Challenges on the Horizon for Companies if the ADPPA does not make it into Law


The US House Energy and Commerce Committee approved the proposed American Data Privacy and Protection Act (ADPPA) by a 53-2 margin on July 20, 2022. With this accomplishment, the ADPPA has made it further along the federal legislative process than any other data privacy regulation in US history.

Both Republicans and Democrats in the House and the Senate support the bill, and its passage could radically change the privacy landscape in the US. Still, if it is not passed, or if its preemption clause is removed, companies doing business in the US could face a highly complex environment in which to operate.

If the ADPPA is signed into law, it will preempt all other state data privacy laws, which means businesses operating in the US would have one data privacy law to comply with instead of separate regulations from each state with differing definitions, timelines, and requirements. So, a business currently subject to the new Connecticut, California, Virginia, Utah, or Colorado laws would instead need to comply with the single ADPPA. This preemption provision of the ADPPA would greatly simplify data privacy compliance in the US.

Preemption is a significant stumbling block in the ADPPA. Many states, notably California, don’t want their laws to be superseded by the ADPPA.

As technology advances and data privacy becomes increasingly important to individuals, the states are stepping up to create their own data privacy laws. By the end of 2022, 5 states had enacted data privacy laws. However, in the first month of 2023, approx. 9 state legislatures had filed new data privacy bills. How many will be passed is anyone’s guess, but by the end of 2024, the majority of states will have passed data privacy bills.

If the ADPPA does not become law with the preemption provision, what does that mean for businesses? With the prospect of most states having their own (differing) data privacy laws soon, companies collecting personal information will face more significant complexities and spiraling compliance costs.

Data privacy laws are designed to protect personal information from being misused or mishandled. By granting individuals greater control over how their data is collected, secured, used, and shared, the data privacy laws are expected to help to ensure that personal information remains secure and that businesses are held accountable for how they handle data.

Consider this: an organization collecting personal information will need to track, for each individual, that person’s state of residence, the consent that was received and when it was received, the individual state laws governing how long the information can be retained, and the differing state-law definitions and exemptions.

Additionally, each state data privacy law includes specific data subject rights, such as the right to query the company about the detailed personal information that has been collected on them, as well as the right to have their personal information erased, provided no other laws prevent the erasure, such as federal data retention requirements (financial services) or involvement in litigation. These rights are absolute, meaning an organization must fully comply, not just give it its best effort.

Companies will need to invest in new technologies and procedures in order to comply with the various state laws. In addition, they will likely need to hire additional staff to monitor compliance and ensure they follow all applicable individual laws. Implementing such measures will be expensive, especially for small businesses.

These new data privacy laws include data security requirements. New data security requirements could consist of implementing additional security measures like encryption (I hope), multi-factor authentication or, eventually, zero-trust architectures. This will also ultimately mean providing more transparency into how customer data is used.

Furthermore, businesses will face greater legal liability if they fail to comply with state-level data privacy laws. Companies that fail to comply could face fines, civil penalties, or even criminal charges brought by the state Attorneys General if found to have violated the law. This could result in a significant financial hit for businesses as well as bad publicity, especially for companies that are not prepared for such an eventuality.

Finally, businesses will also experience a loss of customer trust if they fail to comply with state-level data privacy laws. As customers become more educated about how their data is being used, they may be less likely to trust a business if they feel their data is not adequately protected. This could lead to a loss of existing customers and a decrease in overall sales and profits.

Overall, the outcome for businesses if each state passes a data privacy law and the federal ADPPA law is passed and does not include preemption could be significant. Companies will no doubt face increased compliance costs, stricter regulations, greater legal liability, and a loss of customer trust if they are not in compliance with the law.

As such, businesses should be sure to prepare for these potential outcomes and ensure they comply with any applicable data privacy laws. Doing so can help to ensure their data remains secure and their customers remain confident in their data privacy practices.


Data Privacy Laws: An Inflection Point for Information Managers


I have written about this topic several times, but with recent changes, I wanted to jump into it again. The basic premise is that with the rising numbers of data privacy bills becoming law, the Information Management/Records Management profession will face managing much greater amounts of corporate data.

The progression of cloud-based computing and data management has led to an explosion of data collection, data selling, data analysis, and data hoarding (the opposite of data minimization) by companies worldwide. As a result, there has been growing concern that data security and privacy need to catch up with new cyber-theft technologies, leading to the inevitable implementation of new data privacy laws. These more recent data privacy laws, such as the EU’s GDPR and California’s CCPA/CPRA, are becoming an inflection point for the information management profession.

The Impact of Data Privacy Laws

Data privacy laws require companies to obtain consent from individuals before collecting and using their personal information (PI). They also require companies (if requested) to disclose how they will use this data and to allow individuals to access, correct, or delete their data upon request. Failure to comply with these laws can result in significant fines, legal action, and bad press.

The EU’s GDPR and California’s CCPA/CPRA data privacy laws have significantly impacted how companies collect and use data. They have forced companies to be more transparent about their data collection and use practices and to ensure that individuals have greater control over their PI. In addition, these laws have increased awareness of data privacy issues among individuals, leading to more informed decisions about how they share their personal information as well as increasing numbers of data subject access requests (DSARs) to be filed with companies.

With more states passing data privacy laws, data collectors are being forced to adapt to an increasingly complex data privacy landscape. Imagine being required to track each individual’s PI based on individual state data privacy definitions, rights, and requirements, including when consent was given and for what specific use.

Data Privacy Laws and Information Management

New privacy laws are beginning to have and will continue to significantly impact information management practices. Companies must now take a more strategic and inclusive approach to data collection and management, considering the potential legal and financial risks associated with non-compliance. This is leading to a necessary shift in the way companies think about and manage data, with a greater emphasis on data inclusion, governance, and compliance.

Data inclusion refers to the need for data not currently centrally managed by information management applications, such as that data held locally by employees on their individual workstations and laptops, to be included in ongoing information management activities.

Could employees be storing content that includes PI on their laptops?

Data governance refers to the policies, procedures, and technologies that enable organizations to manage their data assets. This includes data quality management, data security, and data privacy. With the implementation of data privacy laws, companies must now incorporate data privacy into their data governance strategies, ensuring that personal data is collected, used, and stored in a compliant manner.

Because of the new laws, companies will now be forced to manage ALL data within their environment, including all data held locally on employee devices.

Why?

Data subjects now have the right to query companies on what of their PI the company is storing, whether it has been sold, how it’s being used, and for what purposes. Data subjects now also have the right to have their PI permanently deleted (if there are no regulatory or legal requirements to keep it). These rights are absolute, meaning an organization must completely comply with data subject requests, not just give it their best try – all within a specific timeframe.

For example, what if Bob Smith filed a data subject access request (DSAR) asking if the company was storing any of his PI and, if so, requesting that it be deleted? How would IT search all employee devices for all PI on Bob Smith?

Because of these new data privacy rights, companies will be forced to either somehow ensure all PI cannot be stored on local employee workstations or actively manage all employee data centrally. Besides the cultural impact on employee data, IT having access to all data on a laptop, indexing it for easy search, and applying retention/disposition policies will be a significant undertaking.
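As an added example (not code from the original post or from any product it mentions), the following Python script shows the "locate" step of the DSAR scenario above: walk a directory tree, the way an IT team would walk an employee workstation or a central archive, and report every text file that mentions a data subject. The data subject’s name and e-mail address, the sample files, and the directory layout are all constructed here; the word-boundary matching is a deliberate choice so that a request for "Bob Smith" does not sweep in an unrelated "Bobby Smithson".

```python
"""Locate files that mention a data subject across a directory tree.

Added example (not the post's own code): a minimal DSAR "locate" step.
Matching is a case-insensitive, word-boundary search over text files;
files containing NUL bytes are treated as binary and skipped.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, List, Sequence


@dataclass
class Hit:
    path: str
    size: int
    terms: List[str]  # which of the requested identifiers were found


def compile_terms(terms: Sequence[str]) -> Dict[str, re.Pattern]:
    """Word-boundary, case-insensitive patterns so 'Bob Smith' does not
    match 'Bobby Smithson'."""
    return {t: re.compile(r"\b" + re.escape(t) + r"\b", re.IGNORECASE) for t in terms}


def scan_tree(root: str, terms: Sequence[str], max_bytes: int = 10_000_000) -> List[Hit]:
    """Walk `root` and report every readable text file mentioning any term.
    Binary files are skipped here; a production scanner would hand them
    to a text extractor (PDF, Office) instead of ignoring them."""
    patterns = compile_terms(terms)
    hits: List[Hit] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
                if size > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    raw = fh.read()
            except OSError:
                continue  # unreadable file: record it and keep scanning rather than abort
            if b"\x00" in raw:
                continue  # binary content; see note above
            text = raw.decode("utf-8", errors="replace")
            found = [t for t, p in patterns.items() if p.search(text)]
            if found:
                hits.append(Hit(path=path, size=size, terms=found))
    return hits


def demo() -> List[str]:
    """Build a constructed sample 'workstation' and return the basenames
    of the files that mention the constructed data subject."""
    subject_terms = ["Bob Smith", "bob.smith@example.com"]  # constructed identifiers
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Documents"))
        samples = {
            "Documents/notes.txt": "Call Bob Smith about the renewal quote.\n",
            "Documents/contacts.csv": "name,email\nB. Smith,bob.smith@example.com\n",
            "Documents/other.txt": "Bobby Smithson signed off on the PO.\n",
            "cache.bin": b"\x00\x01Bob Smith\x00",  # binary: skipped by this scanner
        }
        for rel, body in samples.items():
            mode = "wb" if isinstance(body, bytes) else "w"
            with open(os.path.join(root, rel), mode) as fh:
                fh.write(body)
        hits = scan_tree(root, subject_terms)
        return sorted(os.path.basename(h.path) for h in hits)


if __name__ == "__main__":
    for name in demo():
        print(name)
```

Run as-is, the script reports `contacts.csv` and `notes.txt` and silently skips the binary cache file; that silent skip is exactly the gap the post is pointing at, since a DSAR response has to account for PI in every format, not just plain text.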

Consider that organizations currently manage only 5-10% of all corporate data, the portion they consider “regulated records.” Now, IT and information management professionals will be looking at 10 to 20 times more data to manage, with more complex and granular policies.

New ways to manage all corporate data

Data privacy laws have also led to the development of new technologies and solutions to manage personal data. For example, consent management platforms enable companies to obtain and manage consent from individuals for collecting and using their personal data.

Data mapping tools will help companies identify where personal data is located within their central enterprise and how it is used. But do these data mapping tools have the ability to scan individual employee laptops?

Additionally, “manage in place” applications rarely reach out to individual workstations – making total PI management impossible.

The Future of Information Management

Data privacy laws are just the beginning of a new era of information management. As technology continues to evolve, the amount of data collected and used by companies will only increase. This will require new strategies and solutions to ensure that personal data is managed in a compliant and secure manner.

One area of focus for the future of information management will be the use of artificial intelligence (AI) and machine learning (ML) to automate data privacy compliance. AI and ML can be used to analyze data collection and usage patterns, identify potential risks, and automate data subject access requests. This will enable companies to manage personal data more efficiently and effectively while reducing the risk of non-compliance.

Another area of focus for the future of information management will be the development of new technologies and solutions to protect personal data. This will include using blockchain technology, which can be used to create secure, decentralized systems for managing personal data. It will also include developing and using new data encryption technologies such as field-level encryption, secure multiparty computation, data masking, and homomorphic encryption – which allows encrypted data to be used without needing to decrypt.

This means that PI will need to be encrypted in transit, at rest, AND while in use, ensuring that the company and individual data subjects cannot be extorted by threatening to release their PI on the dark web.

These new security measures will help protect personal data from cyber theft, ransomware, and extortionware.

Effective data privacy is dependent on evolving data security

Data privacy laws are the new inflection point for the information management profession. The laws have forced companies to take a more strategic approach to data collection and management, incorporating data privacy and security into their data governance strategies. They have also led to the development of new technologies and solutions to manage personal data anywhere in the enterprise.

The amount of data collected and used by companies will only increase. Additionally, as data privacy laws and technology continue to evolve, organizational risk will continue to rise. This new environment will require new strategies and solutions to ensure that personal data is managed in a compliant and secure manner.

However, AI and ML will partially automate data privacy compliance, including who can move PI, where, and who can access it. AI will automatically recognize PI in documents, encrypt it with the correct permissions, and store it in special, secure repositories.

Additionally, AI/ML-assisted granular data security capabilities and more pervasive data encryption use will ensure cyber-theft and extortionware will be less successful, which will, in turn, possibly reduce cyber-liability insurance rates.

But information management professionals will quickly be dealing with a great deal more data to manage.

Data Sovereignty and the GDPR; Do You Know Where Your Data Is?


As more companies move their data to the cloud, the question of data sovereignty is becoming a hotter topic. Data sovereignty is the requirement that digital data is subject to the laws of the country in which it is collected or processed. Many countries have requirements that data collected in a particular country must stay in that country. They argue that it’s in the Government’s interest to protect their citizens’ personal information against any misuse.

The Right to be Forgotten Versus The Need to Backup


A great deal has been written about the GDPR and CCPA privacy laws, both of which include a “right to be forgotten.” The right to be forgotten is an idea that was put into practice in the European Union (EU) in May 2018 with the General Data Protection Regulation (GDPR).

Do You Have A “Leaver” Data Problem?


Everyone leaves the company eventually. Better opportunities, reduction in workforce actions, termination, or your manager has the IQ of un-popped popcorn…, no matter the reason, everyone eventually leaves. In the UK, these people are referred to as “leavers.” In the U.S. they’re called departing employees or ex-employees, and depending on the circumstances, more colorful names. However, the way a company handles these departing employees can mean the difference between business as usual and major customer satisfaction issues, project delays, higher eDiscovery costs, and higher costs overall.

When an employee is terminated or informs the company they are leaving, the HR organization usually has a checklist of things to do before the employee departs. This includes (but is not limited to):

  1. Return credit cards
  2. Turn in all expense reports
  3. Turn in laptop
  4. Turn in external hard disks
  5. Turn in cell phone
  6. Return building and office keys and access cards
  7. Remove access/User ID to all electronic systems

Pretty standard stuff to ensure the employee does not walk off with company equipment or confidential information. However, this process does not address the most valuable company asset…information.

Is Departing Employee Data Valuable?

At its base level, companies employ people to create, process, and utilize information. What happens to the GBs of data the employees create and store over their time at the company? True, much of that information is stored on the employee’s laptop, but how long do those laptops sit around before they’re re-imaged and re-tasked? In a blog last month, I touched on this specific problem:

“Not long ago I received a call from an obviously panicked ex-coworker from a company that I had left 6 months prior. They were looking for the pricing/ROI calculator that I had developed more than a year prior. A large deal was dependent on them producing a believable ROI by the next morning. I told the ex-coworker that it and all of my content should be on my laptop and even suggested a couple of keywords to search on. Later that day, the same person called back and told me that the company’s standard process for departing employees’ laptops was to re-image the hard disk after 30 days and distribute it to incoming employees – the ROI model I had spent over a man-month developing was lost forever.”

Now consider the numerous other places an employee can store data: file shares, cloud storage accounts (OneDrive, Dropbox), cell phones, SharePoint, OneNote, PSTs, etc. Now also consider how you would find a specific file containing a customer presentation in a short period of time…

If not managed as a valuable company asset, much if not all of that expensive employee data is, if not lost outright, extremely difficult if not impossible to find when needed.

Chaotic Data Management Makes You a Target

Let’s address another problem associated with ex-employee data… eDiscovery.

You’re a General Counsel at a medium-sized company and you receive an eDiscovery request one afternoon asking for all responsive data around a specific vendor contract between Feb 4, 2009 and last month. Several ex-employees are named as targets of the discovery.

This is a common scenario many companies face. The issue is this: when responding to discovery, you must look for potentially responsive data in all possible locations, unless you can prove that the data could not exist due to existing processes. The legal bottom line is this: if you don’t know for sure that data doesn’t exist somewhere, then you must search for it, no matter the cost. Opposing Counsel have become very adept at finding the opposing party’s weaknesses, especially around data handling, and exploiting them to force you to spend more money so that you will settle early.

Discovery response also carries with it a time constraint. The time required to respond has caused many companies to spend huge amounts of money to bring in high-priced discovery consultants to ensure discovery is finished in time.

Both of these issues can be readily addressed with new processes and technology.

Process Change and Technology

Worthless data can be extremely valuable when you can’t find it. Most companies I have worked for were very good about the employee exit process. But so far I have never had an HR (or other) person ask me specifically for all of the locations my data could be residing.

The laptop and cell phone are turned in and quickly re-imaged (losing all data), file shares with work files and PSTs are eventually cleaned up destroying data, and email accounts are closed. Very quickly, all of that employee data (intellectual property and know-how) is lost.

In reality, all it takes to solve this problem is first to develop an exit process that ensures the company knows where all employee data is before they leave, and second, to migrate all of that ex-employee data to a central repository for long-term management. Many companies are finding that a low-cost “cool” cloud archive is the best and lowest-cost answer.


Just because an employee has departed doesn’t mean their intellectual property has to as well. Keep that ex-employee information available for business use, litigation, and regulatory compliance well into the future.

The Industry’s First “Leaver” Archive

Microsoft Azure is that low-cost cool data repository. Archive360’s Archive2Azure provides the management layer for Azure that allows this departing employee data to be migrated into Azure, encrypted, retention/disposition applied, and custom indexing processes enabled, providing centralized ultra-low-cost cool storage so that grey, low-touch, ex-employee data can be managed and searched quickly.

Emails considered “abandoned” if older than 180 days


The Electronic Communications Privacy Act – Part 1

It turns out that those 30-day email retention policies I have been putting down for years may… actually be the best policy.

This may not be a surprise to some of you, but the government can access your emails without a warrant by simply providing a statement (or subpoena) that the emails in question are relevant to an ongoing federal case – criminal or civil.

This disturbing fact is legally justified through the misnamed Electronic Communications Privacy Act of 1986 otherwise known as 18 U.S.C. § 2510-22.

There are some stipulations to the government gaining access to your email:

    • The email must be stored on a server, or remote storage (not an individual’s computer). This obviously targets Gmail, Outlook.com, Yahoo mail and others, but what about corporate email administered by third parties, what about Outlook Web Access, remote workers that VPN into their corporate email servers, PSTs saved on cloud storage…
    • The emails must have already been opened. Does Outlook auto-preview affect the state of “being read”?
    • The emails must be over 180 days old if unopened

The ECPA (remember it was written in 1986) starts with the premise that any email (electronic communication) stored on a server longer than 180 days had to be junk email and abandoned. In addition, the assumption is that if you opened an email and left it on a “third-party” server for storage you were giving that “third-party” access to your mail and giving up any privacy interest you had, which in reality is happening with several well-known email cloud providers (terms and conditions). In 1986 the expectation was that you would download your emails to your local computer and then either delete them or print out a hard copy for record keeping. So the rules put in place in 1986 made sense – unopened email less than 180 days old was still in transit and could be secured by the authorities only with a warrant (see below); opened email or mail stored for longer than 180 days was considered non-private or abandoned, so the government could access it with a subpoena (an administrative request) – in effect, simply by asking for it.

Warrant versus Subpoena: (from Surveillance Self-Defense Web Site)

To get a warrant, investigators must go to a neutral and detached magistrate and swear to facts demonstrating that they have probable cause to conduct the search or seizure. There is probable cause to search when a truthful affidavit establishes that evidence of a crime will probably be found in the particular place to be searched. Police suspicions or hunches aren’t enough — probable cause must be based on actual facts that would lead a reasonable person to believe that the police will find evidence of a crime.

In addition to satisfying the Fourth Amendment’s probable cause requirement, search warrants must satisfy the particularity requirement. This means that in order to get a search warrant, the police have to give the judge details about where they are going to search and what kind of evidence they are searching for. If the judge issues the search warrant, it will only authorize the police to search those particular places for those particular things.

Subpoenas are issued under a much lower standard than the probable cause standard used for search warrants. A subpoena can be used so long as there is any reasonable possibility that the materials or testimony sought will produce information relevant to the general subject of the investigation.

Subpoenas can be issued in civil or criminal cases and on behalf of government prosecutors or private litigants; often, subpoenas are merely signed by a government employee, a court clerk, or even a private attorney. In contrast, only the government can get a search warrant.

With all of the news stories about Edward Snowden and the NSA over the last year, this revelation brings up many questions for those of us in the eDiscovery, email archiving and cloud storage businesses.

In future blogs I will discuss these questions and others, such as how this affects “abandoned” email archives.

Dark Data Archiving…Say What?



In a recent blog titled “Bring your dark data out of the shadows”, I described what dark data is and why it’s important to manage it. To review, the reasons to manage it were:

  1. It consumes costly storage space
  2. It consumes IT resources
  3. It masks security risks
  4. It drives up eDiscovery costs

For the clean-up of dark data (remediation), it has been suggested by many, including myself, that the remediation process should include determining what you really have, determining what can be immediately disposed of (obvious stuff like duplicates and any expired content, etc.), categorizing the rest, and moving the remaining categorized content into information governance systems.

But many “conservative” minded people (like many General Counsel) hesitate at the actual deletion of data, even after they have spent the resources and dollars to identify potentially disposable content. The reasoning usually centers on the fear of destroying information that could be potentially relevant in litigation. A prime example is seen in the Arthur Andersen case where a Partner famously sent an email message to employees working on the Enron account, reminding them to “comply with the firm’s documentation and retention policy”, or in other words – get rid of stuff. Many GCs don’t want to be put in the position of rightfully disposing of information per policy and having to explain later in court why potentially relevant information was disposed of…

For those that don’t want to take the final step of disposing of data, the question becomes “so what do we do with it?” This reminds me of a customer I was dealing with years ago. The GC for this 11,000-person company, a very distinguished looking man, was asked during a meeting that included the company’s senior staff what the company’s information retention policy was. He quickly responded that he had decided that all information (electronic and hardcopy) from their North American operations would be kept for 34 years. Quickly calculating the company’s storage requirements over 34 years with 11,000 employees, I asked him if he had any idea what his storage requirements would be at the end of 34 years. He replied no and asked what the storage requirements would be. I replied that it would be in the petabytes range and asked him if he understood what the cost of storing that amount of data would be and how difficult it would be to find anything in it.

He smiled and replied, “I’m retiring in two years, I don’t care.”

The moral of that actual example is that if you have decided to keep large amounts of electronic data for long periods of time, you have to consider the cost of storage as well as how you will search it for specific content when you actually have to.

In the example above, the GC was planning on storing it on spinning disk, which is costly. Others I have spoken to have decided that the most cost-effective way to store large amounts of data for long periods of time is to keep backup tapes. It’s true that backup tapes are relatively cheap (compared to spinning disk), but they are difficult to get anything off of, they have a relatively high failure rate (again compared to spinning disk), and they have to be rewritten every so many years because backup tapes slowly lose their data over time.

A potential solution is moving your dark data to long-term hosted archives. These hosted solutions can securely hold your electronically stored information (ESI) at extremely low costs per gigabyte. When needed, you can access your archive remotely, search it, and move or copy data back to your site.

An important factor to look for (for eDiscovery) is that moving, storing, indexing and recovering data from the hosted archive must not alter the metadata in any way. This is especially important when responding to a discovery request.
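As an added example (not code from the original post or from any archive product), the Python script below shows one concrete way to check the "metadata must not be altered" requirement above: fingerprint a file (content hash, size, modification time) before it is moved and again after it lands in the archive, and report any field that changed. The sample file, its 2009 timestamp and the two copy methods are constructed for the demonstration; `shutil.copy2` preserves timestamps while `shutil.copy` does not, which is exactly the kind of difference a discovery-readiness check needs to catch. A production check would track more fields (owner, creation time where the filesystem exposes it) and keep the pre-transfer fingerprints as an evidence record.

```python
"""Verify that content and tracked metadata survive a transfer to an archive.

Added example (not the post's own code). Fingerprint = SHA-256 of the
content, size in bytes and modification time in nanoseconds; any field
that differs between source and archived copy is reported.
"""
import hashlib
import os
import shutil
import tempfile
from typing import Dict, List, NamedTuple


class Fingerprint(NamedTuple):
    sha256: str
    size: int
    mtime_ns: int


def fingerprint(path: str) -> Fingerprint:
    """Hash the file in chunks (large ESI should not be read into memory at once)."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    st = os.stat(path)
    return Fingerprint(digest.hexdigest(), st.st_size, st.st_mtime_ns)


def verify_transfer(src: str, dst: str) -> List[str]:
    """Return the names of fingerprint fields that changed between src and dst.
    An empty list means content and tracked metadata survived the transfer."""
    before, after = fingerprint(src), fingerprint(dst)
    return [name for name, x, y in zip(Fingerprint._fields, before, after) if x != y]


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: one old record copied into an 'archive' two ways."""
    with tempfile.TemporaryDirectory() as workdir:
        src = os.path.join(workdir, "contract.txt")
        with open(src, "w") as fh:
            fh.write("Vendor agreement, constructed sample content.\n")
        # Give the source a 2009 modification time, as an old record would carry.
        old_ns = 1_233_792_000 * 1_000_000_000
        os.utime(src, ns=(old_ns, old_ns))

        preserved = os.path.join(workdir, "archive", "contract.txt")
        clobbered = os.path.join(workdir, "archive_bad", "contract.txt")
        os.makedirs(os.path.dirname(preserved))
        os.makedirs(os.path.dirname(clobbered))
        shutil.copy2(src, preserved)  # copies content and stat info (mtime kept)
        shutil.copy(src, clobbered)   # copies content only; the copy gets a fresh mtime

        return {
            "copy2": verify_transfer(src, preserved),
            "copy": verify_transfer(src, clobbered),
        }


if __name__ == "__main__":
    for method, changed in demo().items():
        status = "OK" if not changed else "ALTERED: " + ", ".join(changed)
        print(f"{method}: {status}")
```

The content hash is the same in both cases, so a check that compares only hashes would pass the timestamp-clobbering copy; that is why the fingerprint carries the metadata fields alongside the hash.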

For those of you considering starting a dark data remediation project, consider long-term hosted archives as a staging target for the data your GC just won’t allow to be disposed of.