
Cloud Standards Customer Council (CSCC) Cloud Privacy Summit

Reston, Virginia

March 26, 2015

Jason R. Baron, Esq.

Information Governance and eDiscovery Group

Drinker Biddle & Reath LLP

Washington, D.C. 20005 © Jason R. Baron 2015

Cloud Privacy and Information Governance from Both Sides Now: Emerging Trends in Law and Public Policy Out of the Private and Public Sectors


Overview

Big Data, Privacy, and the Cloud

Sectoral Basis of US Privacy Law

- Public Sector

- Private Sector

Cloud Governance Best Practices

Privacy & Recordkeeping: OMB/NARA Memorandum on Managing Govt Records

Public Policy Challenges


Post-Snowden


Post-Sony


Shadow IT


(c) Jason R. Baron 2013


Tomorrow For Everyone: Moving to the Cloud


We have entered the era where Big Data is ….


The World Has Changed

We are not just managing thousands or millions of paper files

We are at an inflection point in history in terms of data volume

IDC Report: 1800 new exabytes this year (1 exabyte = data equivalent of 50,000 yrs of continuous movies)

Open data policies vs. “the iceberg”: a vast amount of information is “hidden” underneath the web—how is it to be reliably preserved and accessed?


Information governance is needed in a world where . . .

- 80% of enterprise data is unstructured

- 60% of documents are obsolete

- 50% of documents are duplicate

- 80% of documents are not retrieved by traditional search


Congressional Research Service Report (2015)

“Privacy is a concern, especially for public and hybrid cloud services. The greater direct control that private clouds give to users over hardware and software may provide them more control over management of privacy.”

“Establishing an effective and appropriate legal structure for regulating cloud computing services is imperative, as cloud usage is expected to represent more than half of all Internet use by the end of this decade. Globally, advances in technology services such as cloud computing paired with how those services are used by consumers have increased the difficulty of maintaining the appropriate legal balance between individual rights and the needs of law enforcement. As the depth and breadth with which consumers incorporate cloud services into their daily lives increases, the need for balance becomes even more important, but also more difficult to attain.”

Source: http://fas.org/sgp/crs/misc/R42887.pdf


From the White House Big Data Report (2014)

Th[e] trend toward ubiquitous collection is in part driven by the nature of technology itself. Whether born analog or digital, data is being reused and combined with other data in ways never before thought possible, including for uses that go beyond the intent motivating initial collection. The potential future value of data is driving a digital land grab, shifting the priorities of organizations to collect and harness as much data as possible. Companies are now constantly looking at what kind of data they have and what data they need in order to maximize their market position. In a world where the cost of data storage has plummeted and future innovation remains unpredictable, the logic of collecting as much data as possible is strong.

Source: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf


WH Big Data Report (con’t): The Challenge

Together, these trends may require us to look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades. In a technological context of structural over-collection, in which re-identification is becoming more powerful than de-identification, focusing on controlling the collection and retention of personal data, while important, may no longer be sufficient to protect personal privacy. In the words of the President’s Council of Advisors for Science & Technology, “The notice and consent is defeated by exactly the positive benefits that big data enables: new, non-obvious, unexpectedly powerful uses of data.”


FIPPs

The Fair Information Practice Principles, adopted by the Federal Trade Commission in 1998 as nonenforceable best practices for online privacy. The five pillars of the FIPPs address notice, choice, access, security and enforcement:

- There must be no personal data recordkeeping system whose existence is secret.

- There must be a way for individuals to find out what information about them is recorded and how it is used.

- There must be a way for individuals to prevent information that was obtained for one purpose from being used or made available for other purposes without their consent.

- There must be a way for individuals to correct or amend records of identifiable information about themselves.

- Any organization creating, maintaining, using or disseminating identifiable personal data must assure the reliability of the data for the intended use and must take precautions to prevent its misuse.


Overview

Top 10 areas Federal agencies need to address when procuring cloud

Gives description of issues along with ways to address issues within contracts

Provides tactical guidance through a questionnaire checklist

Available at www.cio.gov

Cloud Procurement White Paper


Privacy Questions to Ask in Federal Cloud Environment

1. When implementing a cloud solution, did the agency consider whether any personally identifiable information (PII) would be involved?

2. Did the agency consider whether any other categories of personal information, such as those protected by special privacy legislation and regulations like protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, would be involved?

3. If there is PII at issue, did the agency assess whether the Privacy Act of 1974 applied to the PII in question?

- If so, did the agency ensure that the agreement included mandatory FAR language on operating Privacy Act systems of records?

4. If there is PII at issue, did the agency conduct a Privacy Impact Assessment in accordance with section 208 of the E-Government Act of 2002 and OMB Memorandum M-03-22?

5. If there is PII at issue, does the agreement provide instruction and requirements on what to do in the event of a breach or unintentional release of PII?


Privacy Questions To Ask in a Federal Cloud Environment (con’t)

6. If there is PII at issue, did the agency make any arrangements to ensure that either agency staff created appropriate PII training guidelines or actually delivered PII training to the cloud providers?

7. If there is PII at issue, does the agency agreement provide instruction and requirements on what to do in the event of any request for disclosure, subpoena, or other judicial process seeking access to the records which may include USG PII?

8. If there is PII at issue, does the agency agreement limit uses strictly to support the agency and prohibit uses for other purposes?

9. If there is PII at issue, does the agency agreement provide instruction and requirements on terminating storage and deleting data upon expiration of the agreement term and option extensions?

10. If there is PII at issue, does the agency agreement specify whether the data servers, including redundant servers, may be located outside the United States?


HIPAA* in the Cloud

*Health Insurance Portability and Accountability Act

Where is the data physically stored?

How many copies of the data have been made?

Has the data been changed?

Has the data actually been deleted when requested? (index file only or actual data blocks?)

How will the data be stored on the cloud provider’s server? Encrypted?

Will patients be given details of the third-party cloud provider’s information handling or security practices?

How do patients exercise their right of access to any information stored about them, so as to correct any inaccuracies, when dealing with third-party cloud providers?


Gramm-Leach-Bliley Act

Requires financial institutions to establish standards for protecting confidentiality of customer non-public financial information.

Encourages use of encryption techniques.

Restricts financial institutions from disclosing consumer financial information to non-affiliated third parties (although disclosure to a cloud service provider is generally not restricted).


Forrester Research: Cloud Computing Checklist: How Secure Is Your Cloud (Chenxi Wang, Oct 30, 2009)

Show me how you protect digital identities and credentials and use them in cloud applications?

What data do you collect about me (logs, etc.)? How is it stored? How is the data used? How long will it be stored?

Under what conditions might third parties, including government agencies, have access to my data?

Can you guarantee that third-party access to shared logs and resources won’t reveal critical information about my organization?

Source: http://fas.org/sgp/crs/misc/R42887.pdf


Federal Cloud Computing Strategy Document

Vivek Kundra, Feb. 8, 2011

“Storing information in the cloud will require a technical mechanism to achieve compliance with records management laws, policies and regulations promulgated by both the National Archives and Records Administration (NARA) and the General Services Administration (GSA). The cloud solution has to support relevant record safeguards and retrieval functions, even in the context of a provider termination.” (page 14)

See http://www.cio.gov/documents/federal-cloud-computing-strategy.pdf


A New Era of Government

“[P]roper records management is the backbone of open Government.”

President Obama’s Memorandum dated November 28, 2011 re “Managing Government Records”

http://www.whitehouse.gov/the-press-office/2011/11/28/presidential-memorandum-managing-government-records


Presidential Memorandum


From President Obama’s Memorandum on Managing Government Records, dated 11/28/11:

“Decades of technological advances have transformed agency operations, creating challenges and opportunities for agency records management. Greater reliance on electronic communication and systems has radically increased the volume and diversity of information that agencies must manage. With proper planning, technology can make these records less burdensome to manage and easier to use and share. But if records management policies and practices are not updated for a digital age, the surge in information could overwhelm agency systems, leading to higher costs and lost records.”


Presidential Memorandum, November 2011

Within 120 days of the date of this memorandum, each agency head shall submit a report to the Archivist and the Director of the Office of Management and Budget (OMB) that:

(i) describes the agency's current plans for improving or maintaining its records management program, particularly with respect to managing electronic records, including email and social media, deploying cloud based services or storage solutions, and meeting other records challenges; * * * *


Archivist/OMB Directive

● M-12-18, Managing Government Records Directive, dated 8/24/12:

1.1 By 2019, Federal agencies will manage all permanent records in an electronic format.

1.2 By 2016, Federal agencies will manage both permanent and temporary email records in an accessible electronic format.

http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-18.pdf


Managing Govt Records Directive on Cloud Storage

A5. Evaluate the feasibility for secure "data at rest" storage and management services for Federal agency-owned electronic records

By December 31, 2013, NARA will determine the feasibility of establishing a secure cloud-based service to store and manage unclassified electronic records on behalf of agencies. This basic, shared service will adhere to NARA records management regulations and provide standards and tools to preserve records and make them accessible within their originating agency until NARA performs disposition.


Email is still the 800 lb. gorilla of ediscovery & therefore important to get right in the cloud


Beyond email: text messaging, social media, etc.


The demise of RM….

● John Mancini, President of AIIM:

• “If by traditional records management you mean manual systems—even if they are computerized – then I would say traditional records management is dead. The idea that we could get busy people to care about our complicated retention schedules, and drag and drop documents into folders, and manually apply metadata document by document according to an elaborate taxonomy will soon seem as ridiculous as asking a blacksmith to work on a Ferrari.”


RM wish list for 2015….

• RM’s “easy button”: the elusive goal of zero extra keystrokes to comply with RM requirements (capture)

• A technology app that automatically tags records in compliance with RM policies and practices (categorize)

• Supervised learning RM with minimal records officer or end user involvement (learn)

• Rule-based and role-based RM

• Advanced search


NARA’s “Capstone” Policy: The Path Forward

• Email archiving in short term, synced to existing proprietary software on email system

• Designation of key senior officials as creating permanent records, consistent with existing records schedules

• Additional designations of permanent records by agency component

• “Smart” filters/categorical rules built in based on content, to the extent feasible to do

• Non-senior official email records and non-tagged records designated as temporary to be held for set retention period.


Capstone Officials

Capstone officials may include:

● Officials at or near the top of an agency or an organizational subcomponent

● Key staff members that may be in positions that create or receive presumptively permanent email records

[Diagram: Capstone accounts, key staff accounts, other accounts]


NARA on Cloud Computing

NARA Bulletin 2010-05

+ Defines cloud models in accordance with NIST definitions

+ Discusses records mgmt challenges

+ Details how agencies can meet records mgmt responsibilities


NARA on Cloud Computing: RM Challenges

NARA Bulletin 2010-05

+ Lacking the capability to implement records disposition schedules, including the ability to transfer permanent records to archives and/or delete temporary records

-- are records maintained in a way that preserves functionality and integrity throughout the records’ life cycle?

-- are links maintained between records and metadata?


NARA on Cloud Computing: More Challenges

NARA Bulletin 2010-05

+ Agencies need to be able to control proposed deletion of records, wherever they be located

+ Agencies must ensure records are accessible for all purposes of access (e-discovery, FOIA, etc.)


NARA on Cloud Computing: Still More Challenges

NARA Bulletin 2010-05

+ Cloud architecture may lack formal technical standards governing storage and manipulation of data, threatening long-term trustworthiness and sustainability of data


NARA on Cloud Computing: Still More Challenges

NARA Bulletin 2010-05

+ Lack of portability complicating transferring/exporting permanent records to archival environment

+ Agencies should anticipate how continued preservation and access issues will be resolved where cloud provider business operations materially change


NARA on Cloud Computing: How can agencies meet their RM responsibilities?

NARA Bulletin 2010-05

1) Include records officer in planning & deployment of cloud computing solutions

2) Declare which copy of records will be the official record copy (value of cloud version may be greater).

3) Determine if cloud data covered under existing records schedules

4) Include instructions on how records will be captured, managed, retained, made available to users


NARA on Cloud Computing: How can agencies meet their RM responsibilities?

NARA Bulletin 2010-05

5) Instructions on conducting a records analysis, including on system documentation & metadata

6) Instructions to periodically test transfers of Federal records to other environments, including agency servers, to ensure portability

7) Instructions on how data will be migrated to new formats, so records are readable thru their life cycle

8) Resolve portability and accessibility thru good RM policies and data governance practices (interoperability, security, access, etc.)


NARA on Cloud Computing: Contractors & Service Level Agreements (SLAs)

NARA Bulletin 2010-05

+ Agencies maintain responsibility for managing records whether they reside in an agency’s physical custody or if maintained by a 3rd party contractor.

+ When dealing with 3rd parties, include RM clause to ensure that contractor must manage records in accordance with Federal Records Act, 44 USC Chapters 21, 29, 31, 33, and NARA Regs, 36 CFR Chapter XII Subchapter B.


Sample RFQ Language

The Quoter shall provide common Application Program Interfaces (APIs) allowing integration with third party tools such as email archiving solutions, E-Discovery solutions, and Electronic Records Management Software Applications.

The Quoter shall support an immutable email management solution integrated with the messaging system in accordance with the requirement for Federal agencies to manage their email messages and attachments as electronic records in accordance with 36 CFR § 1236.22, including capabilities such as those identified in: DoD STD-5015.2 V3, Electronic Records Management Software Applications Design Criteria Standard, NARA Bulletin 2008-05, July 31, 2008, Guidance concerning the use of e-mail archiving applications to store e-mail, and NARA Bulletin 2010-05 September 8, 2010, Guidance on Managing Records in Cloud Computing Environments.


Cloudy thoughts on information governance challenges


Process Optimization Problem: The transactional toll of user-based recordkeeping schemes (“as is” RM)


…. and the need for better, automated solutions ….


The Coming Age of Dark Archives (i.e., the inability to provide access unless we have smart ways of extracting signal from noise, including use of privacy filters)


Abandoning Sole Reliance on Practicing Black Swan IG


Emerging New Strategies: “Predictive Analytics”

Improved review and case assessment: cluster docs thru use of software with minimal human intervention at front end to code “seeded” data set

Slide adapted from Gartner Conference, June 23, 2010, Washington, D.C.


Judicial endorsement of predictive analytics in document review by Judge Peck in da Silva Moore v. Publicis Groupe (SDNY Feb. 24, 2012)

This opinion appears to be the first in which a Court has approved of the use of computer-assisted review. . . . What the Bar should take away from this Opinion is that computer-assisted review is an available tool and should be seriously considered for use in large-data-volume cases where it may save the producing party (or both parties) significant amounts of legal fees in document review. Counsel no longer have to worry about being the ‘first’ or ‘guinea pig’ for judicial acceptance of computer-assisted review . . . Computer-assisted review can now be considered judicially-approved for use in appropriate cases.


Emerging Autocategorization


Remarks Preceding the White House Big Data Report

Can we “build in” additional privacy protection into the architecture of big data analytics and should the government and the private sector be investing more in research toward that end?

-- John Podesta, Remarks at White House/MIT “Big Data” Privacy Workshop, March 3, 2014


What is the IGI?

The IGI is a cross-disciplinary think tank and consortium dedicated to advancing the adoption of Information Governance practices and technologies through research, publishing, advocacy, and peer-to-peer networking.

It provides industry thought leadership and benchmarking designed to foster consensus and conversation

It is a connector among the stakeholders of information governance

It is a promoter of industry best practices and standards


Why is the IGI Needed?

We believe that IGI is needed because there is an acute lack of clarity in the marketplace regarding the contours and implications of IG.

Technical capabilities have advanced more quickly than awareness of those capabilities amongst practitioners and purchasers.

The IG workforce is nascent and management responsibility for IG is unclear or unassigned at most organizations.


What is Our Mission?

The mission of the IGI is to sound the clarion call that current information management practices are unsustainable.

Unless corporations and government agencies take serious action, information overload and mismanagement will become a serious threat to the economy, delivery of government services, and to the justice system itself.

We need to work with stakeholders across the IG spectrum to architect a better path forward.


How to become a member…..

www.iginitiative.com


Rosetta Stone Approach: The Need To Master 3 Languages: Legal, RM, IT


“The future is here. It is just not evenly distributed.”

--William Gibson


Jason R. Baron, Esq.

Drinker Biddle & Reath LLP

1500 K Street N.W.

Washington, D.C. 20005

(202) 230-5196

Email: [email protected]
