. (c) Jason R. Baron 2015

30 The demise of RM. John Mancini, President of AIIM: If by traditional records management you mean manual systems even if they are computerized then I would say traditional records management is dead. The idea that we could get busy people to care about our complicated retention schedules, and drag and drop documents into folders, and manually apply metadata document by document according to an elaborate taxonomy will soon seem as ridiculous as asking a blacksmith to work on a Ferrari. (c) Jason R. Baron 2015

31 RM wish list for RM s easy button : the elusive goal of zero extra keystrokes to comply with RM requirements (capture) A technology app that automatically tags records in compliance with RM policies and practices (categorize) Supervised learning RM with minimal records officer or end user involvement (learn) Rule-based and role-based RM Advanced search (c) Jason R. Baron 2013

32 NARA s Capstone Policy: The Path Forward archiving in short term, synced to existing proprietary software on system Designation of key senior officials as creating permanent records, consistent with existing records schedules Additional designations of permanent records by agency component Smart filters/categorical rules built in based on content, to the extent feasible to do Non-senior official records and non-tagged records designated as temporary to be held for set retention period. (c) Jason R. Baron 2013

33 Capstone Officials Capstone officials may include: Officials at or near the top of an agency or an organizational subcomponent Capstone accounts Key staff accounts Key staff members that may be in positions that create or receive presumptively permanent records Other accounts Other accounts (c) Jason R. Baron 2015

34 NARA on Cloud Computing NARA Bulletin Defines cloud models in accordance with NIST definitions + Discusses records mgmt challenges + Details how agencies can meet records mgmt responsibilities

35 NARA on Cloud Computing: RM Challenges NARA Bulletin Lacking the capability to implement records disposition schedules, including the ability to transfer permanent records to archives and/or delete temporary records --are records maintained in a way that preserves functionality and integrity throughout the records life cycle? --are links maintained between records and metadata?

36 NARA on Cloud Computing: RM Challenges NARA Bulletin Lacking the capability to implement records disposition schedules, including the ability to transfer permanent records to archives and/or delete temporary records --are records maintained in a way that preserves functionality and integrity throughout the records life cycle? --are links maintained between records and metadata?

37 NARA on Cloud Computing: More Challenges NARA Bulletin Agencies need to be able to control proposed deletion of records, wherever they be located + Agencies must ensure records are accessible for all purposes of access (e-discovery, FOIA, etc.)

38 NARA on Cloud Computing: Still More Challenges NARA Bulletin Cloud architecture may lack formal technical standards governing storage and manipulation of data, threatening longterm trustworthiness and sustainability of data

39 NARA on Cloud Computing: Still More Challenges NARA Bulletin Lack of portability complicating transferring/exporting permanent records to archival environment + Agencies should anticipate how continued preservation and access issues will be resolved where cloud provider business operations materially change

40 NARA on Cloud Computing: How can agencies meet their RM responsibilities? NARA Bulletin ) Include records officer in planning & deployment of cloud computing solutions 2) Declare which copy of records will be the official record copy (value of cloud version may be greater). 3) Determine if cloud data covered under existing records schedules 4) Include instructions on how records will be captured, managed, retained, made available to users

41 NARA on Cloud Computing: How can agencies meet their RM responsibilities? NARA Bulletin ) Instructions on conducting a records analysis, including on system documentation & metadata 6) Instructions to periodically test transfers of Federal records to other environments, including agency servers, to ensure portability 7) Instructions on how data will be migrated to new formats, so records are readable thru their life cycle 8) Resolve portability and accessibility thru good RM policies and data governance practices (interoperability, security, access, etc.)

42 NARA on Cloud Computing: Contractors & Service Level Agreements (SLAs) NARA Bulletin Agencies maintain responsibility for managing records whether they reside in an agency s physical custody or if maintained by a 3 rd party contractor. + When dealing with 3 rd parties, include RM clause to ensure that contractor must manage records in accordance with Federal Records Act, 44 USC Chapters 21, 29, 31, 33, and NARA Regs, 36 CFR Chapter XII Subchapter B.

43 Sample RFQ Language The Quoter shall provide common Application Program Interfaces (APIs) allowing integration with third party tools such as archiving solutions, E-Discovery solutions, and Electronic Records Management Software Applications. The Quoter shall support an immutable management solution integrated with the messaging system in accordance with the requirement for Federal agencies to manage their messages and attachments as electronic records in accordance with 36 CFR , including capabilities such as those identified in: DoD STD V3, Electronic Records Management Software Applications Design Criteria Standard, NARA Bulletin , July 31, 2008, Guidance concerning the use of archiving applications to store , and NARA Bulletin September 8, 2010, Guidance on Managing Records in Cloud Computing Environments.

44 Cloudy thoughts on information governance challenges

45 Process Optimization Problem: The transactional toll of user-based recordkeeping schemes ( as is RM) (c) Jason R. Baron 2013

46 . and the need for better, automated solutions. (c) Jason R. Baron 2013

47 The Coming Age of Dark Archives (i.e., the inability to provide access unless we have smart ways of extracting signal from noise, including use of privacy filters) (c) Jason R. Baron 2015

48 Abandoning Sole Reliance on Practicing Black Swan IG

49 Emerging New Strategies: Predictive Analytics Improved review and case assessment: cluster docs thru use of software with minimal human intervention at front end to code seeded data set Slide adapted from Gartner Conference June 23, 2010 Washington, D.C. (c) Jason R. Baron 2015

50 Judicial endorsement of predictive analytics in document review by Judge Peck in da Silva Moore v. Publicis Groupe (SDNY Feb. 24, 2012) This opinion appears to be the first in which a Court has approved of the use of computer-assisted review.... What the Bar should take away from this Opinion is that computer-assisted review is an available tool and should be seriously considered for use in large-data-volume cases where it may save the producing party (or both parties) significant amounts of legal fees in document review. Counsel no longer have to worry about being the first or guinea pig for judicial acceptance of computer-assisted review... Computer-assisted review can now be considered judiciallyapproved for use in appropriate cases. (c) Jason R. Baron 2015

51 Emerging Autocategorization (c) Jason R. Baron 2015

52 Remarks Preceding the White House Big Data Report Can we build in additional privacy protection into the architecture of big data analytics and should the government and the private sector be investing more in research toward that end? -- John Podesta, Remarks at White House/MIT Big Data Privacy Workshop, March 3, 2014 (c) Jason R. Baron 2015

53 What is the IGI? The IGI is a cross-disciplinary think tank and consortium dedicated to advancing the adoption of Information Governance practices and technologies through research, publishing, advocacy, and peer-to-peer networking. It provides industry thought leadership and benchmarking designed to foster consensus and conversation It is a connector among the stakeholders of information governance It is a promoter of industry best practices and standards

54 Why is the IGI Needed? We believe that IGI is needed because there is an acute lack of clarity in the marketplace regarding the contours and implications of IG. Technical capabilities have advanced more quickly than awareness of those capabilities amongst practitioners and purchasers. The IG workforce is nascent and management responsibility for IG is unclear or unassigned at most organizations.

55 What is Our Mission? The mission of the IGI is to sound the clarion call that current information management practices are unsustainable. Unless corporations and government agencies take serious action, information overload and mismanagement will become a serious threat to the economy, delivery of government services, and to the justice system itself. We need to work with stakeholders across the IG spectrum to architect a better path forward.

56

57

58

59 How to become a member..

60 Rosetta Stone Approach: The Need To Master 3 Languages: Legal, RM, IT 60

61 The future is here. It is just not evenly distributed. --William Gibson 61

62 Jason R. Baron, Esq. Drinker Biddle & Reath LLP 1500 K Street N.W. Washington, D.C (202) jason.baron@dbr.com (c) Jason R. Baron 2015