© 2016 Arma International

UPFRONT News, Trends & Analysis

PRIVACY EU, U.S. Agree on New Data Transfer Deal

After three months of intermittent talks, U.S. and European officials have reached a new agreement on how digital data will be transferred from one side of the Atlantic to the other. The Privacy Shield agreement, which still requires political approval, means European data protection authorities will not restrict data transfers as they had planned to if an agreement had not been reached.

According to Reuters, the European Commission said Privacy Shield will place stronger obligations on U.S. companies to protect Europeans’ personal data and ensure stronger monitoring and enforcement by U.S. agencies than the previous Safe Harbor agreement.

Since Safe Harbor was invalidated by the European Court of Justice in October 2015, about 4,000 U.S. companies that had relied on it to collect and transfer data out of the EU have been without any legal guidelines for handling information ranging from financial information to social media posts.

“We have for the first time received detailed written assurances from the United States on the safeguards and limitations applicable to U.S. surveillance program,” Commission Vice-President Andrus Ansip told the media. “On the commercial side, we have obtained strong oversight by the U.S. Department of Commerce and the Federal Trade Commission of companies’ compliance with their obligations to protect EU personal data.”

Per the agreement, the United States will create an ombudsman within the State Department to handle complaints and inquiries forwarded by EU data protection agencies, Reuters reported. There will also be an alternative dispute resolution mechanism to resolve grievances, as well as a joint annual review of the agreement.

European data protection authorities said they will also work with the U.S. Federal Trade Commission to police the system.

E-RECORDS Still Seeking the Paperless

Thirty-five years ago, a British-American information scientist introduced the concept of a paperless office. Today, it seems, we are no closer to attaining that scenario, according to a recent survey of UK . company Epson surveyed more than 3,600 European employees, and 83% called the paperless office “unrealistic.” It found that hard copies are preferred over digital documents because workers feel the need to share, hand out, and edit reports. In fact, the majority of respondents felt they’d be more likely to make a mistake when editing an electronic document than a copy.

According to the survey, 83% of office workers in Europe said a ban on printing would “limit their productivity.” Across Europe, office workers spend nearly 19 hours every year walking to and from printers, Epson said, walking more than 110 kilometers (68.35 miles) in the process.

Another survey, from information management firm M-Files, found that 77% of UK businesses still store and manage paper records, with 19% stating they keep all records in paper format and 58% storing data in both paper and digital formats.

MARCH/APRIL 2016 INFORMATION MANAGEMENT

PRIVACY VW Cites Privacy Laws in Refusing to Provide Documents

Volkswagen has refused to provide its executives’ e-mails and other communications to U.S. attorneys general who requested the documents as part of their investigations into the company’s emissions scandal, according to the New York Times.

In September 2015, Volkswagen admitted to installing software to cheat on emissions tests in 11 million diesel vehicles sold worldwide. The Times reported that a 48-state civil investigation is being led by several states, including New York and Connecticut, and attorneys general in California and Texas are also looking into the company, which includes the Audi and Porsche brands.

An inquiry by the U.S. Justice Department states that Volkswagen had “impeded and obstructed” regulators and provided “misleading information.” Investigators say Volkswagen’s actions limit their ability to identify which employees knew about or sanctioned the emissions cheating. Penalties would be greater if the states and others pursuing Volkswagen in court could prove that top executives were aware of or directed the activity.

German investigators said Volkswagen is working with them under the auspices of German law. Klaus Ziehe, a spokesman for prosecutors in Braunschweig, a city close to Volkswagen’s headquarters in Wolfsburg, said German law allowed prosecutors to carry out raids of Volkswagen’s Wolfsburg offices to gather possible evidence that could include e-mail exchanges, the Times reported.

“We can’t complain about our cooperation with the company,” Ziehe said. “We have the impression that we have received everything that we have specifically requested.”

Germany is known for its strict privacy laws, which limit access to data, especially for those outside the European Union. In refusing to turn over evidence to American investigators, Volkswagen has cited the German Federal Data Protection Act, as well as the German Constitution, the European Convention on Human Rights, decisions of the German Constitutional Court and the European Court of Human Rights, “and (for good measure) provisions of the German Criminal Code,” according to the Times.

INFO SECURITY Survey: Departing Employees Take Sensitive Data

More than one in four employees take and/or share sensitive company data when leaving a job, according to a recent survey from secure communications solutions provider Biscom.

Technology decision-makers take heed: Survey findings show that the technology a company implements plays a major role in an employee’s decision to take company data. For example, tools like Dropbox, Google Drive, and e-mail make it effortless to take files.

The survey also found:
• 15% of respondents said they are more likely to take company data if they are fired or laid off than if they leave on their own.
• Of those who take company data, 85% report they take material they have created themselves and don’t feel doing so is wrong.
• Only 25% of respondents report taking data they did not create.
• About 95% of respondents said that taking data they did not create was possible because their company either did not have policies or technology in place to prevent data stealing or it ignored its policies.

“The survey’s results reveal employees as a big security hole,” John Lane, CISO of Biscom, said in a statement. “Companies can use this information to understand how they can protect their data. Whether it’s updating employee training, establishing stricter company policies to prevent data theft, or obtaining secure tools to store and track company data.”

Although stealing data can result in significant security risks, most survey respondents reported that they didn’t view it as data theft. Despite the fact that they’re taking sensitive information, including company strategy documents, customer lists, and financial data, employees don’t consider their actions malicious or even wrong. The report concluded that this may be why data theft is so prevalent.


CYBERSECURITY Canadian Organization Releases Cybersecurity Guides

A self-regulatory organization that helps monitor Canada’s trading industry has released two guides to help investment dealers protect themselves and their clients in the event of a cyber attack.

The Investment Industry Regulatory Organization of Canada (IIROC) introduced “Cybersecurity Best Practices Guide” as a living document that can be updated to include the latest practices on governance and risk management, network security, and more. The 53-page guide also features a cybersecurity incident checklist and a sample vendor assessment, according to Legaltech News. The guide covers everything from basic security for computer networks to cost-effective approaches to securing computer systems without the burden of additional regulatory requirements.

The second guide, “Cyber Incident Management Planning Guide,” focuses more narrowly on actions to take when a breach occurs. The 29-page document examines the five stages of cybersecurity incident management – plan and prepare, detect and report, assess and decide, respond, and post-incident activity – in addition to the current state of information sharing and breach reporting requirements.

According to the IIROC, the guide provides a framework for developing a plan but is not “intended to function as a working response plan. Rather, each dealer member should develop internal plans as part of their cybersecurity strategy that prepares them in advance for the risks they are most likely to face.”

“Active management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets, and the protection of investors,” said Andrew Kriegler, IIROC president and CEO, in a statement. “That is why we consulted with the industry, engaged security experts and developed concrete resources to help firms better manage their cyber risks.”

The IIROC also noted that it is developing a cybersecurity program to help dealers increase their cybersecurity preparedness. In December, the Canadian government announced plans to launch the Canadian Cyber Threat Exchange in 2016, Legaltech News reported. It will be an independent, not-for-profit organization to help businesses protect themselves against attacks through information sharing. Its founding members are Air Canada, Bell Canada, Canadian National Railway Company, HydroOne, Manulife, Royal Bank of Canada, TELUS, TD Bank Group, and TransCanada Corp.

INFO SECURITY Data Breaches Affect U.S. Consumer Business Decisions

Just how much do U.S. consumers pay attention to data breaches? Enough to consider a company’s record before choosing to give it their personal information, a recent survey reveals.

Law firm Morrison & Foerster released “Morrison & Foerster Insights: Consumer Outlook on Privacy,” which asked consumers about their attitudes on privacy and data breaches. According to the findings, more than one-in-three U.S. consumers (35%) have made a decision whether to purchase a product from a company because of privacy concerns during the past 12 months. In addition, of those consumers that identified themselves as “concerned” about privacy, 82% said that privacy has adversely affected purchasing a product or service, an increase of 28% from 2011.

However, the survey found that just 22% of consumers have stopped purchasing products or services from a company because of a data breach. But it did find that higher-income and higher-educated consumers are more likely to stop purchasing after a breach.

SPONSORED CONTENT

Heck, even our competitors have had to concede what we’ve been saying for years: Prep kills profits.

Every Second Counts

“YOUR SCANNER IS PROBABLY JUST TOO FAST.”
There, I said it. Your scanner is either too fast, or you don’t have enough preppers. That’s why it sits there waiting for work.

How fast a scanner feeds paper doesn’t really tell the whole story. If we only looked at the scanner’s ability to quickly scan documents, we might surmise that a scanner twice as fast would be twice as beneficial. Makes sense, right? Not so fast! (Pun intended!)

WE KNOW THE DEVIL IS IN THE DETAILS
You’ve heard it many times, the devil is in the details. And in the case of document scanning…the devil is document prep. Document prep refers to that “necessary process” of making paper documents ready to run through a scanner. Take a look on the old InterWeb at the plethora of instructional videos and touting the importance of prepping your documents properly. They all detail the steps involved in prepping a banker’s box full of folders and archived records of one type or another.

Years ago, we identified over 20 different types of prep activities that may occur while documents are being prepared for scanning. For example: Picture a prepper sitting close to a , surrounded by rolls and rolls of Scotch tape, with blank 8.5 x 11 sheets of paper and patch sheets in hand.

Thus begins the tedious process of removing staples and paperclips, taping torn documents, photocopying delicate or raggedy pages, securing small or odd shaped pages onto larger ones, unfolding and removing creases from pages, inserting document separators, etc. In addition to these steps, there are a number of other activities dedicated to making the paper easier to feed into a high speed scanner. This time-consuming and monotonous process has been widely accepted as the cost of doing business.

We’ve heard directly from our customers time and again who verify these industry reports that document prep labor accounts for upwards of 70% of the cost of document scanning.

EVERY SECOND COUNTS TICK, TOCK...
So, let’s say you are looking at one of those high-priced 6000 DPH (documents per hour) scanners. It doesn’t really matter how fast it can scan; it matters how long that scanner operator has to wait for the work to be prepped.

It matters how many hours of front-end labor is required to feed the beast. We have found on average that a great prepper can prep a box of files and documents between 750 and 1000 docs per hour. Some preppers are better, some, well…not so much. Efficient document scanning operations, it should be noted, have squeezed as much time as they can out of the process by eliminating a second here, a couple seconds there. In a box of 2,500 to 3,000 documents, those seconds can really add up, and we applaud the effort.

BUT WHAT IF IT WERE POSSIBLE TO CUT OUT EVEN MORE TIME FROM THE PREP PROCESS?
In March of 2015, OPEX customer, BMI Imaging, installed one Falcon workstation in their Sacramento scanning facility. The results exceeded their expectations. BMI was able to reduce its cost of doc prep labor by 30% per box without sacrificing accuracy or quality. The addition of Falcon led directly to several new projects for BMI’s clients who had restricted budgets.

With Falcon, BMI can attack more document scanning jobs than ever before. “We are now able to offer more affordable document scanning services to clients with challenging document preparation work,” states Whitney. “Our customers are benefiting from both lower prices and higher quality images.”

OPEX PREP-REDUCING SCANNERS
Our scanners provide additional business opportunities and the flexibility to:
• Identify and aggressively bid projects with more challenging paper, or more recurring-revenue transactional work (we have thousands of scanners in the field capturing transactional documents);
• Decrease prep headcount, or increase output using the same number of people; and
• Increase your profit margin.

Now that makes sense.

CLOUD Cloud Adoption Up Across All Industries, Survey Shows

While cloud adoption has significantly increased across all industries, a recent report from data security firm Bitglass revealed that regulated industries are increasingly adopting the cloud. In those industries, adoption jumped from 15% in 2014 to 39% in 2015, with adoption in unregulated industries increasing from 26% in 2014 to 50% last year.

Even heavily regulated industries are increasingly moving to the cloud, the survey shows. Security has always been a concern for these industries; however, the report states that cloud access security brokers (CASB) are filling that gap and enabling widespread adoption of cloud apps across all industries. CASBs offer data-centric security solutions, enabling firms in heavily regulated industries to remain compliant while using public cloud apps, easing the shift away from onsite apps, according to Legaltech News.

“Regulated industries have stricter policies in handling sensitive content like personal health information (PHI) and personally identifiable information (PII). Encryption plays a big role in keeping sensitive content from falling into the wrong hands. Traditional cloud solutions do not offer a way to manage and control encryption keys that on-premise solutions offer,” Kunal Rupani, principal product manager at Accellion, told Legaltech News.

Another survey, from Ovum research, revealed that cloud computing adoption is expected to increase over the next decade. A clear majority – 58% – of respondents said they trust the cloud for all business operations. About 78% of survey respondents said they plan to use cloud and software as a service-based applications over the next three years, even for storing and sharing sensitive and regulated data.

Ovum found that data protection is driving cloud adoption because organizations often have limited resources to apply the right data protection to regulated and sensitive data or to prove adequate compliance if the data is stored onsite.

With all that in mind, Ovum says the greatest obstacle facing organizations, lawmakers, and lawyers going forward will be regulating cloud-held data while trying to balance privacy with access and productivity.

Also, the survey found the “most challenging e-discovery environments” may be in South Korea or China, “which have undeveloped or very restrictive climates.”

Which industries are racing to the cloud?

Industry                                                                                 Adoption rate %
Education                                                                                83
Communications                                                                           61
Government organizations (1,000+ employees)                                              53
Technology                                                                               51
U.S. government organizations (including state and local governments and contractors)    47
Finance                                                                                  38
Health care                                                                              37

Source: Bitglass


GOVERNMENT RECORDS NYC Mayor Issues E-Records Directive

Bill de Blasio, New York City’s mayor, has issued an executive order to establish standards for proper electronic for city agencies through the Department of Records and Information Services (DORIS). The city of 8.4 million residents needs to dispose of 700,000 boxes of documents by 2017.

“This transition will promote improved performance and transparency,” the mayor’s directive states. “It will be one component of a sensible, comprehensive and compliant information governance program.”

The mayor’s directive includes the following guidelines:
• Ensure the preservation of records that have continuing administrative, fiscal, legal, and historical or research value
• Make possible the useful processing of information
• Reduce records storage, equipment, and litigation costs, as well as the costs of other city resources
• Improve operations by documenting agency actions and decisions
• Engage all agency staff in uniform records management practices
• Facilitate access to information in the most efficient manner and at the lowest possible cost
• Ensure agencies operate effectively by appropriately disposing of records that have no archival and minimal value to the city

According to Politico New York, the city is currently scanning “millions of papers that are stashed in dusty boxes in private warehouses throughout the city and in New Jersey.” The collection totals 2.8 million boxes that will be destroyed.

Half of those are from mayoral agencies, Politico New York said, and the other half contains records kept by district attorneys and courts. The DORIS Commissioner’s office said it is focusing only on 1.4 million municipal boxes for now.

Determining how to digitize the law-and-order is a more complicated task. To begin, the city will get rid of boxes containing papers whose required retention periods have expired. There are 169,113 that fall into that category, the agency said.

If the city can get rid of all 700,000 boxes of records by 2017, it estimates it will save $9 million annually in rental costs for records storage.

RIM SERVICES Iron Mountain/Recall Merger Faces Scrutiny in UK

The Competition and Markets Authority (CMA), the UK’s primary competition and consumer authority, said it will investigate Iron Mountain’s acquisition of Recall.

Because the companies together provide a large majority of records management and physical offsite data protection services available nationally, the CMA said consumers are worried about loss of competition and choice if the merger goes through. The two companies operate from a total of 59 sites across the UK.

According to the CMA, the merger will be subject to an in-depth phase 2 investigation by an independent group of CMA panel members unless Iron Mountain is able to offer evidence that reduces the competition concerns.

Andrea Coscelli, executive director, markets and mergers, and decision-maker in this case, said:

“Our research and customer responses indicate that these are close competitors in providing 2 distinct types of records and information management services. Iron Mountain is the market leader in both of these markets in the UK. With limited existing competition and no potential new entrants identified, the concern is that the merged company could raise prices or otherwise downgrade those elements of their services which matter to customers.”


RIM SERVICES Microsoft Looks Under the Sea for Future Data Centers

Microsoft researchers believe the future of data centers may lie underwater.

The company said it has tested a prototype of a self-contained data center that can operate hundreds of feet below the surface of the ocean. Because the temperature is chilly down there, the move eliminates an expensive air-conditioning bill, one of the technology industry’s biggest obstacles, according to the New York Times.

Modern data centers hold thousands of computer servers that create tons of heat. When there is too much heat, the servers will crash. Putting the equipment under cold ocean water could answer the growing energy demands of the computing world because Microsoft is working on placing the system with either a turbine or a tidal energy system to generate electricity, the Times said.

The project is code-named “Project Natick,” and it might require strands of giant steel tubes linked by fiber optic cables to be placed on the seafloor. Or, Microsoft may suspend jelly bean-shaped server containers beneath the surface to capture the ocean current with turbines that generate electricity, according to the Times.

It may sound far-fetched, but researchers believe they could reduce the expense and the deployment time of new data centers from the two years it now requires to just 90 days by mass producing the underwater server containers.

According to the Times, the containers could also help speed up web services. Most people now live in urban centers close to oceans but far from data centers, which are usually built in places with lots of space. If servers are placed near users, the delay is reduced.

Microsoft recently conducted a 105-day test of a steel capsule – eight feet in diameter – that was placed 30 feet underwater in the Pacific Ocean off the Central California coast, the Times reported. The underwater system, which was controlled from the Microsoft campus in Redmond, Wash., was outfitted with 100 different sensors to measure pressure, humidity, motion, and other conditions in order to learn about operating in an environment where a repairman cannot venture easily or quickly. The new undersea capsules and servers inside are designed to work without needing repairs for as long as five years.

The trial was successful, and the Times reported that the research group has started work on an underwater system that will be three times as large. It will be built in collaboration with a developer of an ocean-based alternative-energy system. The developer has not yet been chosen. Microsoft engineers told the Times that a new trial will begin next year, possibly near Florida or in Northern Europe, where there are extensive ocean energy projects underway.

According to the Times, Microsoft manages more than 100 data centers worldwide, including a more than $15 billion global data center system that now provides more than 200 online services.

CYBERSECURITY Cyber Attacks on Business Rising

In 2015, 58% of corporate computers had at least one attempted malware attack blocked, up 3% from 2014, according to Kaspersky Lab’s Security Bulletin 2015. In addition, file antivirus detection was triggered on 41% of computers or removable media connected to the computers, such as USB sticks or telephones.


E-DISCOVERY Canada’s Information Commissioners Call for a Duty to Document

Canada’s information commissioners have asked their respective governments to create a legislated requirement for public entities to document issues related to their deliberations, actions, and decisions.

In a joint resolution, information commissioners expressed concerns about the trend of no records responses for access to information requests. According to the resolution, this weakens Canadians’ right of access and the accountability framework that is the foundation of Canada’s access to information laws. Without adequate records, it is also difficult for public entities to make evidence-based decisions, fulfill legal obligations, and preserve historical records.

Canada’s information commissioners have urged governments to create a positive duty for public servants and officials to create full and accurate records of their business activities. They said this duty must include effective oversight and enforcement that ensure the right of access to public records remains meaningful and effective.

The resolution is available on the websites of the Office of the Information Commissioner of Canada (www.oic-ci.gc.ca) and the Office of the Information and Privacy Commissioner for British Columbia (www.oipc.bc.ca).

PRIVACY Survey: New Data Privacy Rules Expected to Cost Companies

A recent Ovum global survey of 366 IT leaders revealed that about 52% of respondents believe the new European Union (EU) General Data Protection Regulation (GDPR) will result in business fines for their company, and two-thirds expect it to force changes in their European business strategy.

Respondents – 63% – also said they think the GDPR regulations will make it harder for U.S. companies to compete, and 70% said the new legislation will favor European-based businesses. Interestingly, respondents cited the United States as the least-trusted country for respecting privacy rights, followed by China and Russia.

More than 70% of respondents expect an increase in spending in order to meet data sovereignty requirements, and more than 30% expect budgets to rise by more than 10% over the next two years as a result of EU regulations. Fines for GDPR violations are potentially 2% of global revenue, which could translate into billions for the world’s most profitable companies.

To adapt to the new regulations, 55% of those surveyed said they are planning new training for employees, 51% said they will amend and adapt policies, and 53% said they will prepare by adopting new technologies. Of those who plan to update data privacy strategies in the next three years, 38% plan to hire subject matter experts, and 27% said they will hire a chief privacy officer.

Apparently, such measures are needed: The survey also found that many organizations fall short when it comes to even basic measures to protect data and meet current compliance requirements. For example, just 44% of respondents monitor user activity and use policy-based triggers and alerts. Only 62% have adopted role-based access controls. A little more than 50% actually classify information assets to facilitate controls. Only 54% said they disable PC features, such as external attached drives, while only 57% block access to ungoverned consumer storage and file-sharing apps, such as Dropbox.

The Ovum report recommends organizations conduct a privacy risk assessment, educate their workforces, and ask vendors questions about logical and physical data location as well as service contracts.


INFO SECURITY Personal Clouds Can Present Security Problems

In an age in which employees can “bring their own cloud” (BYOC) to the workplace, efforts to protect an organization’s proprietary information can be challenging.

In a recent action, PrimePay v. Barnes, the plaintiff filed a trade secret misappropriation suit against one of its former executives (Barnes) who had established a competing business. The plaintiff sought a preliminary injunction against the operation of Barnes’ business, arguing that he had taken confidential company information and stored it in Dropbox.

The plaintiff argued that Barnes used the Dropbox-stored data to help start his new company and then destroyed the materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”

The court rejected the plaintiff’s argument because Barnes’ Dropbox account fell under the company-approved BYOC policy:

“Barnes created the Dropbox [account] … so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation, or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.”

Dropbox was a company-approved BYOC provider and, considering factors that suggested Barnes did not access the Dropbox files after leaving his employment with PrimePay, the court found no evidence of trade secret misappropriation and did not issue a preliminary injunction against the operation of Barnes’ company. The court did, however, order the destruction of the plaintiff’s remaining confidential information that was stored on the Dropbox account.

The decision highlights the importance of developing solid BYOC policies to secure proprietary information and protect other corporate interests. Policies that allow for the use of personal clouds should:
• Clearly describe and define what data can or cannot be transferred to the cloud
• Include audit and enforcement mechanisms to gauge policy observance and disciplinary measures for noncompliance
• Define the nature and extent of the company’s right to access, retain, and/or destroy data on a personal cloud for information governance purposes
• Delineate the organization’s right to disable a BYOC account either during or after employment
• Outline any employee privacy rights in the data stored in the cloud

GOVERNMENT RECORDS Ontario: New Fine for Destroying Govt. Records

Anyone caught intentionally altering, concealing, or destroying Ontario government records now will be fined up to $5,000 (Cdn.).

Amendments to Freedom of Information and Protection of Privacy legislation at the provincial and municipal levels will require a government organization to develop, document, and preserve its records, according to The Toronto Sun.

“Our government takes our record-keeping obligations very seriously we’re committed to being open, accountable and transparent,” Lauren Souch, a spokesman for Government and Consumer Services Minister David Orazietti, said in an e-mail to the Sun. “We promised to open up the government completely, and we have done so to an unprecedented degree.”

Organizations that must follow the new rules include government ministries, hospitals, colleges, universities, school boards, municipalities, and police service boards, Souch said.

The penalty comes in response to a concern raised by former Information and Privacy Commissioner Ann Cavoukian that there were no consequences in provincial legislation for the willful destruction of public records, the Sun reported.

Cavoukian said there had been widespread deletion of e-mails by political staffers as a legislative committee sought records that would have provided more insight into the government’s reasons for cancelling gas plants in Mississauga and Oakville at a cost of up to $1.1 billion, according to the Sun. Two former senior political aides were charged but have denied wrongdoing.

14 MARCH/APRIL 2016 INFORMATIONMANAGEMENT UPFRONT © 2016 Arma International

GOVERNMENT RECORDS Committee Report: ‘FOIA Process Is Broken’

A recent majority staff report from the U.S. House Oversight and Government Reform Committee criticized the current administration and several government agencies for undermining the Freedom of Information Act (FOIA).

“The FOIA process is broken,” the report states. “Hundreds of thousands of requests are made each year, and hundreds of thousands of requests are backlogged, marked with inappropriate redactions, or otherwise denied.”

According to the report, many agencies are lacking transparency when it comes to the FOIA process by adopting an “unlawful presumption in favor of secrecy” when responding to requests. In some cases, huge sections of information that should have been made public – or were already publicly available – were inappropriately redacted, FCW.com reported.

The report cites an investigation by the State Department’s inspector general that says the department did not search for e-mail records “as a matter of course.” According to the report, “The periodic search for emails was only conducted if a request explicitly referred to ‘emails’ or ‘all records.’”

The 39-page report also says the Justice Department and other federal agencies are contributing to the backlog problem by subjecting requests for politically “problematic or embarrassing” records to an additional layer of review, according to the Wall Street Journal.

Some lawmakers criticized the report, blaming GOP budget cuts for the FOIA backlog and noted that previous administrations have not always been transparent.

The report calls for structural reform and new legislation to help move the FOIA process toward greater government transparency.

Lawmakers are trying to strengthen FOIA, which is more than 50 years old. The FOIA Improvement Act of 2015, sponsored by Rep. Darrell Issa (R-Calif.) and Rep. Elijah Cummings (D-Md.), passed the Senate Judiciary Committee in February 2015. Among other things, the bipartisan bill seeks to expand the automatic electronic release of documents that receive multiple FOIA requests and allow for consequences for agencies that miss deadlines, FCW.com reported.

According to UPI news, the House of Representatives recently passed the FOIA Oversight and Implementation Act, which calls for creating a single online portal for making FOIA requests. It would limit exemptions that allow federal agencies to withhold information and would require agencies to publicly post frequently requested records online.

In addition, according to UPI, the changes would clarify language allowing agencies to withhold information requested only when there is “foreseeable harm” to an interest protected by a FOIA exemption, such as privacy and national security.

GOVERNMENT RECORDS U.S. FOIA Complaints Rise

U.S. President Barack Obama has been quoted as saying he has led the “most transparent administration in history.” But in the past two years, the federal government has received more complaints than ever for not fulfilling public record requests, according to analysis by Syracuse University.

Syracuse found that individuals have filed record numbers of federal lawsuits in 2014-2015 – 64% more than the previous two years – against government agencies for failing to comply with requests made under the Freedom of Information Act (FOIA).

Seven years ago, shortly after taking office, Obama issued a memo stating that the FOIA “should be administered with a clear presumption: In the face of doubt, openness prevails.”

Former U.S. Attorney General Eric Holder directed agency and department heads to operate under a presumption of openness.

“I would like to emphasize that responsibility for effective FOIA administration belongs to all of us — it is not merely a task assigned to an agency’s FOIA staff,” Holder wrote at the time. “We all must do our part to ensure open government.”


PRIVACY EU Approves New Data Protection Rules

In December, the European Commission (EC) approved the final version of the General Data Protection Regulation (GDPR). The European Union (EU) Parliament was to authorize it early this year, and it will become law for all 28 member states in 2018.

The new rules usurp the EU’s 1995 data protection rules (Directive 95/46/EC). The EC has been working on the GDPR since 2012 to strengthen online privacy rights and boost Europe’s digital economy.

Experts say GDPR is the most stringent data privacy regulation yet. The new rules apply extraterritorially and so will impact every entity (data processor or data controller) that holds or uses Europeans’ personal data both inside and outside of Europe, according to legal experts.

“GDPR is a paradigm change in the way that data collection and use is regulated. We have moved from an era of relatively laissez-faire regulation of data in Europe to having the most stringent data laws in the world,” Ross McKean, partner at law firm Olswang, told ComputerWeekly.com.

Key provisions of the GDPR include:
• Instituting more rigorous requirements for obtaining consent for collecting personal data
• Raising the age of consent for collecting an individual’s data from 13 to 16 years old
• Memorializing the “right to be forgotten,” meaning entities must delete data if it meets the specified criteria
• Requiring entities to notify EU regulators of data breaches within 72 hours of the breach
• Requiring entities that handle large amounts of sensitive data to appoint a data protection officer
• Allowing fines of up to €20 million or 4% of a company’s global revenue for non-compliance

According to the National Law Review, the most significant change brought about by the GDPR is that jurisdiction is not a physical or geographical barrier because it is now digital, meaning that companies outside the EU will be affected by these new regulations if they collect data that belongs to an EU citizen.

“The GDPR looks to adopt prescriptive rules around how organizations will need to demonstrate that they comply with the GDPR,” Vinod Bange, partner and head of the UK data protection/privacy practice at law firm Taylor Wessing, told ComputerWeekly.com. “Businesses will have to genuinely adopt governance and accountability standards and not pay lip service to data privacy obligations otherwise they could be in for a surprise as the stiff new fines will apply to that requirement too.”

Experts say complying with the new rules will require companies to take steps that include mapping and classifying all personal data; performing risk assessments; designing privacy protections into all new business practices; employing dedicated data protection officers; monitoring and auditing compliance; and documenting everything they do with data and everything done to comply with the GDPR, ComputerWeekly.com reported.

Eduardo Ustaran, partner and European head of data protection at law firm Hogan Lovells, told ComputerWeekly.com that the GDPR features many requirements to make businesses more accountable for their data practices. “This is the area where the heavy weight of the GDPR will be most felt in practice,” he said. “New responsibilities such as data protection by design, data protection by default, recordkeeping obligations, data protection impact assessments, and prior consultation with data protection authorities in high-risk cases will require managerial effort and investment.”

In the absence of a new Safe Harbor rule, the GDPR does recognize standard contractual clauses and binding corporate rules as legitimate frameworks for transferring EU citizen data out of the EU.

Key provisions of the GDPR can be found at: https://edri.org/files/GDPR-key-issues-explained. and http://www.twobirds.com/en/practice-areas/privacy-and-data-protection/eu-framework-revision.


E-DISCOVERY IRS Erased Hard Drive, Spurning Court Order

Despite a court order, the U.S. Internal Revenue Service (IRS) erased a hard drive belonging to a former top official involved in the agency’s much-criticized hiring of law firm Quinn Emanuel Urquhart & Sullivan LLP.

Although a litigation hold had been placed on all materials related to the IRS hiring of the outside firm, the hard drive was erased anyway. The order came in response to a Freedom of Information Act (FOIA) request submitted by Microsoft on the IRS contract with Quinn Emanuel.

According to Law360’s report, the IRS informed the U.S. Department of Justice (DOJ) in December that it wiped the hard drive in April 2015, after the hold was in place, according to a filing by the DOJ in a Washington federal court. The hard drive belonged to Samuel Maruca, former director of transfer pricing operations at the IRS Large Business and International Division, who helped hire the law firm.

Quinn Emanuel was apparently hired to pursue Microsoft. Even though it had no prior experience handling sensitive tax data, the outside firm was hired at more than $1,000 an hour, according to court records. The initial contract for work was $2.2 million, Law360 found.

The hiring decision prompted a probe by Finance Committee Chairman Orrin Hatch (R-Utah), who wrote a letter to the IRS stating that hiring outside contractors was expensive and unnecessary, as the agency already employs about 40,000 people responsible for enforcing tax laws. A federal judge has called the decision “troubling.”

It’s not the first instance of the IRS failing to preserve critical information. The agency also “accidentally” erased the hard drive belonging to Lois Lerner during investigations into the targeting of conservative organizations. As many as 24,000 e-mails were lost when 422 backup tapes were wiped clean despite an agency-wide preservation order and congressional subpoena. In that case, a report by the House Oversight Committee found that the IRS failed to take simple steps to ensure compliance with the order.

COURT CASE Agencies Must Manage E-mails by End of Year

By Dec. 16, 2016, all federal agencies are required by the Obama administration’s information management policy to manage all government e-mail that qualifies as permanent or temporary records in electronic format.

That means agencies must have in place a method of retaining e-mail records in an electronic system that allows for managing and retrieving records and supports litigation needs, open-government requests, and other archival purposes, according to FCW.

According to a report released in December 2015 by the National Archives and Records Administration (NARA), 93% of records managers who reported said they are on track to meet the deadline. NARA said it received 84 reports, for a compliance rate of 94%.

“At this point, we’re not aware of any agencies that definitively will not make it,” Laurence Brewer, NARA’s acting chief records officer, told FCW. “The 2016 target is an important one. We do expect all agencies to meet that target. But we do realize that it may not be realistic for 100% of agencies given the complexities of their email systems [and] funding priorities, and of course, now we have a presidential transition that’s looming.”

Brewer said nearly 80% of agencies “report that they have policies and procedures to manage their email.” A majority told NARA they plan to implement the agency’s Capstone approach to e-mail management, which identifies accounts of key senior officials and key job functions for automatic preservation, FCW reported.

The approach is designed to take some of the guesswork out of e-mail management and nudge agencies toward greater levels of automation. Another goal is to eliminate old-fashioned practices such as manually dragging selected e-mails into folders for preservation.

FCW reported that NARA officials plan to release more detailed criteria soon to tell agencies specifically what they need to do to meet the target. In the meantime, NARA is trying to meet its own targets. A 2014 update to federal records laws gave the agency new oversight and inspection authority. To that end, the Office of the Chief Records Officer has grown and reorganized, and NARA has hired more employees with the technical knowledge to help agency records officers manage e-mail systems.

