10/1/2015

Hot topics and hot potatoes

What supply chain managers need to know & Why

ML Taylor, C.P.M.

(c) April 2015 ML Taylor, C.P.M. 1

Big Data

Cloud Computing

E-Discovery

Objectives

1. What is it & Why do I care?

2. Buzzwords & Hot topics

3. Mitigating actions

4. References & Resources

Preface

I am not a lawyer. My opinions are not legal advice. Obtain advice of counsel familiar with electronic records issues for your business decisions

“Contract” and “purchase order” are intended to refer to the legal contract regardless of value, product or service being procured

No difference for Federal vs. commercial contractor unless specifically stated

Presentation posted: www.mltweb.com/handouts/

Hot Topics

Electronic Records

Internet of Things

Cloud Computing

Big Data, Data Analytics

Software as a Service

Social media marketing

Forensic accounting, discovery software

Why Do We Care?

Companies must implement new technologies to stay competitive and differentiate the market

Amazon stole a large market share from retailers by using new marketing technology

Organizations must use new technologies to cut costs, reduce staff and respond to growing consumer information demands

e.g. Online records, IRS e-filing, Social Security inquiries

Urgency: Management panic, legal questions, IT rush-to-purchase, pushy salesmen, incompatibilities, consumer demand, high-risk contracts, supply-chain churn

Panacea

What Can We Do?

Lead: Take action before it’s too late

Explain business process changes & impacts

Ask for IT and Legal analysis of risks

Schedule demonstrations and ensure issues and concerns are explained

Help everyone understand there is competition

Require key suppliers to prepare (e.g. normalize & provide electronic data, adopt similar standards, agree to safeguards)

We know it’s coming, so…..

Change Happens…

Copy Machines?

“We need an original signature”

FAX Machines?

“We need a hard copy by mail”

Electronic catalogs?

Email and Digital Signatures?

“Digital Signature Laws enacted”

Cloud Computing Publicity

“Who has access to the data?”

Online Package Tracking, EFT, Electronic Receipts, Text Messages, Free Shipping

Electronic Files Flies

The Good News

Easy to create

Take up very little space

Copied easily

Translate to multiple formats & languages

The Bad News

Too easy to save

They multiply

They all look the same

What is Meta Data?

[Diagram: a contract document (electronic file, “TEXT TEXT”) labeled with its metadata: Author, Created Date, Last Change Date, Category, file type]

The wrapper tells us what’s inside

Metadata is Critical

Library; with Metadata

Library; NO Metadata

Big Data – Holy Grail

How can we move from a deep well of data to deep exploitation?

How can we use information to improve operational efficiency and customer experience, and create useful new business models?

Big Data takes educated “drilling” to reveal a well of valuable information

Some institutions have used BIG Data principles for many years

The Good Old Days

Contract Data:

• PO Number

• Price

• Quantity

• Delivery Date

BIG DATA

+ Customer usage

+ Raw material

+ Production schedule

+ Shop load

+ Carrying cost

+ Delivery estimate

+ Error rate

+ Transportation rates

+ Labor outages

+ Road hazards

+ Facility closures

+ Weather & roads

+ Regulation changes

+ Customs Schedule

+ Currency exchange

+ Market share

+ Profit/loss

+ Cost factors

= BIG Challenge

Management’s “Holy Grail” 42

Big Data Challenges

Problem: Big Data is BIG

Needs large computers, fast processing

Always gets bigger – never smaller

Requires knowledgeable analysts

Decide what data to gather & how

Traceability & accountability

Compilation & normalization

Accuracy - eliminate rekeying

Normalize, validate, control changes

Big Data - Issues

Data becomes stale & expires

Over-dependency by management

Relationship changes & cleanup

Catch & Correct hidden ‘defects’

Confirm applicability & relevancy

Analyze & report

Make rational decisions

Liability for data misuse

Legal record and discovery compliance costs

Where Is My File?

The Cloud…The Cloud

My data is in here Somewhere

ISM Podcast, Christina Kunz: Bringing Cloud Computing Down to Earth

Google Data Centers

To ensure security, Google keeps every piece of data stored on at least two servers, with the most important data also held on digital tapes.

Cloud Computing

Cloud Service Contracts

Data & Software reside on equipment owned by service provider (e.g. Google)

User controls data upload/download (maybe)

Provider responsible for equipment, data storage, backup copies, licensing?

Is Provider responsible for preventing unauthorized access?

Does Provider comply with Government requests w/o notification?

WikiLeaks

Who Protects My Data?

Taylor’s Data CIA

Cloud Storage more issues

Data ownership

Data retention, backups & data deletion

Clinton Lesson(s)

Data Storage, backups, protection

Security, encryption, access control

Legal evidence, compliance, spoliation

Support, changing service providers

Internet of Things

DHL report about impact on logistics

“when we light up “dark assets” — vast amounts of information emerge, along with potential new insights and business value”

Approx. 15B “things” connected to the internet today. They predict by 2020 it will be 50B “things”

GPS tracking devices & services, copiers, card readers, HVAC & power controllers, thermostats, power meters, plant equipment maintenance logs, smartphones, access ID cards, vehicles

When “things” talk – Who listens? How is the data used?

Assets Creating Data

Home: Web cam, baby monitor, door lock, HVAC, electric meter, automobile

Consider advantage if your car connected to your internet at home and automatically uploaded maintenance data and service issues

Work: HVAC, lighting, card readers, inventory dispensers, delivery truck locations, equipment service data

Service providers already provide small tracking devices for sensitive & high-value shipments

Electronic Data Storm

What well-known political family is once again in the news with issues exacerbated by public release of email and text messages? (hint: Arkansas)

Big Data mining & analysis tools are very powerful and dangerous when information is misused

Personal text messages, emails & cell phones are discoverable when used for work-related communication

Cloud storage and email service providers will respond to legal and political pressure

Data is never really gone – FBI/NSA/CIA recording

More examples:

Subpoena for email in Scotland - Microsoft defending consumers

Bill Gates embarrassing emails

Basketball team owner – lost the team

Electronic Record in Court

With Meta Data

Access Control

No Tampering

No Changes

3rd Party Custodian

No Meta Data = no protection

Litigation Hold – our action

As soon as legal action is anticipated

Suspend record retention procedures

Preserve evidence in all locations, including backups, DVDs, USB drives, cloud drives, etc.

Identify & notify key players – legal notice (don’t forget former employees or contractors if they have your data) and new or temporary employees

Prevent spoliation & loss

Prepare to comply with Discovery Order(s)

Discovery Issues

Forensic accounting, legal specialists, software vendors - ubiquitous

Technology assisted review (TAR)

Legal Review of all records

Culling, Clustering, de-duplication

Privileged Communication

Collateral damage & clawback

Warning: Not all managers and not all lawyers are conversant with electronic record issues. Retain competent counsel.

Who Controls Our Files?

“Cloud” & data storage contracts must anticipate and provide for discovery

Provider must be capable and obligated to comply with e-discovery requirements

Demonstrate that records have not been spoiled or changed and that ALL records have been provided

IT personnel must be prepared to support

Retrieve records and preserve metadata

Provide files in standard formats

Warning: IT suppliers have different ideas about compliance requirements.

Do not assume the IT folks understand your business needs.

More Trouble

Fail to consider smart phone & social media

BP oil spill case, Kurt Mix

Underestimate compliance cost & effort

OFHEO case - $6M error

Mix privileged data or vital data

Inadvertent production of a privileged document may waive the privilege only for that document or for all privileged documents on that subject or on all subjects.

DO NOT assume this is an IT issue - Business process owner has to be involved

Reading & References

Big Data: www.mltweb.com/tools/imo.htm#big_data_

www.dhl.com/en/about_us/logistics_insights/dhl_trend_research/bigdata.html

Cloud Computing: www.mltweb.com/tools/imo.htm#storm_cloud

Internet of Things: www.dhl.com/en/about_us/logistics_insights/dhl_trend_research/internet_of_things.html

E-Mail Pitfall: http://www.mltweb.com/tools/imo.htm#email

References

Discovery Presentation

www.mltweb.com/handouts/discovery.pdf

www.mltweb.com/handouts/references.pdf

http://www.savi.com/solutions/applications/

Smartphone app to track shipments

WWW.MLTWEB.COM

Discussion?

Following slides are parts of a much longer discussion. They are left here as a discussion reference and for people viewing the handouts

Contract Language Issues

Litigation hold & discovery response

Recovery and Backup data access

Tampering protection

Access control, system security and emergency response

Protection for personal privacy, sensitive & intellectual property data

Termination, data cleanup & removal

3rd party access controls & notices

Examples

Medical records, pharmacy prescriptions then Big Data principles to align with drug company information to spot potential drug interactions.

Legal discovery issue relative to law enforcement subpoena of medical records consumers protected by HIPAA… no protection for corporations

Life Insurance companies mining data to set high risk premiums

How secure is our Supply Chain?

Is there a way to gather Supply Chain data that will reveal anomalies in transactions?

Is data gathered and reported independently or audited?

SOX Act specifically required management attention and business process controls. Appropriate management controls should be number 1 priority when considering any new electronic processes.

Discussion

Quiz: What well-known political family is once again in the news with revelations arising from electronic media and cloud data?

- Legally discoverable information – because it was used for work

- Access available to multiple legal systems in various storage locations around the world

- Probably distributed and stored by multiple people in various formats and places

Positive benefits of Big Data and Cloud data Storage?

- Health care; drug interactions & medical records

- Banking; ATMs, credit cards

- Package and freight tracking

Big Data – Industry Buzz

DHL Logistics Reports

Other Considerations

International electronic commerce, evidence and discovery rules are different

Retain knowledgeable counsel

Train personnel to think about what they write.

Email and text messages:

Will be found….

Will be misinterpreted by opposing counsel

Will be used against you

Clean hidden data out of electronic files

Store records in a format that cannot be changed

Electronic File Problems

Email messages transmitted through multiple machines and servers

Copies, different versions and drafts could be stored or backed up anywhere

Data processing centers & cloud services add ownership and access issues

Media format & retrievability not obvious

Authentication can be difficult

Contract Requirement

FAR 4.703 Policy

(a) Except as stated in 4.703(b), contractors shall make available records, which includes books, documents, accounting procedures and practices, and other data, regardless of type and regardless of whether such items are in written form, in the form of computer data, or in any other form, and other supporting evidence to satisfy contract negotiation, administration, and audit requirements of the contracting agencies and the Comptroller General for—

(1) 3 years after final payment or, for certain records;

How to Get in Trouble

Inadequate litigation hold

Lose control of evidence

Company policy & rogue employee defense

Destroy records in anticipation

Rambus case

Fail discovery obligation

Spoliated data

Incomplete compliance

Authentication

Producing electronic evidence is not enough.

Who created the file? When?

Where was it stored?

Who had access to it or how was it controlled?

Who viewed, copied, edited or could have tampered with the file?

When, why and by whom was any part of it (including metadata) modified or deleted?

Discovery Order - Reality

Produce all relevant emails and text messages by March 15

In your in-box, subfolders, archive folders

In un-emptied trash or copied to a colleague

Include attached files or links to other files

Stored on network drives, backup drives, USB drives, smart phones, laptops, etc.

We have to search them all!

Then review, categorize and ready for submittal

Discovery order is limited only by the creativeness of opposing counsel and the patience of the judge

Notes:

IoT: smartphone connected to thermostat or door lock. Traffic lights controlled by central computer, retail display cases reporting on product sales

Items producing data and feeding to the internet at much more rapid rate than humans. Web cams, weather stations,

Big Data analysis: combine sales information with time of day, weather prediction, traffic, holidays, sale prices, etc. to predict sales volume and schedule retail staff.

Files, Documents & Records

Paper

Visible & common format

Costly to store, copy and distribute

Difficult to index and search

Deliberate document/record decision.

Electronic Files

Invisible, exist anywhere

Easy to save & copy

Can be posted or emailed

Can be indexed and searched electronically

Can become part of the record by accident

Discovery Model

Records Management Plan

Drivers: Legal, Tax, NARA, FAR, Risk of loss, HR, Environment

Define: File type, Purpose, Capture date, Retention, Separate risks

Train: Management, Legal, Staff, Contractors, IT staff

Store: Security, Backup, “information lifecycle governance (ILG)”, Preservation, Retirement

Audit: Awareness, Compliance, Exceptions, Recovery, Spoilage, Duplication, Garbage

What IS/NOT a Record?

Files

Working copies

Notes

Drafts

Unsigned

Old versions

Reports

Emails

Text messages

Considerations:

Is it the only evidence?

Audit support

Decision support

Lifespan – keep until when?

Authority to destroy should be documented in policy

What is a Record?

GAO, OMB, IG, DCAA audits & cases

What documents do we need to survive an incurred cost audit or a DOL Davis Bacon audit?

What project records do we need?

Warranty, QA, safety envelope, proof of insurance

What records does finance need?

Tax payments,

What records does the legal counsel want to retain?

Executed contract, stop work notice, claim

Records by department/function?

We may not all have the same needs or retention criteria.

What is a Record?

National Archives & Record Administration

GRS-3 – procurement documents

GRS-20 – electronic records (April 2010)

Describes what documents should be kept and the normal retention period

Presidential initiative 11/28/11, OMB 8/24/12

Requires that to the fullest extent possible, agencies eliminate paper and use electronic recordkeeping

…applicable to all executive agencies and to all records, without regard to security classification or any other restriction.

Action Plan

Define

Record

Train

Procedures

Communicate Sensitize

Defensible

plan

What records are required for this activity?

How are we going to capture the records?

How are we going to store the records?

What is the retention period?

When and how are we going to retire records and non-records?

Does everyone understand the risks and know how to respond to a legal hold?