If you don’t know Samantha Lofton, you should. A quietly impressive and generous Records and Information Management professional, she established her superb reputation through education and practical experience.
From an entry-level position in the Clinical Research Industry to Firmwide Records & Information Manager for Greenebaum, Doll & McDonald PLLC, she built her sophisticated Records program from an idea using industry standards and best practices.
In addition to being a life-long student of RIM, she also serves the membership of ARMA International as one of its elected Directors. She is swiftly emerging in the Records field as one of the foremost experts on the relationship between information management programs and cloud storage solutions, and I had the good fortune to sit down with her recently to talk about one of her favorite topics.
Q: Samantha, you’ve taken on multiple roles for your firm. What prompted you to pick up this topic?
Lofton: I’m interested in this topic because of the industry trend towards marketing of cloud storage solutions to businesses and clients as a good alternative to reducing cost associated with data storage, IT infrastructure, architecture, application and other associated data warehouse and maintenance costs.
In a review of cloud storage as a method to reduce storage costs, organizations must also consider the Records & Information Management implications -- how will they manage and control information in the cloud to ensure information security and privacy (including authenticating user access and identity in the cloud)? How will they administer and manage litigation holds, discovery requests, and retention and destruction requirements?
Q: What sources did you find the most helpful in preparing your readiness for the topic?
Lofton: There are many white papers on the topic, such as the UC Berkeley article "Above the Clouds: A Berkeley View of Cloud Computing" (02/10/2009). I like articles where several government officials weigh in regarding the relationship between privacy and security because they cite both the risk and the benefits of the cloud storage approach. I also find helpful any articles on pilot projects and initiatives where cloud storage is considered as a viable alternative to maintaining applications and data stores for the US Government. My research isn’t restricted to domestic instances only, though. Other sources I use include:
- Canadian Privacy Commissioner paper "Reach for the Cloud(s): Privacy Issues related to Cloud Computing" priv.gc.ca/information/pub/cc_201003_e.cfm
- World Privacy Forum: Privacy in the Clouds: Risks to Privacy and Confidentiality from Cloud Computing by US lawyer Robert Gellman www.worldprivacyforum.org/pdf/WPF_Cloud_Privacy_Report.pdf
- EU, European Cyber-Security Agency ENISA "Cloud Computing Security Risk Assessment" and related documents
- Cloud Computing in the Canadian Environment www.cloudbook.net/canadacloud-gov
Q: Cloud computing and records management have specific obligations to each other. What do you find most intriguing about the dynamics of the relationship?
Lofton: The biggest issue that an organization faces when deploying cloud computing is the obligation to ensure that the company’s policies surrounding retention, privacy and security are administered and validated in the cloud. Vendors must have the ability to meet their potential client’s needs relating to the authentication of users, data access and the physical storage of data in the cloud.
Organizations can look to ARMA International’s Generally Accepted Recordkeeping Principles (GARP) to ensure that those principles are incorporated into the organization’s information governance plan, which extends to the cloud. The GARP Principles include: Accountability, Integrity, Protection, Compliance, Availability, Retention, Disposition and Transparency.
Q: How does a cost benefit analysis of cloud computing partner into a more profitable Records program?
Lofton: Should an organization choose to deploy cloud computing, the cost savings associated with this alternative can be allocated to other RIM and technology initiatives within the organization. Cloud computing alternatives also eliminate some of the barriers to costs associated with building an advanced IT infrastructure to support applications internally.
Q: How does this relationship between cloud computing and RM pair with mobile devices?
Lofton: Mobile devices allow users to access their data from virtually anywhere in the world. When traveling abroad, e-mail may be on a dedicated server that bridges through another wireless network in order to connect to your cloud storage vendor. The Records and Information Manager should ask: how long do you back up what is on your servers? What version(s) would be discoverable in the cloud? What are the available encryption options? The security of these devices, should a user lose such a device, must be managed remotely.
Q: Records and Information Managers are always conscious of contractual obligations and you purposefully mention it in your presentations. What questions stand out to you as important in the dialogue between company and potential vendor?
Lofton: There are various requirements that organizations must comply with, such as SOX, HIPAA/HITECH, etc. The key is to ensure that your vendor will protect your data with the same care you would. If a vendor does not meet your organization’s standards with a planned approach and response, then they are not the right vendor for you. I advise colleagues to ask at least the following:
- How will the vendor protect the data and authenticate users?
- How will they notify us if a third party makes a discovery request?
- What is their disaster recovery process and how will they ensure our data is available in the event of a disaster?
- What is their process for permanent removal of data?
- Where is data physically stored, could the physical data warehouse be moved to another country, and if so, how much notice will we be given?
- Are they applying USDOD 5015 standards to their data security protocols—indeed, are they USDOD 5015 certified?
- What is their approach to compliance audits and Litigation Holds?
- In the case of a data breach, how will we be notified?
- Are they willing to enter into a BAA (Business Associate Agreement) with us to protect private health information and follow procedures to be HITECH Act compliant?
Lofton: As organizations move toward adopting cloud computing approaches such as Software as a Service (SaaS), Infrastructure as a Service (IaaS) or Platform as a Service (PaaS), they will look to organizations such as ARMA International, AIIM and technology associations for best practices.
I am interested particularly in a checklist of items to consider when outsourcing to cloud storage, as well as trends and case studies of organizations using cloud storage, including international privacy issues surrounding physically moving data stores from one country to another.
Editor's note: Mimi Dionne also recently interviewed Susan Scrupski. Read that interview in "Interview: Susan Scrupski and Her New Socio-Collaborative Virtual Network, Part 1".