Allison Stanton, Director of E-Discovery, FOIA, and Records U.S. … · 2014-04-09 · other if the...


Allison Stanton, Director of E-Discovery, FOIA, and Records

U.S. Department of Justice, Civil Division


Disclaimer

The views expressed in this presentation are solely those of the panel members and do not necessarily reflect those of the U.S. Department of Justice.


Overview

• E-Discovery Challenges in the Cloud
• Advantages of the Cloud
• Minimizing Litigation Risk and Cost
• Cloud E-Discovery IT Issues
• Practical Suggestions


What is Cloud Computing?

NIST Definition

“Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.”

Laymen's Definition
• Cloud is essentially utility computing
• Automated services (no humans needed for change in services)
• Services are consumed as used (“pay per drink”)
• Enabled via the internet (accessible anywhere)
• Elasticity in amount of services consumed (rapid provisioning and de-provisioning)
• Transition from capital expenses to operating expense


Cloud: 25 Point Plan to Reform IT

“Cloud First” Policy
• Point 3 of the White House’s 25 Point Plan to Reform Federal IT
• Requires agencies to evaluate safe, secure cloud options before making any new investments.
• This means agencies should evaluate their technology sourcing plans to include cloud solutions as part of the budget process.

Three Cloud Projects by June 9, 2012
• “Cloud First” mandates agencies move three projects to the cloud
• At least 1 project had to move to the cloud by December 9, 2011;
• 2 additional must move by June 9, 2012.


Why do the lawyers do what they do and ask what they ask?


Backdrop: Civil Litigation

• Parties can request hardcopy documents or electronically stored information (ESI) from each other if the information is relevant to the litigation
• This “discovery” process is permitted under court rules and case law
• Electronic discovery (e-discovery) is the process of locating, preserving, collecting, processing, reviewing and producing ESI in the context of civil litigation or investigation


What the lawyers are trying to avoid

• In Re Fannie Mae Securities, 553 F.3d 814 (D.C. Cir. 2009)
  ◦ Agency held in contempt for failing to meet discovery deadline
  ◦ Agency spent $6 million (9% of total budget) on discovery


What is E-Discovery?

• The identification, preservation, collection, review, production, and presentation of
  ◦ (1) documents and data found originally in electronic form and/or
  ◦ (2) documents found originally in hard copy but converted to electronic form


Cloud and E-Discovery


Cloud E-Discovery Challenges

• Data volume in the cloud may be overwhelming
  ◦ 1TB of data can cost <$100 to store but >$1 million in litigation costs
• Cloud type impacts strategy
  ◦ Commingling of data (private vs. public cloud)
• Actual data location complicates E-Discovery efforts
  ◦ Collection from multiple sources
  ◦ Outsourcing by the cloud provider
  ◦ Transfer of data issues (i.e. cross-borders)


Cloud E-Discovery Challenges

• Further challenges
  ◦ Implementing litigation holds
  ◦ Incurring the cost of identifying relevant data
  ◦ Determining the collection method for relevant data
  ◦ Accessing the data
  ◦ Locating the original custodian of the data
  ◦ Production of data


Advantages of E-Discovery in the Cloud

• Centralized litigation hold capabilities
• Streamline search and production
• Technology upgrades and access
• Efficiency of process
• Decreased response time


Minimizing Litigation Risks & Costs

• Proactive (pre-litigation) steps
  ◦ Evaluate
    ▪ Type of cloud needed (e.g. private vs. public)
    ▪ Type of data to be stored or service needed
    ▪ Security and Privacy considerations
  ◦ Cloud provider contract language
    ▪ Use the White Paper: “Cloud Computing and the Federal Government: Effectively Acquiring IT as a Service”
    ▪ Include mechanism to ensure compliance (e.g. audit rights, certifications)
    ▪ Address subcontracting of cloud services
    ▪ For example, who is providing E-Discovery tools and support


Minimizing Litigation Risks & Costs

• Proactive (pre-litigation) steps
  ◦ Document Retention Policy
  ◦ Data volume control
  ◦ Whose policy rules
  ◦ True data destruction
  ◦ Jurisdictional concerns
  ◦ Cross-borders issues
• Records considerations


Minimizing Litigation Risks & Costs

Legal and IT dialogue on cloud service selection is crucial.
• Legal will have to defend use
• IT will have to implement and support
• Understand the end-to-end costs of storage, access, and litigation


Minimizing Litigation Risks & Costs

• Reactive (once litigation exists) steps
  ◦ Identify relevant data in the cloud
  ◦ Act quickly to preserve data
  ◦ Work with IT & specialists to understand burdens


Minimizing Litigation Risks & Costs

• Reactive (once litigation exists) steps
  ◦ Negotiate and limit cloud data discovery early in litigation
  ◦ Educate court, opposing party, litigators, etc. about cloud and related burdens
  ◦ Ensure data security when collecting from cloud
  ◦ Understand how the cloud services are managed and executed
    ▪ Who are the “key-holders?”
  ◦ Ask for help from IT and Legal


Cloud E-Discovery IT Issues

• How will I manage content in the cloud?
  ◦ Cloud vendors offer two options
    ▪ Use cloud vendor's product
    ▪ Send a copy to an archive


Cloud E-Discovery IT Issues

• Manage content
  ◦ Business Functions
    ▪ E-Discovery
    ▪ FOIA/Sunshine laws
    ▪ Electronic Records Management
    ▪ Privacy
    ▪ Etc.
  ◦ IT Functions
    ▪ Preserve – Dispose
    ▪ Find
    ▪ Produce


Cloud E-Discovery IT Issues

• Challenges with archival
  ◦ Data is dynamic, therefore, metadata is dynamic
  ◦ Encrypted data
  ◦ Data transmission and synchronization
  ◦ Management of “legacy” data and equipment


Cloud E-Discovery IT Issues

• Challenges with archival
  ◦ Why email first
    ▪ Many agencies have targeted email as primary cloud implementation
    ▪ Email is most challenging content type
    ▪ Most E-Discovery cases involve email


Email – Lessons from a federal agency

• Prior state
  ◦ over a dozen email systems, no archive capability, no cross-search capability, no on-demand preservation capability
  ◦ Retrieval of email took weeks
  ◦ Security issues with multiple systems
• Solution -- Cloud-based system with separate email repository to journal all email for all users (120,000+) and a preservation, search, and retrieval component


Email – Lessons from a federal agency

Issues –
• Keys to the kingdom – who has access and who manages the preservation and search function?
• Retention period -- longer the period > costs, shorter less likely to capture known unknown triggers
• Training – combining preservation and collection steps into one
• Chain of custody
• Need to have a protocol for requests and access
• Processing platform – build on it or handle separately
• Legacy email – what to do with it and keeping track of it?
• User control to download and save email – defeats purpose of not having to search all machines
• Processing -- build platform on top or simply export to process separately?


Cloud Procurement White Paper

Overview
• Top 10 areas Federal agencies need to address when procuring cloud
• Gives description of issues along with ways to address issues within contracts
• Provides tactical guidance through a questionnaire checklist


Partnership of IT, Acquisition, Legal

“Today, the CIO Council, CAO Council, and Federal Cloud Compliance Committee released: Creating Effective Cloud Computing Contracts for the Federal Government: Best Practices for Acquiring IT as a Service.

This guide enables Federal agencies to make smarter, more informed cloud purchasing decisions by utilizing lessons learned and best practices of early adopters – moving us to a more efficient and more effective government.”

Steven VanRoekel
U.S. Chief Information Officer, OMB
February 24, 2012


Development of White Paper

Two-Tier Approach to Creating Guidance.

Existing Cloud Contracts
• Develop lessons learned from early adopters
• Informal data call through OMB to collect ~15 existing Federal cloud contracts
• Review of contracts to see variance of contract terms, establish baseline and identify themes
• Interview project managers and contracting officers of each contract:
  ◦ What worked
  ◦ What doesn’t work
  ◦ How various issues were addressed

FC3 Guidance
• Guidance Developed by Federal Cloud Compliance Committee (FC3)
• Informal interagency group comprised of Federal Attorneys, procurement officials, and cloud SMEs.
• Mission: create tactical guidance to proactively assist agencies when contracting cloud
• Created four working groups:
  ◦ Security
  ◦ Privacy
  ◦ E-Discovery
  ◦ Records Management/FOIA


Cloud Computing and the Federal Government: Effectively Acquiring IT as a Service

Goals of White Paper
• Merge the “Cloud First” mandate and the visionary “Cloud Computing Strategy”
• The next step in government’s move to cloud with specific guidance in effectively buying cloud services
• Provide guidance to agencies in developing requirements for a cloud computing contract.
• Highlight top ten areas for Federal agencies to address in cloud contracts
• Help shape the way that cloud computing services are purchased and consumed
• Establish common practices for the Federal government to take advantage of its position as the largest purchaser of IT


Top 10 Focus Areas

1) Selecting a Cloud Service
2) CSP and End-User Agreements
3) Service Level Agreements (SLAs)
4) CSP, Agency, and Integrator Roles and Responsibilities
5) Standards
6) Security
7) Privacy
8) E-Discovery
9) Freedom of Information Act (FOIA)
10) E-Records


Selecting a Cloud, End User Agreements

ONE – Selecting a Cloud Service
• Agencies must choose the appropriate cloud to meet their needs
• Determine the appropriate service model to meet user needs
• Determine the appropriate deployment model that meets data protection needs

TWO – CSP & End-User Agreements
• Terms of Service Agreements (TOS) need to be negotiated
• TOS must be compliant with Federal laws and statutes
• Need to ensure NDA enforceability
• End User Agreements need to be integrated fully into cloud contracts


SLAs and CSP, Agency, Integrator Rs & Rs

THREE – Service Level Agreements
• SLAs should clearly define CSP performance standards
• Need clear terms and definitions
• Need to determine how CSP performance will be measured
• Needs to establish enforcement mechanisms for SLA compliance

FOUR – CSP, Agency, & Integrator Roles and Responsibilities
• Establishes a contract with (at least) three parties
• Determine integrator role with CSP
• Need to clearly define the roles and responsibilities of all actors to ensure effectiveness of the cloud contract


Standards and Security

FIVE – Standards
• Agencies should ensure CSPs align with government standards
• Map services to NIST Reference Architecture
• Ensure government participation in standards creation
• Compliance with Internet Protocol version 6

SIX – Security
• FedRAMP Compliance
• Clearly defined requirements
• Continuous monitoring activities
• Incident response to attacks and vulnerabilities
• Key escrow/encryption
• Forensic capabilities
• Multi-factor authentication with HSPD-12
• Audit capabilities


Privacy and E-Discovery

SEVEN – Privacy
• Ensure compliance with the Privacy Act of 1974 and PII requirements
• Privacy Impact Assessments
• Adequate privacy training
• Clearly defined data location requirements
• How to respond to a breach where privacy data was compromised

EIGHT – E-Discovery
• Provide information management in the cloud
• Ability to locate relevant documents
• Ability to preserve data in a cloud environment
• Moving documents through the e-discovery process
• Cost avoidance by inclusion of tools with CSP solution


FOIA and Federal Recordkeeping

NINE – FOIA Access
• Ability to conduct a reasonable search to meet Freedom of Information Act (FOIA) obligations
• Ensure the processing of information is pursuant to FOIA requirements
• Allow for the tracking and reporting of information pursuant to FOIA

TEN – Federal Recordkeeping
• Agencies should have proactive records planning before using a cloud service
• Ensure the ability to have timely and actual destruction of records in accordance with mandated records schedules
• How to deal with permanent records
• Process for transitioning to a new CSP


Appendix A: Questionnaire

Overview
• Translates the paper to tactical questions to ask when reviewing or creating a cloud contract
• Maps to the ten areas of focus within the paper
• Tactical approach for Agencies to use


White Paper: Key Takeaway

All necessary stakeholders should be included when creating cloud computing contracts.
• OCIO
• OGC
• Privacy
• Records
• E-Discovery
• FOIA
• Acquisition staff

This will enable Federal agencies to more effectively procure and manage IT as a service


Cloud Resources

• White Paper
  ◦ https://cio.gov/cloud-computing-update-best-practices-for-acquiring-it-as-a-service/
• CIO Council
  ◦ www.cio.gov
• Federal Cloud Computing Initiative
  ◦ www.info.apps.gov
• FedRAMP
  ◦ www.FedRAMP.gov
• NIST
  ◦ http://www.nist.gov/itl/cloud
• NARA
  ◦ http://www.archives.gov/records-mgmt/bulletins/2010/2010-05.html


Questions?

• Allison Stanton, Director of E-Discovery
  U.S. Department of Justice, Civil Division
  ([email protected])
