Today’s Blog is sponsored by MER 2017, Cohasset Associates’ 25th
annual educational conference on electronic records management, in Chicago, May
8-10.
User beware: amid the security and
budgetary advantages of the Cloud, risks lurk, ready to sabotage the unprepared
or unsuspecting. Make sure you are not
caught unaware.
Records Management in the Cloud
cries for Information Governance (IG).
It requires input, energy, and synergy from the organization’s Records,
technology, and Legal groups. Each has
necessary skills, perspectives and insights beyond the scope of any one of
these disciplines.
Theoretically, you can manage
information in the Cloud with the same care and quality of locally stored
records. But there are complications
that may not appear with local storage.
Addressing those requires teamwork from those three major constituents
of IG. Cloud-based storage is an
important option, so it’s worth considering the safety, integrity, availability,
and other critical aspects of your information stored there.
Here’s the plus side: Cloud providers
generally secure information better than local IT departments can. Disaster recovery/business continuity should
be better as well.
Also, economic advantages come
from “elasticity”, that is, you only buy what you need. If the need for online storage varies by the
season or by the year, you can pay for Cloud storage when you need it, and
conversely, you pay less when your needs diminish. Contrast that with storage inside the
firewall: you buy enough to cover your maximum use, but you still have paid for
that maximum capacity even when your need is less. If I were a seasonal retailer, doing most of
my business during three months of the year, there is no way I would want to
have that much capacity sitting idle inside the firewall for the other nine
months.
But there are dangers. These include:
1. Discovery in a legal matter: Can legal holds be
applied to Cloud-stored information, or does it have to be retrieved before it
can be held for legal purposes? When
needed for litigation, can the servers and networks quickly deliver large
quantities of data?
2. Compliance: Owners and custodians of information are responsible for complying with
applicable laws and regulations. When
information that proves compliance is in the Cloud, is it accessible quickly and
accurately? Can the organization that
owns the information (and is legally liable) easily audit the Cloud provider
for compliance with laws and regulations?
3. Control: Cloud providers may treat most or all information the same, but this is
a problem if some records have geographical restrictions. The Cloud user must know where the provider’s
servers and pipelines are. For example, Europe’s
Safe Harbor provisions place limits on where information can be stored or transported.
4. Information disposal: At the end of the information lifecycle, do
Cloud users have to retrieve their records for subsequent disposal, or can the
vendor provide reliable disposal? And
when the user retrieves information, is it really removed from the Cloud
servers or simply deleted and/or overwritten?
When the Cloud provider disposes of information, are the data and metadata
truly irretrievable, or do vestiges remain, waiting to be subpoenaed and
discovered?
5. Long-term viability: For information with a
retention period of over five years, backward compatibility of hardware and
software can be an issue. In the long
run, will neglected updates make information files obsolete? Does pixel-loss threaten to corrupt the files,
or are the files protected?
6. Longevity: Cloud vendors start with the best of
intentions, but what happens when there are mergers, acquisitions, and
divestitures? What happens if a Cloud
provider goes bankrupt, changes its business model, or gets out of the Cloud
business entirely? What then happens to
the stored information?
7. Derelict records: Does your records management ensure that your
organization does not keep paying for storage of outdated records? Does the provider deliver the inventory and upcoming
destruction dates monthly?
Again, the best answer to these
dangers is a good coalition of information governors. Records managers need savvy contract attorneys
to write clauses clearly delineating a cloud provider’s responsibilities and
restrictions, while mandating audits for compliance.
Similarly, IT specialists need to
ensure that the cloud provider’s technology is appropriate and adequate; that
there is a forward migration path; that information is secure (internally and
externally) and protected against disaster; and that accessibility will not be
compromised under any circumstances.
Finally, the attorneys and IT
experts need Records Managers to apply the Generally Accepted Recordkeeping
Principles to the whole endeavor.
Success with Cloud information
management requires the cooperation, coordination, and investment of all the
information governors. Other disciplines, such
as Accounting and Quality Assurance, are welcome contributors. Ignorance of this synergy leads to multiple
risks. But for those who apply
Information Governance to the Cloud, success is enhanced.
The strategies and tactics to
accomplish this success are many, and no two situations are identical. Fortunately, there are helpful resources
available. One of the best is the MER
Conference that meets in Chicago every May, where records managers, lawyers, techies,
and others put their heads together. The
sessions, the connections, and the conviviality all help focus solutions to
individual needs. You can watch streaming sessions later in the year, but nothing
can replace being there with the many people who inform our choices. MER is one of my top resources for
information, networking, and inspiration, and I look forward to seeing you there.