While many of the high-level principles of Information Governance (IG) and the technologies supporting their implementation are almost universally applicable, each industry sector presents different challenges – a one-size solution does not fit all. For example, unregulated privately held technology start-ups that are experiencing rapid growth may not have any retention / destruction policies in place; they will expand their IT storage until they crash into a big event, such as litigation, an IPO, or a merger. At that point they might require a top-to-bottom reconstruction – akin to an emergency room visit after a car crash.

Other organizations already function within the constraints of a regulatory regime such as life sciences or financial services. Especially in publicly traded companies, regulated industries are further along the continuum in almost all of the metrics associated with IG principles such as: existence of a RIM program; adoption of a retention schedule; legal hold procedures; and protection of sensitive information. Unlike the emergency room metaphor above, the relative maturity of IG initiatives in these organizations requires more of a performance coach than an emergency room doctor to improve their well-being.

Organizations also differ greatly in the need for dispersal of their information assets. Most organizations have adopted IT systems to allow employees to work remotely for convenience and productivity. The adoption of Bring Your Own Device (BYOD / BYOT) policies is the logical extension of this trend. The pace and extent of this trend are unevenly distributed depending on industry. For example, Forrester Research published a 2012 report comparing the pace (intensity) of adoption of BYOD / BYOT with the need for mobility among various industries.[1] The report found that 64% of respondents considered BYOD / BYOT support to be a high or critical strategic priority over the next 12 months.

The life sciences industry was slightly below the mean for the pace of adoption but ranked the highest for the need for mobility. An example of the drivers at work might be where life sciences organizations equip the outside sales team with iPads to control the risk of off-label sales pitches in violation of FDA regulations. By contrast, the financial services industry was described as more of a “fortress” industry with similar adoption of BYOD / BYOT but much less mobility.

The adoption of BYOD / BYOT policies is only one example of how productivity and technological enhancements insidiously expand the quantity and types of information assets that an organization must manage. There is ample evidence that IG policies for electronic information assets are often afterthoughts to the adoption of new workflow technology. Even content and document management systems are implemented without automated procedures for eventual deletion of unneeded information.

The unabated and expanding growth of information assets presents challenges in all organizations, including sophisticated companies in the regulated life sciences and financial services industries. Business leaders must recognize that the solutions to these challenges are cross-disciplinary, requiring understanding and cooperation among technical, legal, records management, information security and line of business stakeholders.


According to a prominent 2014 benchmarking survey of information practices in the life sciences industry, effective IG is increasingly recognized as an imperative for corporate compliance and risk mitigation.[2]  Some of the most interesting findings and recommendations of the survey demonstrate that the life sciences industry, while further along than others, still needs significant improvement:

  • 76% report that over-retention of information occurs due to how legal holds are written or applied
  • Nearly 80% report that they would prefer a retention schedule with fewer categories (“bigger buckets”)
  • Only 41% have a comprehensive records & information (RIM) strategy in place
  • Only 7% report a mature use of metrics to guide records management program assessment
  • 55% report automated deletion of email, IM and other electronic communications
  • Only 6% report that content/document management solutions fully automate the deletion / destruction process
  • New media formats and data locations are largely neglected (e.g., BYOD/BYOT, social media, collaborative tools)
  • Only 13% report that cloud services solutions automate the deletion / destruction process (5% fully and 8% partially)


A companion survey of the financial services industry showed that while these highly regulated organizations have made substantial progress in managing information assets, many similar challenges remain:

  • Compared to 70% of all surveyed industry groups, 77% of financial services organizations report that over-retention of information occurs due to how legal holds are written or applied
  • 76% report that they would prefer a retention schedule with “bigger buckets” (from 25 to 249 retention categories)
  • Only 46% have a comprehensive records & information (RIM) strategy in place
  • A paltry 3% report a mature use of metrics to guide records management program assessment
  • Compared to 45% of all surveyed industry groups, 55% report automated deletion of email, IM and other electronic communications
  • Only 9% report that content/document management solutions fully automate the deletion / destruction process
  • New media formats and data locations are largely neglected (e.g., BYOD/BYOT, social media, collaborative tools), only 1% report fully automated deletion of social media content at the end of its information lifecycle
  • Only 15% report that cloud services solutions automate the deletion / destruction process (2% fully and 13% partially) [3]

These recent surveys of Information Governance practices demonstrate that the “data explosion” threatens to outpace the implementation of management and technical solutions. Information Governance principles and best practices should be applied as an integrated part of every technology solution, so that “day forward” retention solutions automate the deletion of data in a legally defensible manner – but subject to legal holds.

Ironically, over-retention of information due to legal holds is an ad hoc risk management strategy that needlessly increases costs and may create its own set of legal risks. Current technologies exist to defensibly implement, modify and release legal holds on electronically stored information (ESI). Sound policies and procedures together with electronic document retention schedules should be developed in conjunction with the implementation of such technologies. Both the life sciences and financial services industries lag in fully automating the deletion of records at the end of the information lifecycle. This is no longer a question of rocket science. The surveys emphasize that automated solutions are ready for prime time:

Content analytics tools have matured and are now accepted as a defensible and practical method for applying lifecycle controls to large volumes of eligible information. These tools enable organizations to classify information, separate high-value information and delete unneeded information, mitigating the cost and risk associated with over-retention.[4]
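The "day forward" rule described above (delete on schedule, but subject to legal holds) can be sketched as follows. This is an added example, not code from the surveys or the author; the schedule values, record fields, custodian names and hold scopes are constructed assumptions. It also shows how a narrowly scoped hold avoids the over-retention a blanket hold causes.

```python
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import Optional

# Constructed "bigger bucket" retention schedule: category -> retention period in days.
SCHEDULE = {"email": 3 * 365, "chat": 365, "contract": 7 * 365}


@dataclass(frozen=True)
class Record:
    rec_id: str
    category: str
    custodian: str
    created: date


@dataclass(frozen=True)
class LegalHold:
    hold_id: str
    custodians: frozenset
    categories: frozenset          # empty set means every category
    issued: date
    released: Optional[date] = None

    def covers(self, rec, day):
        """True if this hold is active on `day` and the record falls inside its scope."""
        active = self.issued <= day and (self.released is None or day < self.released)
        in_scope = rec.custodian in self.custodians and (
            not self.categories or rec.category in self.categories)
        return active and in_scope


def disposition(rec, holds, today):
    """Return (action, reason). Holds are checked first so they always suspend deletion."""
    blocking = sorted(h.hold_id for h in holds if h.covers(rec, today))
    if blocking:
        return "HOLD", "legal hold " + ", ".join(blocking)
    if rec.category not in SCHEDULE:
        # Unclassified data is routed to a person, never deleted automatically.
        return "REVIEW", "no schedule entry for category " + rec.category
    expires = rec.created + timedelta(days=SCHEDULE[rec.category])
    if today >= expires:
        return "DELETE", "retention expired " + expires.isoformat()
    return "RETAIN", "retention runs until " + expires.isoformat()


def run(records, holds, today):
    """Evaluate every record and return an audit trail of each decision and its reason."""
    trail = []
    for rec in records:
        action, reason = disposition(rec, holds, today)
        trail.append({"rec_id": rec.rec_id, "action": action,
                      "reason": reason, "evaluated": today.isoformat()})
    return trail


def actions(records, holds, today):
    """Compact view of run(): record id -> action."""
    return {row["rec_id"]: row["action"] for row in run(records, holds, today)}


# Constructed sample data.
TODAY = date(2024, 6, 1)
RECORDS = [
    Record("r1", "email", "alice", date(2020, 1, 15)),
    Record("r2", "email", "bob", date(2020, 1, 15)),
    Record("r3", "chat", "alice", date(2022, 3, 1)),
    Record("r4", "contract", "bob", date(2021, 5, 1)),
    Record("r5", "wiki", "carol", date(2015, 1, 1)),
]
# A hold scoped to one custodian and one category, the same scope as a blanket
# hold, and the narrow hold after its release.
NARROW = LegalHold("H-1", frozenset({"alice"}), frozenset({"email"}), date(2023, 1, 1))
BLANKET = LegalHold("H-2", frozenset({"alice", "bob", "carol"}), frozenset(), date(2023, 1, 1))
RELEASED = replace(NARROW, released=date(2024, 5, 1))

if __name__ == "__main__":
    for label, hold in (("narrow", NARROW), ("blanket", BLANKET), ("released", RELEASED)):
        print(label, actions(RECORDS, [hold], TODAY))
```
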

In addition, pending changes to the ESI discovery rules in the Federal Rules of Civil Procedure should provide greater certainty and reduce the likelihood of the imposition of severe sanctions in litigation. As with the 2006 FRCP changes, the changes at the federal level will guide the development of law in state courts. My recent white paper, The C-Level Guide to Covering Your Information Governance Assets, addresses these important changes and provides a practical and attainable approach to a complex set of challenges that can begin immediately.


[1] Connie Moore and Jamie Warner, Industry Contexts and Constraints Diversify Approaches to Bring-Your-Own-Technology (Cambridge, MA: Forrester Research, Inc., 2012).

[2] 2013 – 2014 Information Governance Benchmarking Survey for Life Sciences (Minneapolis, MN: Cohasset Associates, ARMA International, AIIM, 2014). (“Cohasset Life Sciences Survey”).

[3] 2013 – 2014 Information Governance Benchmarking Survey for Financial Services and Insurance (Minneapolis, MN: Cohasset Associates, ARMA International, AIIM, 2014). (“Cohasset Financial Services Survey”).

[4] See, e.g., Cohasset Financial Services Survey, Section 4.2.

Posted in Document Retention Policies, Information Governance (IG), Records & Information Management (RIM)

Cloudy Laws II – Only 65 Challenges to eDiscovery Forensics in the Cloud

Among the many types of challenges presented by the adoption of cloud computing are those involving computer forensics. Computer forensics can be thought of as the set of tools and techniques that make eDiscovery possible and reliable. It is defined in Wikipedia as, “a branch of digital forensic science pertaining to legal evidence found in computers and digital storage media.” The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) defines cloud computing forensic science more specifically as,

the application of scientific principles, technological practices and derived and proven methods to reconstruct past cloud computing events through identification, collection, preservation, examination, interpretation and reporting of digital evidence

As with other legal evidence, digital evidence is subject to challenge in court. It has to be what it purports to be. Therefore, the accurate identification of the creator, custodian, chain of custody, authenticity and other attributes of digital evidence is essential in any eDiscovery setting. Essentially, a computer forensic investigation must locate and identify “documents” and other information that can be traced to the actions, knowledge and information available to parties and other witnesses involved in a lawsuit, arbitration or investigation.

While a number of technical tools and techniques have been developed to secure forensically sound images of data stored in workstation computers, servers, in-house data centers and mobile devices (e.g., Guidance Software EnCase, Symantec Clearwell, etc.), the rapidly developing and widely varying makeup of cloud computing architecture has presented or exacerbated numerous new challenges to computer forensics.

In conjunction with its work to define and apply some standards for understanding cloud computing issues (See my Cloudy Laws – Part I article), NIST formed a working group to research and evaluate the special challenges facing cloud computing forensics. The NIST Cloud Computing Forensic Science Working Group (NCC FSWG) created a draft Report dated July 2014, which identified and categorized 65 current challenges (hereinafter “Challenges”). The Report stresses the fact that the Challenges are multidisciplinary and that solutions require the interaction of experts in several fields. It states:

 Cloud forensics challenges cannot be solved by technology, law, or organizational principles alone. Many of the challenges need solutions in all three areas. Technical, legal and organizational scholars and practitioners have begun to discuss these challenges. This report focuses more on the technical challenges, which need to be understood in order to develop technology- and standards-based mitigation approaches.

The Report goes on to warn that the interests and expectations of the technical, legal, and organizational stakeholders must be properly allocated and documented in contracts in order to avoid “misunderstandings” in the event cloud computing evidence is required in any kind of litigation, arbitration, government investigation, criminal probe, homeland security investigation or otherwise. It states:

There are many stakeholders involved in cloud forensics activities, including members of government, industry, and academia. One of the biggest challenges in cloud computing is understanding who holds the responsibilities for the various tasks involved in managing the cloud. All responsibilities should be clear at the time of contract signing. Forensics is an area that is particularly prone to misunderstandings since it is often not until a forensic investigation is under way that stakeholders start making assertions about ownership and responsibilities.

The Report, NIST Cloud Computing Forensic Science Challenges (Draft NISTIR 8006), contains a densely packed 15-page table categorizing and describing the Challenges. The Report also produced the following “mind map” summarizing the findings of the NCC FSWG.

Mindmap of Cloud Forensics from NIST


The forensics Challenges are mainly technical but as in other situations dealing with the closely intertwined fields of eDiscovery, Computer Forensics and Document Retention / Destruction Policies, the components must all work together as a system for managing information assets. All the processes in the system must be coordinated to achieve the goal of a legally defensible system, if and when it is ever tested, challenged or scrutinized by outside forces.

The Report categorizes the 65 Challenges into nine major groups (represented in the above chart in red). Some of the Challenges reside in more than one category. A quick review of the major categories brings to mind many other questions about the need for coordination among stakeholders. The nine categories are Architecture, Data Collection, Analysis, Anti-forensics, Incident First Responders, Role Management, Legal, Standards, and Training. The Report explains:

  1. Architecture (e.g., diversity, complexity, provenance, multi-tenancy, data segregation, etc.) – Architecture challenges in cloud forensics include dealing with variability in cloud architectures between providers; tenant data compartmentalization and isolation during resource provisioning; proliferation of systems, locations and endpoints that can store data; accurate and secure provenance for maintaining and preserving chain of custody; infrastructure to support seizure of cloud resources without disrupting other tenants; etc.
  2. Data collection (e.g., data integrity, data recovery, data location, imaging, etc.) — Data collection challenges in cloud forensics include locating forensic artifacts in large, distributed and dynamic systems; locating and collecting volatile data; data collection from virtual machines; data integrity in a multi-tenant environment where data is shared among multiple computers in multiple locations and accessible by multiple parties; inability to image all the forensic artifacts in the cloud; accessing the data of one tenant without breaching the confidentiality of other tenants; recovery of deleted data in a shared and distributed virtual environment; etc.
  3. Analysis (e.g., correlation, reconstruction, time synchronization, logs, metadata, timelines, etc.) — Analysis challenges in cloud forensics include correlation of forensic artifacts across and within cloud providers; reconstruction of events from virtual images or storage; integrity of metadata; timeline analysis of log data including synchronization of timestamps; etc.
  4. Anti-forensics (e.g., obfuscation, data hiding, malware, etc.) — Anti-forensics are a set of techniques used specifically to prevent or mislead forensic analysis. Challenges in cloud forensics include the use of obfuscation, malware, data hiding, or other techniques to compromise the integrity of evidence; malware may circumvent virtual machine isolation methods; etc.
  5. Incident first responders (e.g., trustworthiness of cloud providers, response time, reconstruction, etc.) — Incident first responder challenges in cloud forensics include confidence, competence, and trustworthiness of the cloud providers to act as first-responders and perform data collection; difficulty in performing initial triage; processing a large volume of forensic artifacts collected; etc.
  6. Role management (e.g., data owners, identity management, users, access control, etc.) — Role management challenges in cloud forensics include uniquely identifying the owner of an account; decoupling between cloud user credentials and physical users; ease of anonymity and creating fictitious identities online; determining exact ownership of data; authentication and access control; etc.
  7. Legal (e.g., jurisdictions, laws, service level agreements, contracts, subpoenas, international cooperation, privacy, ethics, etc.) — Legal challenges in cloud forensics include identifying and addressing issues of jurisdictions for legal access to data; lack of effective channels for international communication and cooperation during an investigation; data acquisition that relies on the cooperation of cloud providers, as well as their competence and trustworthiness; missing terms in contracts and service level agreements; issuing subpoenas without knowledge of the physical location of data; seizure and confiscation of cloud resources may interrupt business continuity of other tenants; etc.
  8. Standards (e.g., standard operating procedures, interoperability, testing, validation, etc.) — Standards challenges in cloud forensics include lack of even minimum/basic SOPs, practices, and tools; lack of interoperability among cloud providers; lack of test and validation procedures; etc.
  9. Training (e.g., forensic investigators, cloud providers, qualification, certification, etc.) — Training challenges in cloud forensics include misuse of digital forensic training materials that are not applicable to cloud forensics; lack of cloud forensic training and expertise for both investigators and instructors; limited knowledge by record-keeping personnel in cloud providers about evidence; etc.

The need for cloud customers to have their data forensically searched should be addressed early in vendor selection and contract negotiations – not after an incident (lawsuit, discrimination claim, terminating employee, subpoena) that requires a forensic search. eDiscovery standards and best practices can be useful in communicating among stakeholders, without having to reinvent the wheel. The Electronic Discovery Reference Model provides a widely known standard, which delineates the processes required to boil down a forensic search into relevant evidence. Typically, the Identification, Preservation and Collection stages will create a forensic (bit by bit, verified by hash values) copy. That copy can then be searched for relevant information without altering the original digital evidence.
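A hash-verified collection of the kind described above, applied to a file such as a log export handed over by a provider, might look like this. It is an added example, not code from the NIST Report or the author; the file names, examiner label and log lines are constructed, and the hash-chained custody log is one assumed way to make the chain of custody tamper-evident.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

CHUNK = 1 << 20  # read in 1 MiB blocks so large evidence files need not fit in memory


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(CHUNK), b""):
            digest.update(block)
    return digest.hexdigest()


def append_event(log, action, detail):
    """Append a custody event whose hash covers the previous event's hash."""
    event = {
        "seq": len(log),
        "utc": datetime.now(timezone.utc).isoformat(),
        "action": action,
        "detail": detail,
        "prev": log[-1]["hash"] if log else "0" * 64,
    }
    event["hash"] = hashlib.sha256(json.dumps(event, sort_keys=True).encode()).hexdigest()
    log.append(event)
    return event


def log_intact(log):
    """Recompute every event hash and link; any edited or removed event breaks the chain."""
    prev = "0" * 64
    for event in log:
        body = {k: v for k, v in event.items() if k != "hash"}
        expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        if event["prev"] != prev or event["hash"] != expected:
            return False
        prev = event["hash"]
    return True


def collect(source, dest, examiner, log):
    """Copy source to dest, hashing the bytes as read, then re-hash the written copy."""
    digest, size = hashlib.sha256(), 0
    with open(source, "rb") as src, open(dest, "xb") as dst:  # "x": never overwrite a prior copy
        for block in iter(lambda: src.read(CHUNK), b""):
            digest.update(block)
            dst.write(block)
            size += len(block)
        dst.flush()
        os.fsync(dst.fileno())
    acquired = digest.hexdigest()
    if sha256_file(dest) != acquired:
        raise IOError("copy of %s does not match the bytes read" % source)
    os.chmod(dest, 0o444)  # working copy is read-only from here on
    item = {"source": source, "copy": dest, "sha256": acquired,
            "bytes": size, "examiner": examiner}
    append_event(log, "collected", item)
    return item


def verify(item, log):
    """Re-check the working copy against the hash recorded at collection time."""
    ok = (os.path.getsize(item["copy"]) == item["bytes"]
          and sha256_file(item["copy"]) == item["sha256"])
    append_event(log, "verified" if ok else "MISMATCH", {"copy": item["copy"]})
    return ok


def search(item, needle):
    """Read-only keyword search over the copy; returns matching line numbers."""
    with open(item["copy"], "rb") as fh:
        return [n for n, line in enumerate(fh, 1) if needle in line]


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        source = os.path.join(tmp, "export.log")
        with open(source, "wb") as fh:  # constructed sample export
            fh.write(b"2014-07-01T10:00:00Z tenant=acme user=jdoe GET /contracts/17\n"
                     b"2014-07-01T10:00:05Z tenant=acme user=jdoe DELETE /contracts/17\n")
        log = []
        item = collect(source, os.path.join(tmp, "export.log.copy"), "examiner-1", log)
        hits = search(item, b"DELETE")
        before = verify(item, log)            # searching did not alter the copy
        os.chmod(item["copy"], 0o644)         # simulate later alteration of the copy
        with open(item["copy"], "ab") as fh:
            fh.write(b"x")
        after = verify(item, log)
        chain_ok = log_intact(log)
        log[0]["detail"]["examiner"] = "someone-else"  # simulate an edited custody record
        return {"hits": hits, "sha256": item["sha256"], "verified_before": before,
                "verified_after_tamper": after, "log_intact": chain_ok,
                "log_intact_after_edit": log_intact(log),
                "actions": [e["action"] for e in log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```
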

Because of the inconsistent log protocols, virtualization technology, elasticity and shared cloud servers, cloud computing presents some particularly difficult challenges to the Identification, Preservation and Collection of evidence. It is no longer a matter of pulling hard drives, attaching a write-block and running a bit by bit image. The NIST Report highlights the following characteristics of cloud forensics, many of which do not exist in a typical on-site forensics examination:

  1. Identification of the cloud provider and its partners. This is needed to better understand the environment and thus address the factors below.
  2. The ability to conclusively identify the proper accounts held within the cloud by a consumer, especially if different cyber personas are used.
  3. The ability of the forensics examiner to gain access to the desired media.
  4. Obtaining assistance of the cloud infrastructure/application provider service staff.
  5. Understanding the topology, proprietary policies, and storage system within the cloud.
  6. Once access is obtained, the examiner’s ability to complete a forensically sound image of the media.
  7. The sheer volume of the media.
  8. The ability to respond in a timely fashion to more than one physical location if necessary.
  9. E-discovery, log file collection and privacy rights given a multi tenancy system. (How does one collect the set of log files applicable for this matter versus extraneous information with possible privacy rights protections?)
  10. Validation of the forensic image.
  11. The ability to perform analysis on encrypted data and the collector’s ability to obtain keys for decryption.
  12. The storage system no longer being local.
  13. There is often no way to link given evidence to a particular suspect other than by relying on the cloud provider’s word.

The fact that this Report was first created as late as mid-2014 demonstrates that this emerging technology has jumped ahead of some very important legal and organizational controls. Previously I highlighted the risk that a vendor somewhere in the chain of companies who provision a cloud service could render a company’s data (i.e., information assets) beyond their reach. The breadth and complexity of these 65 Challenges to successful eDiscovery in the cloud, at the very least should motivate stakeholders to investigate whether their existing or intended cloud solutions can be inspected with current forensic tools. For example, where a cloud vendor is unwilling to create or share log files and other metadata, or to permit forensic collection in a multi tenancy system, legitimate eDiscovery efforts would be frustrated and the vendor would appear to be a poor choice.

Borrowing Ronald Reagan’s old phrase to the Soviet Union, “Trust but Verify”, cloud users should take steps to make sure that the systems they deploy are reasonably safe from these known Challenges by running tests to determine if authenticated data can be extracted. You, opposing counsel or the government may someday need to come looking in your cloud for authentic and verifiable documents. Cloud providers should compete on their ability to correct, manage, mitigate or indemnify their users against these risks to valuable information assets.

Posted in Cloud Computing, Cloud Forensics, Computer Forensics, Document Retention Policies, eDiscovery, Information Security, Information Technology, Privacy, Vendor Contracts

Cloudy Laws – Part I

Cloud computing presents innumerable opportunities and brings with it enormous security and legal challenges. While there is no single accepted definition of the “cloud,” the National Institute of Standards and Technology created a reference model in 2011. NIST defined cloud computing by describing its five essential characteristics, three service models, and four deployment models. (NIST Special Publication 800-145)

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.

Essential Characteristics

  1. On demand self service
  2. Broad network access
  3. Resource Pooling
  4. Rapid Elasticity
  5. Measured Service

Service Models

  1. Software as a Service
  2. Platform as a Service
  3. Infrastructure as a Service

Deployment Models

  1. Private Cloud
  2. Community Cloud
  3. Public Cloud
  4. Hybrid Cloud


The rapid increase in the availability of cloud computing solutions ranging from Enterprise systems, to Office 365, to the ad hoc use of unencrypted Dropbox accounts, has profound implications for privacy, information security, eDiscovery and legally defensible document retention policies. Hardly a day passes without news of another serious security breach or weakness. The security risks and the costs of misjudgments, mistakes or vulnerabilities are huge. A small recent sample tells the story:

  • News reports that Russian hackers have stolen over 1 billion user credentials.
  • Target disclosed that its costs for the 2013 credit card security breach have reached $148M. Brian Krebs reported on May 14th that the costs to banks related to the Target breach were on the order of $200M and several banks have started class action suits against Target.
  • A flaw in the widely adopted yet poorly supported open source software OpenSSL led to the Heartbleed bug affecting hundreds of millions of secure websites.
  • Bloomberg News reported on July 29th that, “U.S. technology companies may lose as much as $35 billion in the next three years from foreign customers choosing not to buy their products over concern they cooperate with spy programs, according to an earlier study by the Washington-based Information Technology and Innovation Foundation.”
  • And to put icing on the cake, Microsoft and other U.S. companies’ attempts to offshore data to protect it from spying and comply with EU Privacy Rules have been put at risk by the ruling of a Federal Judge in New York. Judge Preska ruled that it is not the location of the email on Irish servers but rather the issue of “control” of the email by an American corporation that matters. Therefore she approved a search warrant by a U.S. Prosecutor to reach email stored solely in Ireland. The order was stayed pending appeal but it places Microsoft in a position of being ordered by a U.S. Court to violate EU Privacy Rules.

Not surprisingly, The New York Times quoted David Jordan, CISO for Arlington County, VA speaking for all information security professionals by stating that, “(w)e are like sheep waiting to be slaughtered.” (NYT 7/20/14)

The Microsoft Irish server email case is just one of many unresolved legal issues facing this emerging technology. The case illustrates the conflict between the EU Data Protection Directive (officially Directive 95/46/EC) and the reach of a prosecutor’s search warrant in U.S. Federal Courts. Verizon’s amicus brief warns of the consequences of extending this reach:

It would mean that foreign customers’ communications and other stored data would be available to hundreds or thousands of federal, state, and local law enforcement agencies, regardless of the laws of the countries where the data is held. Foreign customers will respond by moving their business to foreign companies without a presence in the United States.

The legal issue of who “controls” data in the cloud has an impact on systems architecture, legal jurisdiction, and vendor contracts. The breadth of the problem lies in the fact that the international legal framework for cloud computing is uneven and undeveloped. Consequently, the legitimate legal and contractual regime set up by Microsoft as a protection against the reach of U.S. courts (and NSA spying) has been upended. Other large players in cloud services are in a similar situation and have expressed support for Microsoft’s position.

The legal reasoning in the case (however it is eventually resolved) is likely to impact procedures in civil courts and should be considered when negotiating and updating cloud services contracts. Legal discovery rules require that a party to a lawsuit, arbitration or regulatory investigation must produce all documents and Electronically Stored Information (ESI) that are within their possession, custody or control. Judge Preska ruled that the power to control data (e.g., a parent company’s power over an offshore subsidiary) should trump the other legal standards governing whether a court has jurisdiction over the data.

Where data resides and who has control over it should be the subject of negotiations and carefully drafted contract language, wherever possible. For example, problems can arise where vendor contracts are silent on what happens in the event of a legal discovery demand on the client or the vendor. Similar problems can arise when a vendor goes bankrupt or is shut down by authorities, as happened to many innocent clients when the U.S. government shut down Megaupload’s servers. What about a third-party subpoena on a vendor – should the vendor be required to notify the client before turning over data? Better yet, should the vendor be prohibited from turning over data until the customer has a chance to challenge the subpoena in court? What happens if a vendor refuses to turn over data that a court has ordered?

The “control” of electronic records concerning eDiscovery and document retention/destruction policies was already challenging enough when corporate data resided on networked desktop computers and in-house servers. The BYOD trend and the third party control of cloud computing resources present new challenges, which must be addressed as this emerging technology law evolves.

Posted in Cloud Computing, eDiscovery, Information Security, Privacy, Vendor Contracts

Live Courtroom Coverage in Massachusetts

OpenCourt is a pilot project which aims to open the workings of the justice system to the public. The project involves live-streaming of proceedings from the Quincy District Court in Massachusetts.

In addition to being the first video streaming of live court proceedings, the project changes the traditional rules prohibiting the public from using most electronic devices while in the courtroom.  Bloggers and texters (i.e., new media journalists) will also be able to post to the internet live from the courtroom.

The judge has the ability to shut off the entire feed to protect identity, such as that of a victim.  The site posts updates regarding outages. For example, it reported:

The judge has toggled off the feed several times today. Right now we are off because of a potential identity issue.
Thu May 5 17:13:07 EDT 2011

On May 6th, after the prosecution requested shutting off the feed to protect the name and address of a victim, the judge ruled that the request could be handled instead by not mentioning that particular personal information and continued.  Nevertheless, live streaming means that there is no tape delay in case something slips out.  Currently the project is trying to determine a policy for access to the video archives.

Posted in Information Technology, Privacy, Procedure

LocationGate – Where in the World Was Waldo?

Just look at his iPhone data

Apparently I am not the only person troubled by the recent revelation that Google and Apple collect location data from smart phones. Mike Elgan wrote a thoughtful piece for Computerworld, “Who owns your location?”

The idea of tracking files existing on phones and on the computers used to synch data raises eDiscovery issues as well as obvious privacy and data security concerns.  Will employers be tempted to look at the data collected by company issued phones to see if their sales team or delivery drivers were on task?  Employers defending discrimination cases are always on the lookout for employee misconduct that would justify termination of employment on non-discriminatory grounds.  Did she lie to the boss about that sick day as shown by the trip to the Foxwoods Casino? 

Warrantless Searches

A January 2011 decision by the California Supreme Court held that police may make a warrantless search of a person’s cell phone incident to a lawful arrest – in California.  In the opinion, the court considers and dismisses the privacy argument:

Regarding the quantitative analysis of defendant and the dissent, the salient point of the high court’s decisions is that a “lawful custodial arrest justifies the infringement of any privacy interest the arrestee may have” in property immediately associated with his or her person at the time of arrest even if there is no reason to believe the property contains weapons or evidence (Robinson, supra, 414 U.S. at p. 235).

Although the phone at issue in People v. Diaz was not an iPhone or Android phone, the court declined to make a distinction between dumb and smart cell phones:

. . . even were it true that the amount of personal information some cell phones can store “dwarfs that which can be carried on the person in a spatial container” — and, again, the record contains no evidence on this question — defendant and the dissent fail to explain why this circumstance would justify exempting all cell phones, including those with limited storage capacity, from the rule of Robinson, Edwards, and Chadwick.

With an Android or iPhone in California, once a person is arrested this location data becomes the functional equivalent of having worn a GPS ankle bracelet for the police. 

Follow the Money

The “LocationGate” controversy over the collection of location data by Apple and Google is about money as well as privacy.  Elgan’s article discusses the monetization of this very private data without anything approaching informed consent by the user. 

The controversy has already prompted a lawsuit against each company.  The Google suit is fantastically seeking $50 million in damages according to a CNET article. The Apple suit seeks class action status.

Posted in Document Retention Policies, eDiscovery, Information Security