Friday, September 13, 2013
THINK MANAGING FEDERAL EMAIL RECORDS IS TOUGH? WAIT FOR RECORDS ON SNAPCHAT Andrew McLaughlin, a former deputy U.S. chief technology officer // Flickr user rsepulveda Once upon a time when federal employees used personal email for government communication, it was easy to call evasion, subterfuge or plain old trickery aimed at avoiding federal records preservation requirements. When some of President Bush’s political advisers used Republican National Committee accounts -- designated for political-only emails -- to communicate about the firing of U.S. attorneys in 2007, the White House was quick to admit fault, launch an internal investigation and beef up its own email retention policy. As email and other forms of digital communication have become ubiquitous in Washington and elsewhere, though, it’s become increasingly difficult to stanch the flow of emails leaking between professional and personal accounts. At the same time, new third party sites and services such as Facebook and Twitter have proliferated, making it difficult and confusing for federal officials to properly store information that should be available for Freedom of Information Act requesters and future historians. How, for instance, should a federal official handle a text message to a personal cellphone from a friend and coworker that contains mostly personal information but one piece of important business? These questions become harder when it comes to new applications such as SnapChat that are specifically designed to make it difficult to preserve information, said Andrew McLaughlin, a former deputy U.S. chief technology officer . McLaughlin raised such issues on Tuesday during a House Oversight and Government Reform Committee hearing focused on preventing federal transparency law violations. Officials at the White House and most federal agencies are allowed to conduct some business on personal email accounts if their work accounts are unavailable but are instructed to forward those emails to a work account so they’re discoverable during FOIA requests. The oversight committee’s ranking member Rep. Elijah Cummings, D-Md., has introduced legislation that would make copying such emails within five days a legal requirement. McLaughlin was reprimanded in 2010 when the response to a Freedom of Information Act request revealed he had conducted some White House business on his Gmail account and not forwarded the messages, violating the 1978 Presidential Records Act. On Tuesday McLaughlin called himself “a poster child for the typical mid-level official who tries to be conscientious [about maintaining federal records] but misses some things.” He suggested that agencies or lawmakers should create a standard method such as using screenshots for federal employees to transfer information from third party services such as text messages and Facebook posts to FOIA-able government email accounts. McLaughlin also suggested that during records management training, federal employees should be urged to put language in the signature lines of their personal email and social media accounts urging people to contact them via government email for official business. If employees are wary of their government accounts being spammed, they could use automated forms that forward information to those accounts but hide the addresses, he said. Many media companies use similar forms. House Oversight Chairman Darrell Issa, R-Calif., has been pressing for more accountability and traceability of federal workers’ emails since soon after he took over the chairmanship in 2011. Witnesses at Tuesday’s hearing were all Obama administration officials who had also failed to forward records from personal to government email accounts that were later discovered by FOIA requesters or congressional investigators. In most cases, the officials attributed the failure to poor oversight, long work hours and a deluge of email that sometimes blurs the lines between personal and professional. Republican committee members lashed out at former Environmental Protection Agency administrator Lisa Jackson over an email exchange with a friend who was also a registered lobbyist and had requested an official meeting with Jackson within the email chain. Jackson, who asked the friend to send future emails to a personal account, told lawmakers she believed the friend had completed her official business and that the remainder of the email chain would just be old friends chatting. Issa shot back that, by moving the conversation to a personal account, Jackson was effectively giving herself authority, rather than a FOIA officer, to decide where the line lay between a public official talking with a lobbyist and two friends catching up.
Wednesday, September 11, 2013
Obama officials can keep private e-mail accounts for federal business, Archives says By Lisa Rein, Updated: September 11, 2013 High-level administration officials and other federal employees can continue to conduct official business using secret government e-mail accounts, but the messages must be preserved electronically and turned over to the country’s record-keeping agency. Archivist of the United States David S. Ferriero told the House Oversight and Government Reform committee Tuesday that his agency, the National Archives and Records Administration, clarified the rules this week on the use of private e-mail accounts. They must be turned over to anyone seeking them under the Freedom of Information Act, Ferriero said. The accounts must be “managed, accessible and identifiable” under federal record-keeping rules. But the archivist told lawmakers that his agency “discourages the use of private e-mail accounts to conduct federal business.” “Where a private e-mail account must be used…the federal records generated through these private accounts must be moved to the official record-keeping system of the agency as soon as practicable, and then managed according to the Federal Records Act, the Freedom of Information Act and other legal requirements and their implementing regulations,” he said. The regulations were made official after the Associated Press reported in June that some Obama administration Cabinet officials have used alternative e-mail accounts in addition to government addresses to conduct official business.
Saturday, August 31, 2013
New email archiving method attempts to ease burden on agencies Friday - 8/30/2013, 10:34am EDT By Shefali Kapadia The National Archives and Records Administration is trying to make it easier for agencies to manage and archive the billions of emails generated by federal employees. The agency released a bulletin Thursday explaining its newly-developed approach to email management called "Capstone." The Capstone approach seeks to help federal agencies manage all of their email records electronically by Dec. 31, 2016. Capstone will help agencies satisfy requirements outlined by the Managing Government Records Directive, released in August of 2012. The directive aims to "develop a 21st-century framework for the management of government records." NARA's Capstone will specifically address Goal 1.2 of the directive: "By 2016, Federal agencies will manage both permanent and temporary email records in an accessible electronic format. By December 31, 2016, Federal agencies must manage all email records in an electronic format. Email records must be retained in an appropriate electronic system that supports records management and litigation requirements (which may include preservation-in¬-place models), including the capability to identify, retrieve, and retain the records for as long as they are needed. Beginning one year after issuance of this directive, each agency must report annually to OMB and NARA the status of its progress toward this goal." The Capstone approach is designed to "preserve permanently valuable email and provide a pathway to dispose of temporary email." The approach accomplishes this goal through use of an automated system, rather than relying on agencies to manually sort emails. The bulletin said these changes will be especially helpful as agencies move toward cloud-based solutions. NARA outlines several advantages of using the Capstone approach: • Cuts down reliance on print-and-file, click-and-file, drag-and-drop or other user-dependent policies • Optimizes access to records to respond more quickly and effectively to FOIA requests • Reduces the risk of unauthorized destruction of email records • Eases the burden of email management on the end user To adopt the Capstone approach, agencies need to identify email accounts that are most likely to contain records that should be preserved as permanent, according to NARA. These accounts may include department heads, agency leaders and armed forces officers. NARA will hold workshop sessions in September and October to introduce planning for Capstone implementation. NARA encourages agencies to adopt the Capstone approach, but it is not a requirement.
Friday, August 30, 2013
Records Managements: Slowly, Federal Agencies are Achieving Improved Records Handling By Dick Weisinger, on August 29th, 2013 NARA, the National Archives for managing federal records, now maintains more than 12 billion pages of physical records, 42 million photographs, and 500 terabytes of electronic records. The 40 main federal government agencies will be expected to manage 20.4 billion records by 2015 based on a survey by Meritalk conducted in late 2012. That report found that individually each federal agency spends about $34.4 million annually and currently manages an average of about 209 million records. Sue Trombley, managing director of consulting for Iron Mountain, said that “Federal record volumes will only continue to grow, driving up budgets and making it harder for agencies to manage information on their own. This growth and the added pressure from the Presidential Directive are combining to make records management very complicated and unsustainable. Most agencies know they need outside help and are looking for alternatives that include the development of a strategic plan, agency-wide collaboration and training, implementing technology solutions, and policy guidance and enforcement all aimed at regaining control for today and the future.” Federal agencies are also up against a mandate that requires them to transition from the management of physical to electronic records. By 2016, email records must be fully managed, and by 2019 electronic systems need to be fully managing permanent records. A recent internal report graded agencies in their attempts to move to electronic records. The report found that: Agencies are gradually improving. But while there is improvement, still only 20 percent of agencies are classified as low risk. 44 percent are moderate risk and 36 percent are high risk. Agencies have been more active in designing and developing new electronic management systems Agencies are taking electronic documents into account in making updates and revisions to their policies and records schedules High risk agencies include the National Geospatial Intelligence Agency, the Federal Bureau of Prisons, the U.S. Army Materiel Command and the National Endowment for the Humanities. Perfect scores were achieved by the U.S. Secret Service, the Government Accountability Office, the Bureau of Reclamation, and top-level operations at the State Department.
Saturday, March 30, 2013
What Does the Presidential Directive on Records Management Really Require?
What Does the Presidential Directive on Records Management Really Require?
March 26, 2013 By Michael L. Miller, director, RIM Consulting, Array Information Technology
The August 2012 Presidential Directive on Managing Government Records is a major achievement for the federal records management community -- and it is the cornerstone for the long-awaited transition to electronic recordkeeping by federal agencies. But what does it really mean?
As a former federal records officer and former Director of the Modern Records Program of the National Archives and Records Administration (NARA), I have taken a keen interest in the directive, of which a large number of articles, blogs and columns have appeared about its implications. And I would like to bring my perspective as a federal records manager to the discussion.
My underlying message is that agencies can meet the directive’s targets if they carefully scope their response to its requirements and their agency goals, following a seven-year plan and bringing people, policy and process into the solution mix to supplement technology.
Here are 12 ideas agencies can use to leverage staff rather than money on not only electronic recordkeeping goals, but also other goals that are largely restatements of existing requirements.
- Read the directive very carefully.
- Identify the problem(s) you are trying to solve.
- Determine what is a “good enough” records management solution.
- Take a holistic view.
- Take the long view.
- Assemble your forces.
- Break the problem into manageable chunks.
- Assess your records management staff.
- Assess your current policy and records schedules.
- Managing permanent electronic records – manual, automated or a mix.
- Managing email – not all records are created equal.
- Look for outside help.
The directive's wording has been crafted very carefully -- and that applies to what is both said and not said. Part 1, Goal 1, for example, states that agencies “should commit immediately to the transition to a digital government.” Target 1.1, however, only requires agencies to manage all permanent electronic records in electronic format to the extent possible by 2019. In many agencies, especially smaller ones, there may not be many permanent records, so consult your records schedules, then review the Code of Federal Regulations to understand how NARA understands “manage.” Your challenges may be smaller than you envisioned.
The directive defines goals and targets; it leaves the means open. Obviously you want to meet the targets, but I’m sure there are numerous agency-specific records and information problems that could be addressed also. Continuing the example above, you are only required to manage your permanent records electronically, but you may choose to manage all of your records electronically because there is a well-defined business case for doing so, such as minimizing the number of records on hand to simplify e-Discovery responses, or maximizing document retention to support knowledge management. Electronic recordkeeping can address either, but your implementations would be different depending on your business case, hence the need to identify the specific problem(s) you wish to solve.
Many federal records managers bristle at the thought of a “good enough” records management program – they want to have the best in the federal government. I would argue that they should focus on being the best for their agency – its mission, priorities and budget. That means being “good enough” to meet both internal and external requirements. For example, the records manager in a small agency may want a records management application, but given the limited number of permanent records, a more manual process might provide a “good enough” medium-term solution at lower cost.
From a holistic perspective, you need to understand four major elements of the ecosystem in which records and other information assets are managed:
- The records and other information assets your agency creates and maintains, their characteristics and requirements, the rewards and risks associated with their management, and available resources.
- The needs and expectations of business process owners and staff who create agency records; the records program that provides RIM policy and services; and the information architecture which provides context and support for the records management.
- Four agency components that can either facilitate records management or erect barriers: agency staff, agency culture, agency policies, and the existing and planned IT infrastructure.
- External forces framing “good enough” records management including the regulatory framework (including the directive), and the expectations of the community, agency suppliers (e.g., contractors), and customers (e.g., the regulated community).
Transitioning to electronic recordkeeping will require an assessment of all ecosystem elements so an appropriate path can be chosen.
The directive has very specific (and tight) timeframes, so use all of the time alloted. The email management target is the end of 2016 and the permanent records target is the end of 2019. Provided agencies start quickly, these targets allow time for project planning, evaluating the current situation, developing policy and training, budgeting to procure necessary technology, and gradually rolling out solutions.
Another reason for taking a longer view is that successful implementations of electronic recordkeeping are done in stages, often over several years.
Records management doesn’t succeed on its own -- it needs supporters, allies and champions.
- Supporters see the benefits from records management such as approved destruction of unneeded records and information products, or the ability to find needed records for audit or litigation.
- Allies are other information managers who pursue similar information management goals.
- Champions will represent the program at the senior level of the organization.
Your “forces” should be brought together participate in a Directive Response Team and serve as a steering council for the program and an advocacy group to promote its mission, products and budget requests.
The ecosystem review discussed above provides keys to understanding your records and how they can be managed successfully. Breaking the body of records into constituent parts allows agencies to apply appropriate management controls to important categories of records. Program staff are a necessary part of the process because they will only buy into an electronic recordkeeping solution if the records warrant the effort. The initial breakdown is by organization or function. And the easiest solution is to follow the approach used in your records retention schedules. Next identify major record groups – permanent records, records required by statute or regulation, records that document the agency’s statutory mission or are subject to audit or elicit public scrutiny, and so on. Then apply appropriate controls to each grouping.
A strong records manager is critical to meeting the directive’s goals. However, records managers currently vary greatly in experience, training and skill levels.
Records managers can fill one or more of these roles on the Directive Response Team:
- Explaining federal recordkeeping to the team.
- Translating NARA requirements into agency requirements.
- Assisting in crafting policy and procedural solutions for electronic records management.
- Assisting in crafting technology solutions.
- Serving as a leader and/or champion for the records management solutions selected to address the directive’s goals.
To achieve success, all of these roles must be filled. Currently not all records managers have the requisite, experience, training and skills to participate effectively in transitioning to electronic recordkeeping. Agencies must assess whether their current records staff has the qualifications needed to play their role(s) in addressing the goals laid out in the directive. If not, agencies will need to upgrade their staff via training, hiring or contracting.
The biggest challenges in implementing electronic recordkeeping have stemmed from poor policy foundations, not technology. Most of those who are not part of the records management community (and even some of those who are) think records management policy is set in stone. It isn’t. Federal records management principles remain, but what they mean and how to implement them effectively is often radically different today.
The easiest way to simplify the management of all records – but especially electronic ones – is to clearly identify the records “containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency.” That is what agencies are required to create and preserve. An agency’s definition of record may be understood more broadly than that, but in most cases, records not required for “adequate and proper documentation” can be disposed of relatively quickly.
Records schedules often contribute to the problem. Many records schedules do not identify the specific documents needed as part of the “adequate and proper documentation.” When employees are in doubt, they tend to keep everything. Records schedules should identify specific records or categories of records to be included or excluded from the file.
The bottom line? Rrecords management policy and guidance must be simple and clear.
When most of us think of managing electronic records we think of an entirely automated solution – an electronic records management application (ERMA) engineered to accomplish specific tasks.
An alternative (but more manual) process would be making a specific individual or individuals responsible for electronic filing. In many agencies that is already the case with important records –records that need to be safe from change or deletion, filed so they can be located and preserved so they can be transferred to NARA as required by federal recordkeeping regulations. The only records that need to be managed to meet the directive mandate are the ones identified as permanent.
An ERMA is one solution that may be appropriate for your organization, but it is not required, and for smaller agencies with more simple record-keeping and tighter budgets, it may be overkill. The challenge is finding an acceptable balance between manual intervention and automation. How much are your employees able and/or willing to do to manage their records? The more they can do, the less expensive and complex the automation component.
We all can define a record; it’s tougher to get agreement on whether a specific email or document fits the definition. The actual question is not whether an email is a record, but whether it is necessary for “adequate and proper documentation of agency activities.” If it is, it definitely needs to be made part of an electronic recordkeeping system. If not, I would argue that it is part of a working file (which I do consider record material) to be maintained separately from the “adequate and proper documentation” file with its own retention.
Directive Target 1.2 requires managing emails in an “appropriate system . . . for as long as they are needed.” This allows agencies considerable latitude in determining retentions for things like working files, and NARA is working on a “tiered” approach to managing email that should simplify maintenance. The guidance is due out late in 2013.
Agencies aren’t in this alone. NARA has worked hard to collect and make available products developed by federal agencies that can be adapted for use in other agencies, and under part II of the directive, the agency and its partners will provide additional guidance and tools to assist records managers in responding to the directive.
Even more useful in many cases are the personal contacts that agency records officer can make attending NARA-sponsored training and events such as BRIDG meetings. In the D.C., metro area, there is a wide range of activities where federal records managers discuss common issues. Many federal records mangers who have good solutions don’t have the time to publish their ideas, but are available at in-town professional meetings, or one of the many local training seminars, many of which are free to federal employees. These provide excellent opportunities for learning and information sharing. Agencies should encourage their records managers, especially the less-experienced ones, to attend these activities.
The transition to electronic recordkeeping will benefit everyone – agencies, the regulated community, citizens and the government as a whole. It will make government more transparent and effective. The real transition isn’t from paper to electronic. It requires a change in how people do their jobs – and that is always difficult.
You may use or reference this story with attribution and a link to
Saturday, January 5, 2013
Tuesday, January 1, 2013
Electronic Discovery & Records Management - Tip of the Month: Cloud Computing and Data Privacy 28 December 2012 Mayer Brown Newsletter Scenario A multinational company is negotiating an agreement with a cloud computing provider to maintain and hold all of the company’s electronically stored information and data. The general counsel of the multinational company is concerned about data privacy and data protection both in the United States and worldwide. What is Cloud Computing? Cloud computing is the use of computing resources, including both hardware and software, that are made available over the Internet by a subscription-based service provider. Because cloud computing is Internet-based, it offers several advantages over more traditional access to a company’s data and software. Cloud-based software and files can be accessed “on demand” from virtually any computer with an Internet connection. For example, when email is stored “in the cloud,” the contents of a user’s email folders may actually be stored in one or more easily accessed Internet-connected servers located around the world. Moreover, because a company that receives cloud computing services does not rely on its own servers, the amount of data that can be stored is unlimited. Finally, because cloud computing services typically are managed by a third-party provider, they have the potential to reduce a company’s IT costs by eliminating the need to acquire and maintain expensive hardware and software. For all of the above reasons, many businesses are seeking to take advantage of this still-evolving technology. Potential Risks: Data Privacy, Data Storage, and E-Discovery Data privacy is an issue of concern for companies, their IT professionals and legal departments, whether files stay on-site or are stored electronically with a cloud computing provider. For companies considering cloud computing options, it is particularly important to carefully evaluate the provider’s policies and procedures to ensure that they provide sufficient safeguards to protect confidential data. The company’s lawyers and IT professionals should develop an understanding of the technology so that they can make informed decisions about whether cloud computing provides the level of protection they require. One specific risk is that electronically stored information (ESI) may be co-mingled with the ESI of another company or of a separate but related corporate entity. Such situations can make it difficult to determine what entity has “possession, custody, or control” of the data and is under an obligation to preserve or produce the data. Moreover, if a cloud computing provider stores data in multiple servers around the world, ESI may be split up among jurisdictions with different data protection and transfer laws, making it difficult to keep track of how to access and retrieve data, and how to keep data private and secure. ESI stored with a cloud computing provider can also present challenges to the discovery process in litigation. For example, the U.S. Federal Rules of Civil Procedure allow a party to request discovery of ESI in the responding party’s “possession, custody, or control.” If a company has contracted with a cloud computing provider to maintain and hold its ESI, the company does not have direct control over, or possession of, the ESI. For purposes of discovery, however, the company still has a duty to preserve and produce that data, as long as it has the practical ability to do so. Tips for Managing Risks The use of cloud computing should not fundamentally change the way a company handles ESI. No matter where the ESI resides, a company is responsible for being aware of the information that it creates and for governing that information in accordance with applicable business and legal requirements. It is important that the company be familiar with and closely monitor how its information is stored, retrieved, retained and disposed of by its cloud provider. A company should also develop effective procedures for auditing such activities by its cloud provider. At a minimum, the company should make sure it is capturing sufficient data when information is created (including what the information is, who created it, and for what purpose) to properly govern it. Before signing a service contract with a cloud computing provider, a company should be sure that the contract contains provisions protecting the company’s interests and its need to comply with data privacy requirements. Consider the following items when negotiating a service contract: Access: The company should have the right to access all ESI “on demand” and in a specified format that is easy to use. Control: The company should have the ability to reasonably direct actions of the provider to preserve and produce ESI. Cooperation: The provider should be willing to comply with the company’s directions regarding its ESI and to comply with any and all legal holds. Speed: The provider should agree to cease any data destruction in a timely manner and to produce data with sufficient speed to meet the company’s obligations. Metadata: The company should inquire as to the form or format in which data will be stored and returned for production during litigation, including whether metadata will be intact. Costs: Beyond the subscription price for the service, the contract should address the costs of potential production, as well as potential indemnification policies and attorneys’ fees should the cloud provider’s failure to comply with the contract terms result in liability for the company. Transparency: The contract should address confidentiality, data integrity and availability issues, including whether data will be commingled with the data of other cloud customers. Jurisdiction: The company should discuss with the provider where the data will be maintained and should consider whether production of the data might require compliance with data transfer laws or international privacy laws. Ownership: The contract should clearly state that the company owns the data. Security: The company should inquire about the security measures that the provider has in place to protect data privacy and attorney-client privilege and whether the company will be informed in the event of a security breach. Policies: The company should determine whether the provider’s policies and procedures could impede the company’s obligations to preserve, collect and produce ESI during litigation. Disaster Recovery: The company should have contingency plans in the event the provider was to suffer a server crash or other data loss or go bankrupt or out of business. The contract should stipulate that its provisions will remain in force if the provider is acquired by another company. The best way to manage the data privacy and security risks associated with cloud computing is to gain a comprehensive understanding of how the company plans to use cloud computing and to establish procedures and contract terms with the cloud computing provider that meet the company’s data security and privacy needs.