Upload
basil-reynolds
View
212
Download
0
Tags:
Embed Size (px)
Citation preview
Cloud Computing: A Life Cycle ViewMITRE Conference
McLean, Virginia November 9, 2009
Jason R. BaronDirector of Litigation
Office of General CounselNational Archives and Records Administration
Government Information
Forecast: Partly Sunny, Partly Cloudy --A NARA Lawyer’s Perspective
A New Era of Government President Obama’s Memorandum dated 1/21/09 on Transparency and Open Government http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment/
Life in the fishbowl
FOIA
Federal Records Act
Privacy Act
E-Government Act of 2002
Clinger-Cohen Act (formerly IT Mgmt Reform Act)
Government Paperwork Elimination Act
OMB Circular A-130
Etc.
A New Legal Term of Art Under the Federal Rules of Civil Procedure:Electronically Stored Information or
“ESI”
“Electronically stored information”: -The wide variety of computer systems currently in use, and the rapidity of technological change, counsel against a limiting or precise definition of ESI…A common example [is] email … The rule … [is intended] to encompass future developments in computer technology. --Advisory Committee Notes to Rule 34(a), 2006 Amendments
Rule 26(f) Initial “Meet and Confer”
The early meet and confer presents an opportunity to show that government “gets it” on the subject of ESI.
Lead counsel for the government and agency point persons should be able to discuss preservation of ESI issues fluently, including with respect to + Scope of ESI holdings (key players and custodians of data)+ Preservation of specific types and forms of electronic media involved + Formatting issues (TIFF v ‘native’ v. whatever)+ Access issues (how searches will be conducted)
….The ever increasing volume of ESI is a problem
In a world of limited tools and resources…..
In a world of limited tools and resources…..
13
Microblogs (e.g., NASA tweets from Mars)NEW YORK (CNN) – 2/13/09 NASA was honored Wednesday for its efforts to inform the public through the popular social-networking Web site Twitter. More than 38,000 people followed NASA's "tweets" of the Mars Phoenix Lander mission. NASA received the "Shorty Award" for documenting the mission of the Mars Phoenix Lander. The Mars Phoenix Lander spent nearly five months in 2008 on the red planet conducting research.Twitter allows users to post updates or "tweets" in 140 characters or less. NASA said it delivered more than 600 updates during the 152 days the Phoenix was operating in the north polar region of Mars.By the end of the mission in early November, more than 38,000 people were following its tweets, NASA said."We created the account, known as Mars Phoenix, last May with the goal of providing the public with near real-time updates on the mission," said Veronica McGregor, a NASA spokesperson. "The response was incredible. Very quickly, it became a way not only to deliver news of the mission, but to interact with the public and respond to their questions about space exploration."
14
Virtual worlds
The Library of Congress’ virtual Declaration of Independence display as officially announced and which has opened as an Info Island in Second Life. The exhibit includes dioramas, streamed audio, text in the form of larger-than-life documents, information kiosks and even period furniture.
The Intersection of the Public Record Laws and E-Discovery
+ As a baseline, the Federal Records Act requires that appropriate preservation be taken for electronically stored information which falls within the federal record definition (44 USC 3301) + The existence of a valid record retention policy is a factor used by courts in considering whether to impose sanctions when hearing allegations of destruction of evidence+ Failures of adequate recordkeeping (and information management) easily translate into litigation failure
18
Examples of potential federal records “in the clouds”
Google Docs Gmail Facebook, Twitter, Youtube postings Email and structured databases of all kinds
hosted on private servers PDA text messaging hosted on private servers
The Supreme Court on Record Retention“’Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business * * * It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”--Arthur Andersen LLP v. U.S., 125 S. Ct. 2129 (May 31, 2005)
21
The Litigation Minefield U.S. litigation increasingly demands
the preservation of and access to all relevant documents, including in the form of “electronically stored information” or “ESI”
Courts impose sanctions on parties for failing to preserve evidence under the “spoliation” doctrine
Absent saving everything, often it is only with 20/20 hindsight that one can determine what should have been preserved in response to a lawsuit
Recordkeeping solutions that rely on human judgment are prone to being second-guessed by litigants and judges.
Two Recent Cautionary Tales
In re Fannie Mae Litigation, 2009 WL 21528 (D.C. Cir. Jan. 6, 2009)
Aguilar v. ICE Division of US Dept of Homeland Security, 2008 WL 5062700 (S.D.N.Y. Nov. 21, 2008)
E-Recordkeeping in Government: Five Paths
1. Print to hardcopy
2. Backup tapes
3. Preserve in online ad hoc folders
4. DoD 5015.2 recordkeeping
5. 100% email archiving
27
Electronic Archiving
What is it? 100% snapshot of (typically) email, plus in some cases other selected ESI applications
How does it differ from an RMA?Goal is of preservation of evidence, not records management per se
NARA Bulletin 2008-05 Cloud issues not yet addressed in policy guidance
28
Impact of Technology on E-Records Management Applications:
On the Ground and in the Cloud
A universe of proprietary products exists in the marketplace: document management and RMAs
DoD 5015.2 compliant products However, scalability issues exist Utopia is records mgmt without extra keystrokes Agencies must prepare to confront significant front-end
process issues when transitioning to electronic recordkeeping
Records schedule simplification is key Cloud computing adds new wrinkles: can existing
products and services adequately capture non-transitory federal record content put up in cloudspace?
29
Obama Administration commitment to cloud architecture
Vivek Kundra, Chief Information Officer in the White House Office of Science and Technology, announces launch of Apps.gov:
https://apps.gov/cloud/advantage/main/start_page.do
With links to Business apps, Productivity apps, Social media apps, Cloud computing services
30
Leading case precedent
Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008) (where City of Detroit, as defendant, entered into contract for text messaging services with non-party service provider, held, City exercised sufficient control over ESI in form of text messages so as to require production to plaintiff under FRCP 34 standards; additionally, court ordered plaintiff to make its request under FRCP 34, in lieu of Court adjudicating dispute over the propriety of plaintiff’s pending 3rd party subpoena for same material).
31
Applicable Federal Rules of Civil Procedure
FRCP 34(a)(1) requires a party to produce documents and ESI within its “possession, custody or control”
FRCP 26(a)(1)(A)(ii) requires initial disclosure to opposing party of “location” of information in party’s possession, custody or control to be used in support of claims or defenses
FRCP 37 governs ESI “lost as a result of the routine good faith operation of an electronic information system”
FRCP 45 covers 3rd party subpoenas
32
Legal issues swirling in the clouds
Implications for legal holds on stored data Preservation of metadata (e.g., access and
modification logs) Who bears the risk (and cost) of spoliation? Who bears the risk if provider retains data
that is subject to authorized destruction under pre-existing records retention schedules?
What are search and retrieval capabilities?
33
Legal issues, con’t
How does ESI get produced in litigation? How is privileged information protected? Will data be encrypted? How will actions of cloud provider be
monitored for compliance? How are cross-border issues dealt with,
privacy laws in EU, elsewhere?
34
Service provider agreements
Need to address preservation/retention, access and control issues generally
Subcontracting allowed? Define responsibilities when ediscovery hits Cloud service provider’s own retention and
backup policies clarified Law enforcement access to dataset Segregation of data from other customers
35
Service provider agreements, con’t
Notification if subpoenas directed to provider Shipment of ESI to 3rd parties for processing Capability of provider to meet
regulatory/compliance requirements How is a right to audit clause satisfied? Cost allocations Security issues Cloud provider going out of business, will
data be returned? What format?
40
Jason R. Baron
Director of Litigation
Office of General Counsel
National Archives and Records Administration
(301) 837-1499
Email: [email protected]
Disclaimer: the views expressed in this powerpoint presentation are the author’s alone, and do not necessarily represent the official view of any component or institution with which he is affiliated.
41
Relevant NARA Publications September 2004 – Expanding Acceptable Transfer Requirements for Permanent
Electronic Records – Web Content http://www.archives.gov/records-mgmt/initiatives/web-content-records.ht
ml
January 2005 – NARA Guidance on Managing Web Records http://www.archives.gov/records-mgmt/policy/managing-web-records-ind
ex.html
September 2006 - Implications of Recent Web Technologies for NARA Web Guidance http://www.archives.gov/records-mgmt/initiatives/web-tech.html
June 2009 – Guidance Concerning Managing Records in a Multi-Agency Environment http://www.archives.gov/records-mgmt/bulletins/2009/2009-02.html
42
Further Reading
ARMA “E-discovery in the Cloud = Fog” (June 2009) (available on the Web)
Mark Austrian et al., “Cloud Computing Meets e-Discovery,Cyberspace Lawyer, Vol. 14, Issue 6 (July 2009)
NARA Bulletin 2008-05 Concerning use of Email Archiving to Store Email, www.archives.gov/records-mgmt/bulletins/2008
George L. Paul and J.R. Baron, “Information Inflation: Can the Legal System Adapt,” 13 Richmond Journal of Law and Technology 10 (2007), http://law. richmond.edu/ jolt/v13i3/ article10.pdf