Cloud Privacy and Information Governance from Both Sides Now

Cloud Privacy and Information Governance from Both Sides Now: Emerging Trends in Law and Public Policy Out of the Private and Public Sectors
Cloud Standards Customer Council (CSCC) Cloud Privacy Summit
Reston, Virginia
March 26, 2015
Jason R. Baron, Esq.
Information Governance and eDiscovery Group
Drinker Biddle & Reath LLP
Washington, D.C. 20005
© Jason R. Baron 2015
Overview
• Big Data, Privacy, and the Cloud
• Sectoral Basis of US Privacy Law
  - Public Sector
  - Private Sector
• Cloud Governance Best Practices
• Privacy & Recordkeeping: OMB/NARA Memorandum on Managing Govt Records
• Public Policy Challenges
Post-Snowden
Post-Sony
Shadow IT
Tomorrow For Everyone: Moving to the Cloud
We have entered the era where Big Data is ….
The World Has Changed
• We are not just managing thousands or millions of paper files
• We are at an inflection point in history in terms of data volume
• IDC Report: 1800 new exabytes this year (1 exabyte = data equivalent of 50,000 yrs of continuous movies)
• Open data policies vs. “the iceberg”: a vast amount of information is “hidden” underneath the web — how is it to be reliably preserved and accessed?
Information governance is needed in a world where . . .
- 80% of enterprise data is unstructured
- 60% of documents are obsolete
- 50% of documents are duplicate
- 80% documents are not retrieved by traditional search
Congressional Research Service Report (2015)
• “Privacy is a concern, especially for public and hybrid cloud services. The greater direct control that private clouds give to users over hardware and software may provide them more control over management of privacy.”
• “Establishing an effective and appropriate legal structure for regulating cloud computing services is imperative, as cloud usage is expected to represent more than half of all Internet use by the end of this decade. Globally, advances in technology services such as cloud computing paired with how those services are used by consumers have increased the difficulty of maintaining the appropriate legal balance between individual rights and the needs of law enforcement. As the depth and breadth with which consumers incorporate cloud services into their daily lives increases, the need for balance becomes even more important, but also more difficult to attain.”
Source: http://fas.org/sgp/crs/misc/R42887.pdf
From the White House Big Data Report (2014)
• “Th[e] trend toward ubiquitous collection is in part driven by the nature of technology itself. Whether born analog or digital, data is being reused and combined with other data in ways never before thought possible, including for uses that go beyond the intent motivating initial collection. The potential future value of data is driving a digital land grab, shifting the priorities of organizations to collect and harness as much data as possible. Companies are now constantly looking at what kind of data they have and what data they need in order to maximize their market position. In a world where the cost of data storage has plummeted and future innovation remains unpredictable, the logic of collecting as much data as possible is strong.”
Source: https://www.whitehouse.gov/sites/default/files/docs/big_data_privacy_report_may_1_2014.pdf
WH Big Data Report (con’t): The Challenge
• “Together, these trends may require us to look closely at the notice and consent framework that has been a central pillar of how privacy practices have been organized for more than four decades. In a technological context of structural over-collection, in which re-identification is becoming more powerful than de-identification, focusing on controlling the collection and retention of personal data, while important, may no longer be sufficient to protect personal privacy. In the words of the President’s Council of Advisors for Science & Technology, ‘The notice and consent is defeated by exactly the positive benefits that big data enables: new, non-obvious, unexpectedly powerful uses of data.’”
FIPPs
The Fair Information Practice Principles, adopted by the Federal Trade Commission in 1998 as nonenforceable best practices for online privacy. The five pillars of the FIPPs address notice, choice, access, security and enforcement:
• There must be no personal data recordkeeping system whose existence is secret.
• There must be a way for individuals to find out what information about them is recorded and how it is used.
• There must be a way for individuals to prevent information that was obtained for one purpose from being used or made available for other purposes without their consent.
• There must be a way for individuals to correct or amend records of identifiable information about themselves.
• Any organization creating, maintaining, using or disseminating identifiable personal data must assure the reliability of the data for the intended use and must take precautions to prevent its misuse.
Cloud Procurement White Paper
Overview
• Top 10 areas Federal agencies need to address when procuring cloud
• Gives description of issues along with ways to address issues within contracts
• Provides tactical guidance through a questionnaire checklist
Available at www.cio.gov
Privacy Questions to Ask in Federal Cloud Environment
1. When implementing a cloud solution, did the agency consider whether any personally identifiable information (PII) would be involved?
2. Did the agency consider whether any other categories of personal information, such as those protected by special privacy legislation and regulations like protected health information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule, would be involved?
3. If there is PII at issue, did the agency assess whether the Privacy Act of 1974 applied to the PII in question?
  - If so, did the agency ensure that the agreement included mandatory FAR language on operating Privacy Act systems of records?
4. If there is PII at issue, did the agency conduct a Privacy Impact Assessment in accordance with section 208 of the E-Government Act of 2002 and OMB Memorandum M-03-22?
5. If there is PII at issue, does the agreement provide instruction and requirements on what to do in the event of a breach or unintentional release of PII?
Privacy Questions To Ask in a Federal Cloud Environment (con’t)
6. If there is PII at issue, did the agency make any arrangements to ensure that either agency staff created appropriate PII training guidelines or actually delivered PII training to the cloud providers?
7. If there is PII at issue, does the agency agreement provide instruction and requirements on what to do in the event of any request for disclosure, subpoena, or other judicial process seeking access to the records which may include USG PII?
8. If there is PII at issue, does the agency agreement limit uses strictly to support the agency and prohibit uses for other purposes?
9. If there is PII at issue, does the agency agreement provide instruction and requirements on terminating storage and deleting data upon expiration of the agreement term and option extensions?
10. If there is PII at issue, does the agency agreement specify whether the data servers, including redundant servers, may be located outside the United States?
HIPAA* in the Cloud
*Health Insurance Portability and Accountability Act
• Where is the data physically stored?
• How many copies of the data have been made?
• Has the data been changed?
• Has the data actually been deleted when requested? (index file only or actual data blocks?)
• How will the data be stored on the cloud provider’s server? Encrypted?
• Will details be shared with patients on details of third party cloud provider information handling or security practices?
• How do patients exercise their right to access to any information stored about them, so as to correct any inaccuracies, when dealing with third party cloud providers?
Gramm-Leach-Bliley Act
• Requires financial institutions to establish standards for protecting confidentiality of customer non-public financial information.
• Encourages use of encryption techniques
• Restricts financial institutions from disclosing consumer financial information to non-affiliated third parties (although disclosure to a cloud service provider is generally not restricted).
Forrester Research: Cloud Computing Checklist: How Secure Is Your Cloud (Chenxi Wang, Oct 30, 2009)
• Show me how you protect digital identities and credentials and use them in cloud applications?
• What data do you collect about me (logs, etc.)? How is it stored? How is the data used? How long will it be stored?
• Under what conditions might third parties, including government agencies, have access to my data?
• Can you guarantee that third-party access to shared logs and resources won’t reveal critical information about my organization?

Source: http://fas.org/sgp/crs/misc/R42887.pdf
Federal Cloud Computing Strategy Document (Vivek Kundra, Feb. 8, 2011)
“Storing information in the cloud will require a technical
mechanism to achieve compliance with records management
laws, policies and regulations promulgated by both the
National Archives and Records Administration (NARA) and the
General Services Administration (GSA). The cloud solution
has to support relevant record safeguards and retrieval
functions, even in the context of a provider termination.”
(page 14)
See http://www.cio.gov/documents/federal-cloud-computingstrategy.pdf
A New Era of Government
“[P]roper records management is the backbone of open Government.”
President Obama’s Memorandum dated November 28, 2011 re “Managing Government Records”
http://www.whitehouse.gov/the-press-office/2011/11/28/presidential-memorandum-managing-government-records
Presidential Memorandum
• From President Obama’s Memorandum on Managing Government Records, dated 11/28/11:
“Decades of technological advances have transformed agency operations, creating challenges and opportunities for agency records management. Greater reliance on electronic communication and systems has radically increased the volume and diversity of information that agencies must manage. With proper planning, technology can make these records less burdensome to manage and easier to use and share. But if records management policies and practices are not updated for a digital age, the surge in information could overwhelm agency systems, leading to higher costs and lost records.”
Presidential Memorandum, November 2011
“Within 120 days of the date of this memorandum, each agency head shall submit a report to the Archivist and the Director of the Office of Management and Budget (OMB) that:
(i) describes the agency's current plans for improving or maintaining its records management program, particularly with respect to managing electronic records, including email and social media, deploying cloud based services or storage solutions, and meeting other records challenges; * * *”
Archivist/OMB Directive
● M-12-18, Managing Government Records Directive, dated 8/24/12:
1.1 By 2019, Federal agencies will manage all permanent records in an electronic format.
1.2 By 2016, Federal agencies will manage both permanent and temporary email records in an accessible electronic format.
http://www.whitehouse.gov/sites/default/files/omb/memoranda/2012/m-12-18.pdf
Managing Govt Records Directive on Cloud Storage
A5. Evaluate the feasibility for secure "data at rest" storage and management services for Federal agency-owned electronic records
• By December 31, 2013, NARA will determine the feasibility of establishing a secure cloud-based service to store and manage unclassified electronic records on behalf of agencies. This basic, shared service will adhere to NARA records management regulations and provide standards and tools to preserve records and make them accessible within their originating agency until NARA performs disposition.
Email is still the 800 lb. gorilla of ediscovery & therefore important to get right in the cloud
Beyond email: text messaging, social media, etc.
The demise of RM….
● John Mancini, President of AIIM:
• “If by traditional records management you mean manual systems — even if they are computerized — then I would say traditional records management is dead. The idea that we could get busy people to care about our complicated retention schedules, and drag and drop documents into folders, and manually apply metadata document by document according to an elaborate taxonomy will soon seem as ridiculous as asking a blacksmith to work on a Ferrari.”
RM wish list for 2015….
• RM’s “easy button”: the elusive goal of zero extra keystrokes to comply with RM requirements (capture)
• A technology app that automatically tags records in compliance with RM policies and practices (categorize)
• Supervised learning RM with minimal records officer or end user involvement (learn)
• Rule-based and role-based RM
• Advanced search
NARA’s “Capstone” Policy: The Path Forward
• Email archiving in short term, synced to existing proprietary software on email system
• Designation of key senior officials as creating permanent records, consistent with existing records schedules
• Additional designations of permanent records by agency component
• “Smart” filters/categorical rules built in based on content, to the extent feasible to do
• Non-senior official email records and non-tagged records designated as temporary to be held for set retention period.
Capstone Officials
Capstone officials may include:
● Officials at or near the top of an agency or an organizational subcomponent
● Key staff members that may be in positions that create or receive presumptively permanent email records
[Figure: account tiers, top to bottom: Capstone accounts, Key staff accounts, Other accounts]
NARA on Cloud Computing
NARA Bulletin 2010-05
+ Defines cloud models in accordance with NIST definitions
+ Discusses records mgmt challenges
+ Details how agencies can meet records mgmt responsibilities
NARA on Cloud Computing: RM Challenges
NARA Bulletin 2010-05
+ Lacking the capability to implement records disposition schedules, including the ability to transfer permanent records to archives and/or delete temporary records
-- are records maintained in a way that preserves functionality and integrity throughout the records’ life cycle?
-- are links maintained between records and metadata?
NARA on Cloud Computing: More Challenges
NARA Bulletin 2010-05
+ Agencies need to be able to control proposed deletion of records, wherever they be located
+ Agencies must ensure records are accessible for all purposes of access (e-discovery, FOIA, etc.)
NARA on Cloud Computing: Still More Challenges
NARA Bulletin 2010-05
+ Cloud architecture may lack formal technical standards governing storage and manipulation of data, threatening long-term trustworthiness and sustainability of data
NARA on Cloud Computing: Still More Challenges
NARA Bulletin 2010-05
+ Lack of portability complicating transferring/exporting permanent records to archival environment
+ Agencies should anticipate how continued preservation and access issues will be resolved where cloud provider business operations materially change
NARA on Cloud Computing: How can agencies meet their RM responsibilities?
NARA Bulletin 2010-05
1) Include records officer in planning & deployment of cloud computing solutions
2) Declare which copy of records will be the official record copy (value of cloud version may be greater).
3) Determine if cloud data covered under existing records schedules
4) Include instructions on how records will be captured, managed, retained, made available to users
NARA on Cloud Computing: How can agencies meet their RM responsibilities?
NARA Bulletin 2010-05
5) Instructions on conducting a records analysis, including on system documentation & metadata
6) Instructions to periodically test transfers of Federal records to other environments, including agency servers, to ensure portability
7) Instructions on how data will be migrated to new formats, so records are readable thru their life cycle
8) Resolve portability and accessibility thru good RM policies and data governance practices (interoperability, security, access, etc.)
NARA on Cloud Computing: Contractors & Service Level Agreements (SLAs)
NARA Bulletin 2010-05
+ Agencies maintain responsibility for managing records whether they reside in an agency’s physical custody or if maintained by a 3rd party contractor.
+ When dealing with 3rd parties, include RM clause to ensure that contractor must manage records in accordance with Federal Records Act, 44 USC Chapters 21, 29, 31, 33, and NARA Regs, 36 CFR Chapter XII Subchapter B.
Sample RFQ Language
The Quoter shall provide common Application Program Interfaces (APIs) allowing integration with third party tools such as email archiving solutions, E-Discovery solutions, and Electronic Records Management Software Applications.
The Quoter shall support an immutable email management solution integrated with the messaging system in accordance with the requirement for Federal agencies to manage their email messages and attachments as electronic records in accordance with 36 CFR § 1236.22, including capabilities such as those identified in: DoD STD-5015.2 V3, Electronic Records Management Software Applications Design Criteria Standard; NARA Bulletin 2008-05, July 31, 2008, Guidance concerning the use of e-mail archiving applications to store e-mail; and NARA Bulletin 2010-05, September 8, 2010, Guidance on Managing Records in Cloud Computing Environments.
Cloudy thoughts on information governance challenges
Process Optimization Problem: The transactional toll of user-based recordkeeping schemes (“as is” RM)
…. and the need for better, automated solutions ….
The Coming Age of Dark Archives (i.e., the inability to provide access unless we have smart ways of extracting signal from noise, including use of privacy filters)
Abandoning Sole Reliance on Practicing Black Swan IG
Emerging New Strategies: “Predictive Analytics”
Improved review and case assessment: cluster docs thru use of software with minimal human intervention at front end to code “seeded” data set
Slide adapted from Gartner Conference, June 23, 2010, Washington, D.C.
Judicial endorsement of predictive analytics in document review by Judge Peck in da Silva Moore v. Publicis Groupe (SDNY Feb. 24, 2012)
“This opinion appears to be the first in which a Court has approved of the use of computer-assisted review. . . . What the Bar should take away from this Opinion is that computer-assisted review is an available tool and should be seriously considered for use in large-data-volume cases where it may save the producing party (or both parties) significant amounts of legal fees in document review. Counsel no longer have to worry about being the ‘first’ or ‘guinea pig’ for judicial acceptance of computer-assisted review . . . Computer-assisted review can now be considered judicially approved for use in appropriate cases.”
Emerging Autocategorization
Remarks Preceding the White House Big Data Report
• Can we “build in” additional privacy protection into the architecture of big data analytics and should the government and the private sector be investing more in research toward that end?
-- John Podesta, Remarks at White House/MIT “Big Data” Privacy Workshop, March 3, 2014
What is the IGI?
The IGI is a cross-disciplinary think tank and consortium dedicated to advancing the adoption of Information Governance practices and technologies through research, publishing, advocacy, and peer-to-peer networking.
• It provides industry thought leadership and benchmarking designed to foster consensus and conversation
• It is a connector among the stakeholders of information governance
• It is a promoter of industry best practices and standards
Why is the IGI Needed?
We believe that IGI is needed because there is an acute lack of clarity in the marketplace regarding the contours and implications of IG.
• Technical capabilities have advanced more quickly than awareness of those capabilities amongst practitioners and purchasers.
• The IG workforce is nascent and management responsibility for IG is unclear or unassigned at most organizations.
What is Our Mission?
The mission of the IGI is to sound the clarion call that current information management practices are unsustainable.
Unless corporations and government agencies take serious action, information overload and mismanagement will become a serious threat to the economy, delivery of government services, and to the justice system itself.
We need to work with stakeholders across the IG spectrum to architect a better path forward.
How to become a member…..
www.iginitiative.com
Rosetta Stone Approach: The Need To Master 3 Languages: Legal, RM, IT
“The future is here. It is just not evenly distributed.”
--William Gibson
Jason R. Baron, Esq.
Drinker Biddle & Reath LLP
1500 K Street N.W.
Washington, D.C. 20005
(202) 230-5196
Email: jason.baron@dbr.com