Cloud Computing: A Life Cycle ViewMITRE Conference

McLean, Virginia November 9, 2009

Jason R. BaronDirector of Litigation

Office of General CounselNational Archives and Records Administration

Government Information

Forecast: Partly Sunny, Partly Cloudy --A NARA Lawyer’s Perspective

A New Era of Government President Obama’s Memorandum dated 1/21/09 on Transparency and Open Government http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment/

Life in the fishbowl

FOIA

Federal Records Act

Privacy Act

E-Government Act of 2002

Clinger-Cohen Act (formerly IT Mgmt Reform Act)

Government Paperwork Elimination Act

OMB Circular A-130

Etc.

4

E-Discovery: The New Reality

A New Legal Term of Art Under the Federal Rules of Civil Procedure:Electronically Stored Information or

“ESI”

“Electronically stored information”: -The wide variety of computer systems currently in use, and the rapidity of technological change, counsel against a limiting or precise definition of ESI…A common example [is] email … The rule … [is intended] to encompass future developments in computer technology. --Advisory Committee Notes to Rule 34(a), 2006 Amendments

Rule 26(f) Initial “Meet and Confer”

The early meet and confer presents an opportunity to show that government “gets it” on the subject of ESI.

Lead counsel for the government and agency point persons should be able to discuss preservation of ESI issues fluently, including with respect to + Scope of ESI holdings (key players and custodians of data)+ Preservation of specific types and forms of electronic media involved + Formatting issues (TIFF v ‘native’ v. whatever)+ Access issues (how searches will be conducted)

….The ever increasing volume of ESI is a problem

In a world of limited tools and resources…..

In a world of limited tools and resources…..

8

Web 2.0 Technologies as Weapons of Mass Collaboration

9

Text messaging, 2009-style

10

Wikis, TWikis

11

Social Software on the Web(e.g., Facebook, YouTube, etc.)

12

Blogs

13

Microblogs (e.g., NASA tweets from Mars)NEW YORK (CNN) – 2/13/09 NASA was honored Wednesday for its efforts to inform the public through the popular social-networking Web site Twitter. More than 38,000 people followed NASA's "tweets" of the Mars Phoenix Lander mission. NASA received the "Shorty Award" for documenting the mission of the Mars Phoenix Lander. The Mars Phoenix Lander spent nearly five months in 2008 on the red planet conducting research.Twitter allows users to post updates or "tweets" in 140 characters or less. NASA said it delivered more than 600 updates during the 152 days the Phoenix was operating in the north polar region of Mars.By the end of the mission in early November, more than 38,000 people were following its tweets, NASA said."We created the account, known as Mars Phoenix, last May with the goal of providing the public with near real-time updates on the mission," said Veronica McGregor, a NASA spokesperson. "The response was incredible. Very quickly, it became a way not only to deliver news of the mission, but to interact with the public and respond to their questions about space exploration."

14

Virtual worlds

The Library of Congress’ virtual Declaration of Independence display as officially announced and which has opened as an Info Island in Second Life. The exhibit includes dioramas, streamed audio, text in the form of larger-than-life documents, information kiosks and even period furniture.

15

Public Records in the Clouds

16

If you build it, the lawyers will come…

The Intersection of the Public Record Laws and E-Discovery

+ As a baseline, the Federal Records Act requires that appropriate preservation be taken for electronically stored information which falls within the federal record definition (44 USC 3301) + The existence of a valid record retention policy is a factor used by courts in considering whether to impose sanctions when hearing allegations of destruction of evidence+ Failures of adequate recordkeeping (and information management) easily translate into litigation failure

18

Examples of potential federal records “in the clouds”

Google Docs Gmail Facebook, Twitter, Youtube postings Email and structured databases of all kinds

hosted on private servers PDA text messaging hosted on private servers

Email is still the 800 lb. gorilla of ediscovery (whether in the clouds or not)

The Supreme Court on Record Retention“’Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business * * * It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”--Arthur Andersen LLP v. U.S., 125 S. Ct. 2129 (May 31, 2005)

21

The Litigation Minefield U.S. litigation increasingly demands

the preservation of and access to all relevant documents, including in the form of “electronically stored information” or “ESI”

Courts impose sanctions on parties for failing to preserve evidence under the “spoliation” doctrine

Absent saving everything, often it is only with 20/20 hindsight that one can determine what should have been preserved in response to a lawsuit

Recordkeeping solutions that rely on human judgment are prone to being second-guessed by litigants and judges.

Two Recent Cautionary Tales

In re Fannie Mae Litigation, 2009 WL 21528 (D.C. Cir. Jan. 6, 2009)

Aguilar v. ICE Division of US Dept of Homeland Security, 2008 WL 5062700 (S.D.N.Y. Nov. 21, 2008)

E-Recordkeeping in Government: Five Paths

1. Print to hardcopy

2. Backup tapes

3. Preserve in online ad hoc folders

4. DoD 5015.2 recordkeeping

5. 100% email archiving

Transformation Strategy = E-discovery strategyPaper recordkeeping True E-government

25

Fractal Recordkeeping

26

The Tree = The Organization’s Knowledge

And Every User’s Email Account as a Separate Twig

27

Electronic Archiving

What is it? 100% snapshot of (typically) email, plus in some cases other selected ESI applications

How does it differ from an RMA?Goal is of preservation of evidence, not records management per se

NARA Bulletin 2008-05 Cloud issues not yet addressed in policy guidance

28

Impact of Technology on E-Records Management Applications:

On the Ground and in the Cloud

A universe of proprietary products exists in the marketplace: document management and RMAs

DoD 5015.2 compliant products However, scalability issues exist Utopia is records mgmt without extra keystrokes Agencies must prepare to confront significant front-end

process issues when transitioning to electronic recordkeeping

Records schedule simplification is key Cloud computing adds new wrinkles: can existing

products and services adequately capture non-transitory federal record content put up in cloudspace?

29

Obama Administration commitment to cloud architecture

Vivek Kundra, Chief Information Officer in the White House Office of Science and Technology, announces launch of Apps.gov:

https://apps.gov/cloud/advantage/main/start_page.do

With links to Business apps, Productivity apps, Social media apps, Cloud computing services

30

Leading case precedent

Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008) (where City of Detroit, as defendant, entered into contract for text messaging services with non-party service provider, held, City exercised sufficient control over ESI in form of text messages so as to require production to plaintiff under FRCP 34 standards; additionally, court ordered plaintiff to make its request under FRCP 34, in lieu of Court adjudicating dispute over the propriety of plaintiff’s pending 3rd party subpoena for same material).

31

Applicable Federal Rules of Civil Procedure

FRCP 34(a)(1) requires a party to produce documents and ESI within its “possession, custody or control”

FRCP 26(a)(1)(A)(ii) requires initial disclosure to opposing party of “location” of information in party’s possession, custody or control to be used in support of claims or defenses

FRCP 37 governs ESI “lost as a result of the routine good faith operation of an electronic information system”

FRCP 45 covers 3rd party subpoenas

32

Legal issues swirling in the clouds

Implications for legal holds on stored data Preservation of metadata (e.g., access and

modification logs) Who bears the risk (and cost) of spoliation? Who bears the risk if provider retains data

that is subject to authorized destruction under pre-existing records retention schedules?

What are search and retrieval capabilities?

33

Legal issues, con’t

How does ESI get produced in litigation? How is privileged information protected? Will data be encrypted? How will actions of cloud provider be

monitored for compliance? How are cross-border issues dealt with,

privacy laws in EU, elsewhere?

34

Service provider agreements

Need to address preservation/retention, access and control issues generally

Subcontracting allowed? Define responsibilities when ediscovery hits Cloud service provider’s own retention and

backup policies clarified Law enforcement access to dataset Segregation of data from other customers

35

Service provider agreements, con’t

Notification if subpoenas directed to provider Shipment of ESI to 3rd parties for processing Capability of provider to meet

regulatory/compliance requirements How is a right to audit clause satisfied? Cost allocations Security issues Cloud provider going out of business, will

data be returned? What format?

36

Interdisciplinary Approaches--

Three Languages: Legal, RM, and IT

37

What does the road ahead for federal agencies

look like?

The leading rule for the lawyer, as for the man, of every calling, is diligence.

-- Abraham Lincoln

40

Jason R. Baron

Director of Litigation

Office of General Counsel

National Archives and Records Administration

(301) 837-1499

Email: jason.baron@nara.gov

Disclaimer: the views expressed in this powerpoint presentation are the author’s alone, and do not necessarily represent the official view of any component or institution with which he is affiliated.

41

Relevant NARA Publications September 2004 – Expanding Acceptable Transfer Requirements for Permanent

Electronic Records – Web Content http://www.archives.gov/records-mgmt/initiatives/web-content-records.ht

ml

January 2005 – NARA Guidance on Managing Web Records http://www.archives.gov/records-mgmt/policy/managing-web-records-ind

ex.html

September 2006 - Implications of Recent Web Technologies for NARA Web Guidance http://www.archives.gov/records-mgmt/initiatives/web-tech.html

June 2009 – Guidance Concerning Managing Records in a Multi-Agency Environment http://www.archives.gov/records-mgmt/bulletins/2009/2009-02.html

42

Further Reading

ARMA “E-discovery in the Cloud = Fog” (June 2009) (available on the Web)

Mark Austrian et al., “Cloud Computing Meets e-Discovery,Cyberspace Lawyer, Vol. 14, Issue 6 (July 2009)

NARA Bulletin 2008-05 Concerning use of Email Archiving to Store Email, www.archives.gov/records-mgmt/bulletins/2008

George L. Paul and J.R. Baron, “Information Inflation: Can the Legal System Adapt,” 13 Richmond Journal of Law and Technology 10 (2007), http://law. richmond.edu/ jolt/v13i3/ article10.pdf

43

Further Reading (con’t) The Sedona Conference®, Achieving Quality in E-

Discovery (2009 forthcoming) The Sedona Conference®, Best Practices

Commentary on the Use of Search and Information Retrieval in E-Discovery (2007)

The Sedona Conference®, The Sedona Principles: Second Edition (2007)