05 January 2017

Seven Risks in the Beneficent Cloud

Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th annual educational conference on electronic records management, in Chicago, May 8-10.

User beware: amid the security and budgetary advantages of the Cloud, risks lurk, ready to sabotage the unprepared or unsuspecting.  Make sure you are not caught unaware.

Records Management in the Cloud cries for Information Governance (IG).  It requires input, energy, and synergy from the organization’s Records, technology, and Legal groups.  Each has necessary skills, perspectives and insights beyond the scope of any one of these disciplines.

Theoretically, you can manage information in the Cloud with the same care and quality of locally stored records.  But there are complications that may not appear with local storage.  Addressing those requires teamwork from those three major constituents of IG.  Cloud-based storage is an important option, so it’s worth considering the safety, integrity, availability, and other critical aspects of your information stored there. 
Here’s the plus side: Cloud providers generally secure information better than local IT departments can.  Disaster recovery/business continuity should be better as well.
Also, economic advantages come from “elasticity”, that is, you only buy what you need.  If the need for online storage varies by the season or by the year, you can pay for Cloud storage when you need it, and conversely, you pay less when your needs diminish.  Contrast that with storage inside the firewall: you buy enough to cover your maximum use, but you still have paid for that maximum capacity even when your need is less.  If I were a seasonal retailer, doing most of my business during three months of the year, there is no way I would want to have that much capacity sitting idle inside the firewall for the other nine months.

But there are dangers.  These include:
1.       Discovery in a legal matter: Can legal holds be applied to Cloud-stored information, or does it have to be retrieved before it can be held for legal purposes?  When needed for litigation, can the servers and networks quickly deliver large quantities of data?
2.       Compliance:  Owners and custodians of information are responsible for complying with applicable laws and regulations.  When information that proves compliance is in the Cloud, is it accessible quickly and accurately?  Can the organization that owns the information (and is legally liable) easily audit the Cloud provider for compliance with laws and regulations? 
3.       Control:  Cloud providers may treat most or all information the same, but this is a problem if some records have geographical restrictions.  The Cloud user must know where the provider’s servers and pipelines are.  For example, Europe’s Safe Harbor provisions place limits on where information can be stored or transported. 
4.       Information disposal:  At the end of the information lifecycle, do Cloud users have to retrieve their records for subsequent disposal, or can the vendor provide reliable disposal?  And when the user retrieves information, is it really removed from the Cloud servers or simply deleted and/or overwritten?  When the Cloud provider disposes information, are the data and metadata truly irretrievable, or do vestiges remain, waiting to be subpoenaed and discovered?
5.       Long-term viability: For information with a retention period of over five years, backward compatibility of hardware and software can be an issue.  In the long run, will neglected updates make information files obsolete?  Does pixel-loss threaten to corrupt the files, or are the files protected?
6.       Longevity: Cloud vendors start with the best of intentions, but what happens when there are mergers, acquisitions, and divestitures?  What happens if a Cloud provider goes bankrupt, changes its business model, or gets out of the Cloud business entirely?  What then happens to the stored information?
7.       Derelict records:  Does your records management ensure that your organization does not keep paying for storage of outdated records?  Does the provider deliver the inventory and upcoming destruction dates monthly?

Again, the best answer to these dangers is a good coalition of information governors.  Records managers need savvy contract attorneys to write clauses clearly delineating a cloud provider’s responsibilities and restrictions, while mandating audits for compliance.  

Similarly, IT specialists need to ensure that the cloud provider’s technology is appropriate and adequate; that there is a forward migration path; that information is secure (internally and externally) and protected against disaster; and that accessibility will not be compromised under any circumstances.

Finally the attorneys and IT experts need Records Managers to apply the Generally Accepted Recordkeeping Principles to the whole endeavor.
Success with Cloud information management requires the cooperation, coordination, and investment of all the information governors.  Disciplines, such as Accounting and Quality Assurance, are welcome contributors.  Ignorance of this synergy leads to multiple risks.  But for those who apply Information Governance to the Cloud, success is enhanced.

The strategies and tactics to accomplish this success are many, and no two situations are identical.  Fortunately, there are helpful resources available.  One of the best is the MER Conference that meets in Chicago every May, where records managers, lawyers, techies, and others put their heads together.  The sessions, the connections, and the conviviality all help focus solutions to individual needs. You can watch streaming sessions later in the year, but nothing can replace being there with the many people who inform our choices.  MER is one of my top resources for information, networking, and inspiration, and I look forward to seeing you there.
n  -- 30

02 June 2016

MER Shows IG Advances

The 24th annual MER Conference ended May 25 amid solid growth and optimism.  That refers to both the attendees and the conference itself.  This was a roll-up-your-sleeves-and-get-to-work edition of MER.  There was a notable lack of identity-angst, replaced by a prevailing attitude of, “We know why we’re here,”, “We know what needs to be done,” and, “We want to learn the tools, strategies, and tactics that are going to get us where we need to go.”

No one asked, “What is Information Governance?” (IG).  No one described it as a buzz word that would fade.  With minor variations, the presenters and attendees addressed IG as a strategy of cooperation: the search for synergy amongst an organization’s stakeholders in information.  The quest was for a common vision, collaboration, and resource sharing that casts out redundancy.

This was a welcome departure from trade shows where software vendors commercialize IG and define it to mean their product.  At a recent expo on legal technology, I saw a plethora of signage trumpeting IG.  Closer inspection yielded little more than tools for eDiscovery, predictive coding, and technology-assisted review.

This new found confidence and identity is significant for MER, which started as Managing Electronic Records when business records were first being digitized in large numbers.  Now, according to several of this year’s presenters, electronic records management is a tactic under the strategic umbrella of IG.  Of course, both are essential to organizational success.  While technologists and legal people were in ample attendance, the majority of registrants came from records management.  It may be true (as was often said) that records officers are uniquely qualified to spearhead IG initiatives in their organizations.  

The conference itself appears healthier than ever.  Attendance was at or near capacity, and relaxed vendors filled every available spot.  I spoke with several of the latter, who expressed high satisfaction with their involvement.  One told me, “If I could only do one show a year, it would be MER.”

I have to note the unusual nature of the vendors:  In contrast to major expos, there were no bullhorns, contests, models, or magicians.  The people staffing the tables (no booths!) were knowledgeable.  They were not pushy, and there was none of that all-too-familiar desperation to succeed.  How helpful, and how refreshing!

The plenary sessions carried forth the roll-up-your-sleeves theme.  The breakout sessions, covering a spectrum of subjects, ranged from good to superb.  I am eager for the forthcoming recordings of the sessions that ran concurrent with my top choices.  [Thoughts on session content will be in future Blog posts.]

Arguably, the highest value of MER comes from the networking.  About half the attendees were first-timers, so there was plenty of new perspective.  That expanded my horizons.  There were also the voices of experience, those seminal thinkers who provide effective answers to vexing questions.
Over the years, MER’s quality has ranged from helpful to inspiring.  I would characterize this year’s edition as progressively solid, leaving me eager for next year’s edition.