John Montana

I'm a lawyer specializing in information governance.

09/26/2016

Montaña & Associates is pleased to announce that we're partnering with RecordPoint. Stop by ARMA, booth 638. http://story.cd/AAFXXM

06/30/2016

Brexit and its effect on Information Governance

There’s a hoary old saying that you learn in law school: "the law is a seamless web". What's meant by this is that, although you study law as a series of discrete, siloed topics, it's all really one big thing, and all interrelated.
Brexit and IG in the Headlines
Great Britain's decision to depart from the EU is illustrative of this. At first glance, it wouldn’t seem to have a whole lot to do with information governance, but even a cursory closer look reveals that quite the opposite is true. Just consider a few of the front-page topics that are of concern, without even getting into technical details:
• The EU is a free movement zone where EU citizens can live and work in any member state they choose, much like the US. When Great Britain leaves the EU, that will no longer be true in Britain for the many non-British EU citizens who now reside there. Presumably, all of those folks will need to apply for residency cards and work permits and all the other things you have to do when you go to a different country and want to live and work there. And of course, the many British expats who now live in other EU countries will be faced with the same sort of thing. Assuming that all of these people manage to get their residency and work permits – and maybe some won't, which is another post – employers will be faced with managing new records that previously they did not have, dealing with whatever paperwork is needed to help their employees obtain these newly required permissions, undergoing employment audits, and carrying all of the rest of the burden that comes with having foreign employees.
• In like manner, businesses have been relatively free to locate where they choose within the EU. Again, no more. But, a great many businesses from other EU countries already have very significant operations in Great Britain, and likewise, many British companies have very significant operations in other EU countries. The legal status of those operations must now be sorted out, at what will no doubt be great expense, and generating a great many records as part of the process. And of course, on an ongoing basis, there will now be registration requirements and reporting requirements and all of the other things that come with conducting an ongoing business any foreign jurisdiction.
• Travel between Great Britain and the EU may become more complex as well. Great Britain is not part of the Schengen Area, so it already runs passport checks at its borders, but EU free movement rules mean that British and EU citizens can currently travel between the two without visas. Once Britain leaves, that guarantee goes away. Travelers between Great Britain and EU countries may have to obtain visas, satisfy entry requirements and all the rest of it, and all of that will generate lots of new records for someone.
Beyond the Headlines
The above was merely the headline-grabbing set of issues. On a technical level, things are complicated in many other areas as well. Consider:
Privacy – Privacy law in the EU originates in EU directives and regulations that are ultimately translated into national law. Even assuming – and it may or may not be a good assumption – that Great Britain keeps its current privacy regime on the books, it will no longer be subject to future directives emanating from the EU, and so inevitably, privacy law in Great Britain will diverge from that in the EU.
The issues arising from this could be quite considerable. Consider that, under the EU data protection regime, including the newly adopted General Data Protection Regulation, personal data may flow freely only to countries that the European Commission has formally found to provide an adequate level of protection; transfers to any other country are prohibited unless they rest on some other approved safeguard, such as standard contractual clauses or binding corporate rules. Until now, companies in Great Britain did not have to worry about this because Great Britain was part of the EU. But soon, it won't be. And unless and until the EU elects to put Great Britain on the list of adequate countries, personal data transfers to Great Britain will be restricted in just that way. Anyone who works for a multinational and has to deal with the current version of that problem as between the United States and the EU will appreciate what a colossal problem that could be. And likewise, if substantive British privacy law begins to vary significantly from EU law, as almost certainly it will over time, there'll be yet one more variation of everything that somehow has to be folded into policies and procedures, technology applications and everything else that inevitably gets dragged into these things. And again, anyone who has had to deal with this appreciates how very complicated and challenging it can get. Companies based in the UK that have never had to deal with the US/EU privacy challenge will be in for a rude shock as they discover how very difficult it is to manage that set of compliance issues.
Workplace Health and Safety – once again, this is an area where much of the regulation originates at the EU level, and then works its way down into national regulation through statutes and regulatory enactments. No longer a member of the EU, Great Britain will no longer be bound by these, and whether or not current regulation of EU origin remains in effect, Great Britain will not be bound by future EU directives, so inevitably, its regulatory course will diverge from that of the EU. And of course, any associated records and information governance requirements will likewise diverge.
Customs, Accounting and Tax – as a member of the EU, Great Britain is part of a common customs union with the other EU countries. That means free movement of goods, and no customs paperwork between those countries. And as a member of the EU, Britain also shares other common requirements and characteristics in its management of tax and accounting, including such things as VAT, which is governed by common EU rules and is calculated and collected as part of a common scheme. When Britain exits the EU, all of these arrangements no longer apply. So, not only will Great Britain have to negotiate trade agreements with the EU, but as a foreign jurisdiction, all sorts of tax and accounting issues that currently do not arise between it and the EU will suddenly come into play. So too will similar arrangements with other countries that are predicated upon EU membership. So not only does all of this affect Great Britain, but it affects other countries, and businesses within those countries as well, because Great Britain must now be treated as an entity separate from the EU for many purposes for which it is now effectively part of that greater entity. It could well be that managing the split will require the breakup of some large entities, with the many information management and governance issues posed by that.
The above are only a sampling of the many technical issues that are still to be sorted out. There are many, many other technical legal issues, a great many of which are directly relevant to information governance, and to businesses with a presence in Great Britain and other EU countries, and which will affect the ways those companies do business and manage records.
The Uncertain Future Course
And worse, all of the above is fraught with a great deal of uncertainty. Since this has never been done before, there isn't a framework or roadmap to go by, so no one really has any idea of what the outcomes are likely to be – or how to get there. The only authority is a single high-level treaty provision, Article 50 of the Treaty on European Union, which leaves all of these many technical details to negotiations. So now we enter into a long period where businesses and individuals do not have clear guidance as to how to proceed. And this period could go on for quite a while – Britain is already stalling for a bit, waiting for a new government to come to power, which will take at least several months, and the negotiations themselves cannot start until Britain formally invokes Article 50, which it appears in no hurry to do. Even once the negotiations start, they are likely to go on for months or years just to get a first-generation solution up and running. You can bet it will need modifying, so there'll be a second period of uncertainty while the new regulatory regimes are being vetted and corrected, issues litigated and resolved and new precedents developed; and all of that will certainly take years more.
And it could get even more complicated. Other countries are making noises about leaving the EU as well. Scotland and Northern Ireland – and even the city of London – have made it clear that they would very much prefer to remain part of the EU. So, London is seeking greater autonomy, which may result in different regulatory regimes more in harmony with the EU, while Scotland is rumbling outright about secession from Great Britain and rejoining the EU, and Northern Ireland is rumbling about leaving Great Britain and joining the Irish Republic, and with it the EU. And of course, there’s the secession movement in Catalonia, that I’ve not even mentioned.
Everything I've just discussed is revisited again in some way or another for each of these scenarios, should they come to pass. Businesses could be in for a very complicated next few years indeed. Hold on to your hats.

06/15/2016

The Dilemma of Democracy and Information – Double Edged Swords from out of Pandora's Box

A number of recent stories illustrate the possibilities and perils of 21st-century information technologies. I recently discussed Hillary Clinton's email troubles, but there are other recent stories that continue and illustrate this trend.

In the last couple of days, we've learned that the database of the Democratic National Committee has been hacked, apparently by hackers associated with the Russian government. And apparently, they were able to root around in there for a year or more before they were detected, and collect messaging and email traffic, the DNC's opposition research file on Donald Trump, and who knows what else. Likewise, there is at least some evidence that Clinton's server may have been similarly targeted. She received, and apparently replied to, a phishing email sent from the account of an advisor and may have clicked a malicious link in it. And later, some email from an advisor wound up on a website purportedly associated with the Russian government. Exactly what transpired is unclear, but obviously, some damaging possibilities exist.

These, among many other examples, illustrate some of the perils of modern information technologies. They are certainly very useful for communicating and for gathering very large amounts of data, and for analyzing that data. But, not everyone who wants to see that data is a good guy or has a right to see it, so if it gets hacked, a great deal of damage can be done.

So, now we've got all this big data, and we’re properly concerned, as illustrated above, that it can be misused, so we impose an assortment of controls and privacy rules and maximum retention periods upon it to prevent that misuse.

But then, in the aftermath of the recent terror attacks in France and Belgium, we learn that the authorities' ability to track terrorist suspects and investigate terror attacks is hampered by the lack of information flow between the investigative bodies of the various European states. Their privacy laws restrict this flow to protect individual privacy, but an unintended consequence of that is that among the people whose privacy is protected are terrorist suspects and actual terrorists. So, they are able to use the shield of the law to hide from the law. And even when the information is there and theoretically available, it often doesn't get used the way it could be and probably should be – Orlando shooter Omar Mateen was the object of the FBI's attention for suspected terrorist ties, and had what appear to be several other red flags in his past, but passed at least two background checks easily, held a security guard license and was able to purchase firearms legally.

These are only the most recent examples of this – on the privacy front, the National Security Agency (NSA) had a number of programs for very large scale data collection about all sorts of things that on one hand, significantly impinged upon the presumed privacy rights of a great many people, but on the other hand, if you ask anyone in the know, they will tell you that these programs probably prevented a number of terrorist attacks in the United States. These programs have been significantly curtailed, which may well yield more terrorist incidents in the United States similar to those in Europe. We've already seen a few. It's impossible, for me at least, to confidently blame them on the curtailment of the NSA programs, but it's certainly at least possible, and maybe likely, that the curtailment of those programs will result in more terrorist activity in the United States. On the data security front, the number of really large-scale data breaches is too large to list here: several at Sony, Target, Anthem, MySpace, an assortment of government agencies . . . the list appears endless.

It does not seem as though there can be a perfect solution to these problems. Collective security necessarily requires the limitation of some individual rights, including rights of privacy. And making information available enough to be actually useful necessarily limits the amount of security and protection that can be placed upon it. So in both of these cases, any choice you make necessarily involves some limitation on some of the other factors – it simply cannot be avoided. We could undoubtedly create very safe and secure countries if we were willing to tolerate very totalitarian and intrusive methods to achieve them – universal phone taps and email and messaging monitoring, expanded search and seizure rights for the authorities, restrictions on travel and so forth. But we will not do this, because we won't tolerate the complete abridgment of what we see as our innate rights in the name of collective security. Nor will we really tolerate complete information security – we like to have our credit card on file with Amazon, because we like to be able to purchase things very easily. As it is, we're annoyed if they make us type in a CAPTCHA or the three-digit verification code on the back of the card. We've gotten so used to the convenience of these transactions that these very minor things start to become irritants. It's hard to imagine most people tolerating a great deal more in the way of verification in the name of information security. Nobody ever thanks the government for long airport security lines either, even though they're about to get on a plane that might be blown up otherwise. It just doesn't work that way.

Call all of this the Dilemma of Democracy and Information. Those of us fortunate enough to live in democratic societies value that fact and the rights that this gives us very highly. And we want to protect those rights. But when they wrote the Magna Carta or the United States Constitution, that was a pretty straightforward thing to do, comparatively speaking. 21st century information technologies have very much complicated this discussion. Our rights have become inextricably intertwined with the information that is being collected about us and the conclusions that can be mined from that information. And the information that is being collected grows constantly in both size and complexity, as does the ability of the collectors to mine it. So we cannot really talk about our rights without necessarily involving that information collection, and what will be done with that information.

And therein lies our dilemma: if we insist on complete privacy for ourselves and our information, we necessarily sacrifice some things – including some lives – in return for that privacy. And if we insist upon complete security for our information, we likewise sacrifice some things that we might otherwise have. And there is no perfect answer here, only a set of trade-offs, each of which is imperfect. Whatever we decide, we have elected to sacrifice some of one important thing, and in return, get more of another important thing.

So we enter into a great debate: how much of what in our information lives are we willing to trade, and what must we get back in return to justify that trade? We individually can and do enter into that debate every time we surrender information to a website, apply for a government benefit or do a hundred other things. But there are a thousand other ways information is collected about each of us that we have little or no control over, so someone else is making that choice for us – a legislature, a government agency, an employer, a social media site. To avoid these is to withdraw from society, and most of us are unwilling to do that.

And that means we must continue that debate as societies, making collective decisions that will necessarily be imperfect but that cannot be avoided. Our goal should not be to avoid the debate – it cannot be avoided, because inaction is a kind of action. What we must do is avoid the temptation to take simplistic or black and white positions. There is no easy position, nor can we go back. The information technologies that allow us to do these things, and the way virtually all of us do use them, makes it impossible to go back. The Pandora’s Box of information has been opened, never again to close.

The way forward, however imperfectly, lies in front of us.

06/09/2016

The Hillary Clinton Email Scandal – Lessons Learned, Part 2

In my last post I looked at the Clinton email scandal from the State Department's point of view. It's equally worthwhile to look at it from Clinton's point of view. That’s what we’ll do today.

In addition to the facts that I bulleted yesterday, there's one central fact that needs to be added: Clinton wanted some email to remain private and unavailable to others. Her version of it is that this notion applied to her private email, and not to any public business. Her detractors argue that she was trying to hide improprieties in her public business instead. Which of these is the case is immaterial for purposes of this discussion. The central fact is that she wanted to keep something private and unavailable, and from her perspective, the State Department email system was the weak link. So, she took the weak link out of the loop by creating an email system that was controlled directly by her and her subordinates, rather than the bureaucracy of the Federal Government.

From a professional perspective, and leaving aside the questions of motive, it's a case of a very aggressively conceived and very aggressively implemented records and information or information governance policy. And it has all of the basic concepts of an information governance policy and procedure embedded in it: a strategic goal, a plan to implement that goal, the acquisition, implementation and configuration of technology to implement that goal, and one or more repositories that wound up being subject to the overall strategy and process. Classic information governance.

The retention of the server upon which the emails resided after Clinton left Government service is likewise part of that information governance policy. So too is the deletion of emails selected by Clinton and her staff prior to returning the server to the government, and the wiping of the server. These are all tactics that are, analytically speaking, part of a standard information policy and process. Keeping one's records secure, and then securely destroying them upon expiry of their retention period is again classic information governance. And that being the case, there are standards upon which the process can be judged.

The Generally Accepted Recordkeeping Principles

So how does she score on the GARP (officially “The Principles”) maturity model? Let's see:

Accountability: An organization shall assign a senior executive who will oversee a record-keeping program and delegate program responsibility to appropriate individuals, adopt policies and procedures to guide personnel and ensure program auditability.

Clinton probably gets a 4 or 5 here. Her program was certainly overseen by a senior executive, and she was certainly careful in delegating responsibilities to trusted subordinates, and they all rode herd on the thing pretty carefully, so she gets top marks for accountability.

Integrity: a record-keeping program shall be constructed so the records and information generated or managed by or for the organization have a reasonable and suitable guarantee of authenticity and reliability.

Here again, Clinton probably gets a 4 or 5. So near as we can all tell, the thing was managed pretty tightly, and was obviously heavily relied upon by Clinton and her staff, so reliability and authenticity were key.

Protection: a record-keeping program shall be constructed to ensure a reasonable level of protection to records and information that are private, confidential, privileged, secret or essential to business continuity.

Now we begin to see some of the weaknesses in Clinton's information governance. We know that the server was hosted by a relatively unsophisticated commercial service, and that her technical staff were by no means world-class experts in data security. We also know that there were hacking attempts on her server, although we don't know if they were successful or not. All in all, not strong. We have to give her a 2 here.

Compliance: the record-keeping program shall be constructed to comply with applicable laws and other binding authorities, as well as the organization's policies.

This one's tough. Her score depends on who you view as the organization. If the organization in question is the State Department, she gets a very poor score – it's very clear that the whole arrangement violated existing policies and procedures. If, however, you view the organization as Clinton herself, then she gets a higher score, because she had a set of policies she wanted implemented, and she implemented them very aggressively. The other problem here is the Federal Records Act. At the very least, she delayed for several years in turning over any federal records found on her server to the appropriate custodians, and at worst, she deleted some federal records. And then of course there is the question of various levels of classified information ending up on her server, which is at least a violation of State Department policy, and may possibly be a violation of law. Best case, she gets a 3. Worst case, a 1.

Availability: an organization shall maintain records in a manner that ensures timely, efficient and accurate retrieval of needed information.

Another tough one. Available to whom? If to Clinton and her staff, a slamdunk 5. If to anyone else, a 1.

Retention: an organization shall maintain its records and information for an appropriate time, taking into account legal, regulatory, fiscal, operational and historical requirements.

Again, from Clinton's standpoint, another easy 5. By her own criteria, she knew what she wanted to keep, and she kept it as long as she felt she needed to keep it. From the State Department's standpoint, much tougher: since Clinton and her staff decided what to keep and what not to keep without consulting the State Department, it's really tough for them to determine whether the choices made were appropriate. Let's give them a 3.

Disposition: an organization shall provide secure and appropriate disposition for records that are no longer required to be maintained by applicable laws and the organization's policies.

Yet another 5 for Clinton. She had a retention and disposition policy and she ruthlessly implemented it. And her version of the implementation of that policy is that she complied with applicable law. From the standpoint of the State Department and other interested parties, the situation is less clear. Again, since Clinton and her staff made the decisions without consultation with other parties, those other parties cannot know whether the appropriate decisions were in fact made. On the other hand, they don't know that the decisions made weren’t appropriate either. So, we have to give them a 3 again.

Transparency: the processes and activities of an organization's record-keeping program shall be documented in an understandable manner and be available to all personnel and appropriate interested parties.

No matter how you slice it, Clinton gets poor marks on this one. Although her program was clearly understood by her own personnel, as a matter of law and public policy, "appropriate interested parties" includes a wide array of other people including the Federal Government and all sorts of interested outside parties. That's what the Freedom of Information Act is all about. We have to give her a 1 here.

Hillary’s GARP Score

So how does she grade out? From Clinton's perspective, taking the best-case Compliance score of 3, she gets an average of 3.625 to 3.875 out of 5. Not bad – most organizations would love to achieve a maturity score as high as that. But, clearly there are also some areas where she could have done a much better job. From the State Department's standpoint – worst-case Compliance of 1, Availability 1, Retention and Disposition 3 each – not so good: a 2.5, which is subpar, and, we might observe, right in keeping with the Inspector General's report. And it could be worse. For the Principles of Accountability and Integrity, we assumed Clinton's position. Looking at it from the State Department's position, the scores would be very low for these, dragging down the overall score quite a lot. Give them a 1 on both of these, and the average comes down to a dismal 1.625.

Lessons Learned

What does all of this teach us? Well, an obvious teaching point that arises out of the disparities in Clinton's score versus the State Department's score is that how the value and effectiveness of a program is judged is very much dependent upon what you see as the goals of it, and who you see as the legitimately interested parties. There are widely divergent opinions on both of these, and on the legitimacy of Clinton's own take on them. And this is true for everyone else: are the legitimately interested parties the Board of Directors? The shareholders? Regulatory agencies? Public interest groups? The public? Some combination of them? Every organization has to make these choices, and it can make them in an aggressively self-serving way, or in a way that serves a broad public interest, or anyplace in between. And none is necessarily right or wrong – it really depends upon many factors. And that choice may have consequences down the road, as we are seeing with Hillary Clinton's email.

There are also compliance issues here that are unavoidable. Clearly, Clinton took a very aggressive stance in her interpretation of State Department policy, the Federal Records Act, Secrecy laws and other relevant authority. As of this writing, we do not know whether that interpretation actually violated any laws, but it seems clear at least that it violated State Department policy. So she was skating pretty close to the line. And Clinton is a lawyer, and many of her staff are lawyers, and they had all had information security briefings, so it's hard for her to make a convincing case that they were unaware of this.

Defensibility

All of which brings us to the question of defensibility. At the end of the day, whether it's defensible disposition or defensible management and retention, the choices you make must be legally defensible. And here, she may have skated too close to the line. It's unlikely that, at the time she implemented this policy, Clinton anticipated the current set of adverse consequences, which are at the very least severe reputational damage, and at worst might wind up being criminal charges and a conviction. And that is another obvious teaching of this – as a policy becomes more and more aggressive, it gets closer to that line of defensibility. At the time you make the decision, it's important to understand where that line is, and the consequences of getting close to it. You had better be sure that you understand and are willing to live with the consequences of however closely to the line you choose to skate, otherwise you may fall through the ice. And at that point, as in this case, it's too late to go back and make a different choice.

Where to Go From Here

How does this work out in terms of practical implementation? Well, the GARP Principles are a pretty good place to start. The maturity model certainly tells you where you need to improve, but then it's a question of acting upon that information. The weaknesses in Clinton's program are illustrative of the challenges of acting on that information. Here are a few:

You need to have experts with unbiased viewpoints in on the decision-making. Clinton had a lot of lawyers in on her decision-making, but it's probably fair to say that they weren't unbiased. In fact, there's evidence in the Inspector General's report that opinions from unbiased subordinates were suppressed. So all decision-makers shared her viewpoints and her agenda, and that probably colored the ultimate decision-making, and thereby the ultimate outcomes. And that was probably a mistake.
You need the technical expertise to implement your strategy and goals competently. In retrospect, Clinton could have done a much better job on the technical security aspects of her setup, but she could also have used more expert – and unbiased - guidance on the legal and records management aspects of the arrangement. Effective use of that guidance would probably have permitted her to substantially achieve her goals while avoiding much of the downstream fallout that she is currently experiencing.
If you're going to take an aggressive stance with respect to the interpretation of guidance, legal authority and policies and procedures, you need to thoroughly consider the justification for that stance early on in the process. Clinton very clearly did not do this, and her subsequent ad hoc and inconsistent justifications for her actions have only sharpened suspicions about her motives. She’s not the only one this has happened to, she’s just the one on the front page.
The bottom line is that any such program needs careful planning, expert implementation and competent professional oversight. Although the issues with Clinton's email are front and center in the public eye, they are really no different analytically than the issues faced by other organizations that implement governance strategies and processes without thinking them through. And like Clinton, organizations that fail to consider these things can and do have problems later.

Address

P. O. Box 1418
Englewood, CO
80150