E-discovery - social media & cloud-dec2011

Maintaining, Preserving & Disposing of Data on Social Media & Cloud Computing Platforms Catherine Teti Managing Director, Knowledge Services Chief Agency Privacy Officer US Government Accountability Office December 1, 2011


Maintaining, Preserving & Disposing of Data on Social Media & Cloud Computing Platforms

Catherine Teti
Managing Director, Knowledge Services
Chief Agency Privacy Officer
US Government Accountability Office

December 1, 2011


December 1, 2011 Data Management Challenges – Social Media & Cloud Page 2

Presentation Overview

• Challenges, issues and requirements that agencies need to be mindful of/address when moving into the cloud or using social media.
• Value Proposition
• Risks and Requirements
• Governance – effective information management and oversight
• GAO’s Experience
• Additional References


Value Proposition

• What . . .
  • Problem will be solved?
  • Service enhanced?
  • Operational or resource efficiencies realized?
• Understand your audience/customer base
• Multiple points of information dissemination (e.g., reposting information to agency web sites)
• OMB “Guidance for Agency Use of Third-Party Websites and Applications”, M-10-23, June 25, 2010
• Provide alternatives to 3d party websites/applications (i.e., public shouldn’t have to join a social media site to access agency information or services)


Risks and Requirements - Records

• Is a record required?
  • See Value proposition (why are you doing this in the 1st place?)
  • Evidence of agency policy, decisions, mission
  • Original or repurposed content (is it already captured elsewhere?)
  • Caution: Content vs. medium


Risks and Requirements – Capture/Retain

• Capture and retention
  • Preserving data that isn’t “owned” or controlled by your agency - Do you (or should you) care?
  • What if – the cloud vendor goes out of business, the agency changes contractors, you decide to stop using Facebook?
• Disposing of or destroying data at the end of its retention period (inclusion in terms of service)
  • Does it matter if you can’t dispose of it – i.e., potential lack of control


Risks and Requirements – Security/Privacy

• Security
  • Potential for hacking or attacking systems and/or data
• Privacy – Potential for inappropriate use of personal data
  • What is captured (essential only)?
  • Why? How is it used?
  • How is it secured?
  • User notification – collection and use
  • See also OMB M-10-23 requirements for
    • Privacy impact assessments
    • Agency privacy notices


Federal Agency Information Management Requirements

• The Paperwork Reduction Act – information collection and responsibilities for the management of information resources
• The Privacy Act - use of personal information by federal agencies
• FISMA, the Federal Information Security Management Act - requirements for protecting agency information and systems from misuse
• FOIA - public access to agency records
• The Federal Records Act - requires agencies to manage records needed for their operations and have processes to properly dispose of or save (historically significant) records
• NARA Bulletin 2011-02 - Guidance on Managing Records in Web 2.0/Social Media Platforms


E-Discovery Requirements

• Formalized in the amended Federal Rules of Civil Procedure in 2006.

• All Electronically Stored Information (ESI) stipulated in a subpoena must be preserved as part of a legal hold.

• Organizations must be able to preserve and produce all ESI relevant to a discovery order.

• Organizations’ inability to search for and locate relevant information is causing significant risk.

• Costs for e-discovery are continuing to skyrocket for organizations without proper information management.


Governance – The Key to Effective Information Management and Oversight

• Different information – and mission - disciplines working together for an integrated approach:
  • Records Management
  • Information Security
  • Information Technology
  • Legal
  • Privacy
  • Business owner(s)
• Realigning and re-engineering stove-piped management processes to create integrated and coordinated approaches to managing information across the information life cycle
• Oversight – capture/custodianship
• Guidance – Who speaks for the agency


GAO’s Key Requirements for Effective IM

• Business Purpose
  • Align management with GAO business processes to meet mission objectives
• Organizational Commitment
  • Ensure executive sponsorship and stakeholder buy-in
• Governance
  • Clearly define policy and requirements
  • Recognize constraints and limitations
  • Strive for user engagement and senior executive sponsorship
  • Information governance alliance among IT, records, legal, information security, privacy, public affairs, business owners
• Oversight
  • Performance measures and accountability


GAO’s (Adaptive) Use of Social Media Tools

• Information Dissemination
  • Twitter (RSS feeds)
  • YouTube
  • Podcasts
  • Facebook
  • Flickr
• Information Sharing
  • Wiki (internal)
• All records are managed according to GAO IM policies


An Effective IM Program

• An effective IM program allows GAO to:
  • Retrieve: Easily retrieve relevant information in a timely fashion
  • Access: Provide access to information to the right people when it is needed
  • Audit: Able to identify anomalies and ensure compliance with all applicable rules and regulations (FRA, FISMA, etc.)
  • Dispose: Ability to dispose of information in the normal course of business when it is no longer needed in accordance with GAO’s retention and disposition policy


GAO’s Disposition Strategy

• GAO’s records disposition schedule applies to records regardless of format or media.

• Disposition strategy is comprehensive for all records types (paper, electronic, data sets, and other “stuff”) so it is applied uniformly across all media and formats.

• Ensures that GAO complies with all requirements, mitigates risk and exposure, saves storage space, is cost-effective, and allows for easier search and retrieval of remaining records.


GAO Reports on Information Management and Social Media

• GAO-11-605: Social Media: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate
• GAO-10-838T: Information Management: The Challenges of Managing Electronic Records
• GAO-11-15: NARA: Oversight and Management Improvements Initiated, but More Action Needed
• GAO-08-536: Privacy: Alternatives Exist for Enhancing Protection of Personally Identifiable Information
• GAO-10-537T: Freedom of Information Act: Requirements and Implementation Continue to Evolve


Additional References

• OMB Memorandum M-10-23, Guidance for Agency Use of Third-Party Websites and Applications

• Best Practices Study of Social Media Records Policies, ACT/IAC Collaboration and Transformation (C&T) Shared Interest Group (SIG), March 2011 ( www.actgov.org/SocialMediaRecords )

• NARA Bulletin 2011-02, Guidance on Managing Records in Web 2.0/Social Media Platforms, October 20, 2010


Questions?

Catherine Teti
Managing Director, Knowledge Services,
Chief Agency Privacy Officer
US Government Accountability Office (GAO)

[email protected]


GAO on the Web
Web site: http://www.gao.gov/

Contact
Chuck Young, Managing Director, Public Affairs, [email protected]
(202) 512-4800, U.S. Government Accountability Office
441 G Street NW, Room 7149, Washington, D.C. 20548

Copyright
This is a work of the U.S. government and is not subject to copyright protection in the United States. The published product may be reproduced and distributed in its entirety without further permission from GAO. However, because this work may contain copyrighted images or other material, permission from the copyright holder may be necessary if you wish to reproduce this material separately.