Cloud Law Presentation

Government Information Forecast:
Partly Sunny, Partly Cloudy - A NARA Lawyer’s Perspective
Cloud Computing: A Life Cycle View
MITRE Conference
McLean, Virginia
November 9, 2009
Jason R. Baron
Director of Litigation
Office of General Counsel
National Archives and Records Administration
A New Era of Government
President Obama’s Memorandum dated 1/21/09 on Transparency and Open Government
http://www.whitehouse.gov/the_press_office/TransparencyandOpenGovernment/
Life in the fishbowl
FOIA
Federal Records Act
Privacy Act
E-Government Act of 2002
Clinger-Cohen Act (formerly IT Mgmt Reform Act)
Government Paperwork Elimination Act
OMB Circular A-130
Etc.
E-Discovery: The New Reality
A New Legal Term of Art Under the Federal Rules of Civil Procedure: Electronically Stored Information or “ESI”
“Electronically stored information”:
- The wide variety of computer systems currently in use, and the rapidity of technological change, counsel against a limiting or precise definition of ESI…A common example [is] email … The rule … [is intended] to encompass future developments in computer technology.
--Advisory Committee Notes to Rule 34(a), 2006 Amendments
Rule 26(f) Initial “Meet and Confer”
The early meet and confer presents an opportunity to show
that government “gets it” on the subject of ESI.
Lead counsel for the government and agency point persons
should be able to discuss preservation of ESI issues fluently,
including with respect to
+ Scope of ESI holdings (key players and custodians of data)
+ Preservation of specific types and forms of electronic media involved
+ Formatting issues (TIFF v ‘native’ v. whatever)
+ Access issues (how searches will be conducted)
….The ever increasing volume of ESI is a problem
In a world of limited tools and resources…..
Web 2.0 Technologies as Weapons of Mass Collaboration
Text messaging, 2009-style
Wikis, TWikis
Social Software on the Web
(e.g., Facebook, YouTube, etc.)
Blogs
Microblogs (e.g., NASA tweets from Mars)
NEW YORK (CNN) – 2/13/09 NASA was honored Wednesday for its efforts to inform the public through the popular social networking Web site Twitter.
More than 38,000 people followed NASA's "tweets" of the Mars Phoenix Lander mission.
NASA received the "Shorty Award" for documenting the mission of the Mars Phoenix Lander. The Mars Phoenix Lander spent nearly five months in 2008 on the red planet conducting research.
Twitter allows users to post updates or "tweets" in 140 characters or less. NASA said it delivered more than 600 updates during the 152 days the Phoenix was operating in the north polar region of Mars.
By the end of the mission in early November, more than 38,000 people were following its tweets, NASA said.
"We created the account, known as Mars Phoenix, last May with the goal of providing the public with near real-time updates on the mission," said Veronica McGregor, a NASA spokesperson. "The response was incredible. Very quickly, it became a way not only to deliver news of the mission, but to interact with the public and respond to their questions about space exploration."
Virtual worlds

The Library of Congress’ virtual Declaration of Independence display as officially announced and which has opened as an Info Island in Second Life. The exhibit includes dioramas, streamed audio, text in the form of larger-than-life documents, information kiosks and even period furniture.
Public Records in the Clouds
If you build it, the lawyers will come…
The Intersection of the Public Record Laws and E-Discovery
+ As a baseline, the Federal Records Act requires that appropriate preservation steps be taken for electronically stored information which falls within the federal record definition (44 USC 3301)
+ The existence of a valid record retention policy is a factor used by courts in considering whether to impose sanctions when hearing allegations of destruction of evidence
+ Failures of adequate recordkeeping (and information management) easily translate into litigation failure
Examples of potential federal records “in the clouds”
+ Google Docs
+ Gmail
+ Facebook, Twitter, YouTube postings
+ Email and structured databases of all kinds hosted on private servers
+ PDA text messaging hosted on private servers
Email is still the 800 lb. gorilla of ediscovery (whether in the clouds or not)
The Supreme Court on Record Retention
“’Document retention policies,’ which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business * * * It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances.”
--Arthur Andersen LLP v. U.S., 125 S. Ct. 2129 (May 31, 2005)
The Litigation Minefield
+ U.S. litigation increasingly demands the preservation of and access to all relevant documents, including in the form of “electronically stored information” or “ESI”
+ Courts impose sanctions on parties for failing to preserve evidence under the “spoliation” doctrine
+ Absent saving everything, often it is only with 20/20 hindsight that one can determine what should have been preserved in response to a lawsuit
+ Recordkeeping solutions that rely on human judgment are prone to being second-guessed by litigants and judges.
Two Recent Cautionary Tales
+ In re Fannie Mae Litigation, 2009 WL 21528 (D.C. Cir. Jan. 6, 2009)
+ Aguilar v. ICE Division of US Dept of Homeland Security, 2008 WL 5062700 (S.D.N.Y. Nov. 21, 2008)
E-Recordkeeping in Government: Five Paths
1. Print to hardcopy
2. Backup tapes
3. Preserve in online ad hoc folders
4. DoD 5015.2 recordkeeping
5. 100% email archiving
Transformation Strategy = E-discovery strategy
Paper recordkeeping → True E-government
Fractal Recordkeeping
The Tree = The Organization’s Knowledge
And Every User’s Email Account as a Separate Twig
Electronic Archiving
+ What is it?
  + 100% snapshot of (typically) email, plus in some cases other selected ESI applications
+ How does it differ from an RMA?
  + Goal is preservation of evidence, not records management per se
+ NARA Bulletin 2008-05
+ Cloud issues not yet addressed in policy guidance
Impact of Technology on E-Records Management Applications: On the Ground and in the Cloud
+ A universe of proprietary products exists in the marketplace: document management and RMAs
+ DoD 5015.2 compliant products
+ However, scalability issues exist
+ Utopia is records mgmt without extra keystrokes
+ Agencies must prepare to confront significant front-end process issues when transitioning to electronic recordkeeping
+ Records schedule simplification is key
+ Cloud computing adds new wrinkles: can existing products and services adequately capture non-transitory federal record content put up in cloudspace?
Obama Administration commitment to cloud architecture
+ Vivek Kundra, Chief Information Officer in the White House Office of Science and Technology, announces launch of Apps.gov: https://apps.gov/cloud/advantage/main/start_page.do
+ With links to Business apps, Productivity apps, Social media apps, Cloud computing services
Leading case precedent
+ Flagg v. City of Detroit, 252 F.R.D. 346 (E.D. Mich. 2008) (where City of Detroit, as defendant, entered into contract for text messaging services with non-party service provider, held, City exercised sufficient control over ESI in form of text messages so as to require production to plaintiff under FRCP 34 standards; additionally, court ordered plaintiff to make its request under FRCP 34, in lieu of Court adjudicating dispute over the propriety of plaintiff’s pending 3rd party subpoena for same material).
Applicable Federal Rules of Civil Procedure
+ FRCP 34(a)(1) requires a party to produce documents and ESI within its “possession, custody or control”
+ FRCP 26(a)(1)(A)(ii) requires initial disclosure to opposing party of “location” of information in party’s possession, custody or control to be used in support of claims or defenses
+ FRCP 37 governs ESI “lost as a result of the routine good faith operation of an electronic information system”
+ FRCP 45 covers 3rd party subpoenas
Legal issues swirling in the clouds
+ Implications for legal holds on stored data
+ Preservation of metadata (e.g., access and modification logs)
+ Who bears the risk (and cost) of spoliation?
+ Who bears the risk if provider retains data that is subject to authorized destruction under pre-existing records retention schedules?
+ What are search and retrieval capabilities?
Legal issues, cont’d
+ How does ESI get produced in litigation?
+ How is privileged information protected?
+ Will data be encrypted?
+ How will actions of cloud provider be monitored for compliance?
+ How are cross-border issues dealt with, privacy laws in EU, elsewhere?
Service provider agreements
+ Need to address preservation/retention, access and control issues generally
+ Subcontracting allowed?
+ Define responsibilities when ediscovery hits
+ Cloud service provider’s own retention and backup policies clarified
+ Law enforcement access to dataset
+ Segregation of data from other customers
Service provider agreements, cont’d
+ Notification if subpoenas directed to provider
+ Shipment of ESI to 3rd parties for processing
+ Capability of provider to meet regulatory/compliance requirements
+ How is a right to audit clause satisfied?
+ Cost allocations
+ Security issues
+ Cloud provider going out of business, will data be returned? What format?
Interdisciplinary Approaches - Three Languages: Legal, RM, and IT
What does the road ahead for federal agencies look like?
The leading rule for the lawyer, as for the man, of every calling, is diligence.
-- Abraham Lincoln
Jason R. Baron
Director of Litigation
Office of General Counsel
National Archives and Records Administration
(301) 837-1499
Email: jason.baron@nara.gov
Disclaimer: the views expressed in this powerpoint presentation are the author’s alone, and do not necessarily represent the official view of any component or institution with which he is affiliated.
Relevant NARA Publications
+ September 2004 – Expanding Acceptable Transfer Requirements for Permanent Electronic Records – Web Content
  http://www.archives.gov/records-mgmt/initiatives/web-contentrecords.html
+ January 2005 – NARA Guidance on Managing Web Records
  http://www.archives.gov/records-mgmt/policy/managing-web-recordsindex.html
+ September 2006 – Implications of Recent Web Technologies for NARA Web Guidance
  http://www.archives.gov/records-mgmt/initiatives/web-tech.html
+ June 2009 – Guidance Concerning Managing Records in a Multi-Agency Environment
  http://www.archives.gov/records-mgmt/bulletins/2009/2009-02.html
Further Reading
+ ARMA “E-discovery in the Cloud = Fog” (June 2009) (available on the Web)
+ Mark Austrian et al., “Cloud Computing Meets e-Discovery,” Cyberspace Lawyer, Vol. 14, Issue 6 (July 2009)
+ NARA Bulletin 2008-05 Concerning use of Email Archiving to Store Email, www.archives.gov/records-mgmt/bulletins/2008
+ George L. Paul and J.R. Baron, “Information Inflation: Can the Legal System Adapt,” 13 Richmond Journal of Law and Technology 10 (2007), http://law.richmond.edu/jolt/v13i3/article10.pdf
Further Reading (cont’d)
+ The Sedona Conference®, Achieving Quality in E-Discovery (2009 forthcoming)
+ The Sedona Conference®, Best Practices Commentary on the Use of Search and Information Retrieval in E-Discovery (2007)
+ The Sedona Conference®, The Sedona Principles: Second Edition (2007)