American Laws on Digital Preservation

Adam Jansen, CRM, MIT, CDIADKives Consulting

adam@dkives.com

Digital Preservation Workshop -- Mar 2009

Agenda:• Public Sector Laws• Private Sector Laws• Court Rules• Case Law

FEDERAL RECORDS ACT OF 1950FEDERAL RECORDS ACT OF 1950Public Sector

Records Act

• NARA responsible for – Assisting agencies– Regulating disposition schedules– Operating records centers– Preserving permanent records

• Records may not be destroyed unless on retention schedule

• Retentions Schedules mandatory instructions of what to do

TITLE 44 - PUBLIC PRINTING AND TITLE 44 - PUBLIC PRINTING AND DOCUMENTS DOCUMENTS

Public Sector

Chapter 33 Disposal of Records

• Section 01 - Definition: “records” includes all books, papers, maps,

photographs, machine readable materials, or other documentary materials, regardless of physical form or characteristics, made or received by an agency of the United States Government under Federal law or in connection with the transaction of public business and preserved or appropriate for preservation by that agency or its legitimate successor as evidence of the organization, functions, policies, decisions, procedures, operations, or other activities of the Government or because of the informational value of data in them.

Chapter 31 Records Mgmt

Section 01:“The head of each Federal agency shall make and preserve records containing adequate and proper documentation of the organization, functions, policies, decisions, procedures, and essential transactions of the agency and designed to furnish the information necessary to protect the legal and financial rights of the Government and of persons directly affected by the agency’s activities.”

Chapter 31 cont.

Section 06 - Unlawful removal/destruction:“The head of each Federal agency shall notify the Archivist of any actual, impending, or threatened unlawful removal, defacing, alteration, or destruction of records in the custody of the agency of which he is the head that shall come to his attention, and with the assistance of the Archivist shall initiate action through the Attorney General for the recovery of record”

Chap 31 cont.Section 05 Safeguards:

The head of each Federal agency shall establish safeguards against the removal or loss of records he determines to be necessary and required…Safeguards shall include making it known to officials and employees of the agency—(1) that records in the custody of the agency are not to be

alienated or destroyed except in accordance with sections 3301–3314 of this title, and

(2) the penalties provided by law for the unlawful removal or destruction of records.

Chapter 36 –E-gov Services

• Section 01 –definition:“electronic Government” means the use by the Government of web-based Internet applications and other information technologies, combined with processes that implement these technologies, to—

• (A) enhance the access to and delivery of Government information and services to the public, other agencies, and other Government entities; or

• (B) bring about improvements in Government operations that may include effectiveness, efficiency, service quality, or transformation;

Chap 36 cont.• Creates director position to oversee transition for:

“interoperability” means the ability of different operating and software systems, applications, and services to communicate and exchange data in an accurate, effective, and consistent manner;

“integrated service delivery” means the provision of Internet-based Federal Government information or services integrated according to function or topic rather than separated according to the boundaries of agency jurisdiction;

Chapter 41- Access to E-info

Section 01 -Superintendent of Records shall:(1) maintain an electronic directory of Federal electronic information;(2) provide a system of online access to the Congressional Record, the Federal Register, and, as determined by the Superintendent of Documents, other appropriate publications distributed by the Superintendent of Documents; and(3) operate an electronic storage facility for Federal electronic information to which online access is made available …

E-GOVERNMENT ACT OF 2002E-GOVERNMENT ACT OF 2002Public Sector

E-Gov Act• Develop and promote electronic Government services and processes

by establishing an Administrator of a new Office of Electronic Government within the Office of Management and Budget.

• To promote use of the Internet and other information technologies to provide increased opportunities for citizen participation in Government.

• To promote the use of the Internet and emerging technologies within and across Government agencies to provide citizen-centric Government information and services.

• To reduce costs and burdens for businesses and other Government entities.

• To promote access to high quality Government information and services across multiple channels.

• To make the Federal Government more transparent and accountable.

FEDERAL INFORMATION SECURITY FEDERAL INFORMATION SECURITY MANAGEMENT ACT OF 2002MANAGEMENT ACT OF 2002

Public Sector

FISMA• Requires that agencies have in place an information systems

inventory• All information and information systems should be categorized

based on the objectives of providing appropriate levels of information security according to a range of risk levels

• Federal information systems must meet the minimum security requirements

• Risk assessment validates the security control set • Agencies should develop policy on the system security planning

process• System's controls must be reviewed and certified to be

functioning appropriately

NOTE: Security experts described FISMA as "fundamentally flawed" primarily a paperwork exercise

CHAPTER 36 CODE OF FEDERAL CHAPTER 36 CODE OF FEDERAL REGULATIONSREGULATIONS

Public Sector

36 CFR § 1228.270 E-Records

Transfer of Records:• The approved media and media-less transfer forms

are open reel magnetic tape; magnetic tape cartridge; Compact-Disk, Read Only Memory (CD-ROM); and File Transfer Protocol (FTP

• Formats: The records must be written in ASCII or EBCDIC

• Database: Data files and databases must be transferred to the National Archives as flat files or as rectangular tables; i.e., as two-dimensional arrays, lists, or tables

36 CFR 1234• Agency heads responsible for:

– Integrating the management of electronic records with other records and information resources management programs of the agency.

– Establishing procedures for addressing records management requirements, including recordkeeping requirements and disposition, before approving new electronic information systems or enhancements to existing systems.

– Specifying the location, manner, and media in which electronic records will be maintained to meet operational and archival requirements

– Maintain technical documentation on…physical and technical characteristics of the records, including a record layout that describes each field including its name, size, starting or relative position, and a description of the form of the data

36 CFR 1234 cont• Section 22 Creation of text Documents

“Before a document is created electronically on electronic recordkeeping systems that will maintain the official file copy on electronic media, each document shall be identified sufficiently to enable authorized personnel to retrieve, protect, and carry out the disposition of documents in the system. Appropriate identifying information for each document maintained on the electronic media may include: office of origin, file code, key words for retrieval, addressee (if any), signator, author, date, authorized disposition (coded or otherwise), and security classification (if applicable). Agencies shall ensure that records maintained in such systems can be correlated with related records on paper, microform, or other media.”

36 CFR 1234 Cont.Section 24 Email:• Identifies users by codes or nicknames …shall instruct staff on how to retain

names on directories or distributions lists to ensure identification of the sender and addressee(s) of messages that are records.

• acknowledgments or receipts … shall issue instructions to e-mail users specifying when to request such receipts or acknowledgments for recordkeeping purposes and how to preserve them.

• Calendars that meet the definition of Federal records are to be managed in accordance with the provisions of General Records Schedule 23, Item

• Preserve the transmission and receipt data specified in agency instructions• Permit transfer of permanent records to the National Archives and Records

Administration• Agencies that maintain their electronic mail records electronically shall move

or copy them to a separate electronic recordkeeping system unless their system has the features specified

• Backup tapes should not be used for recordkeeping purposes

36 CFR 1234 cont

Section 28 – Security– (a) Ensures that only authorized personnel have

access to electronic records.– (b) Provides for backup and recovery of records to

protect against information loss.– (c) Ensures that appropriate agency personnel are

trained to safeguard sensitive or classified electronic records.

– (d) Minimizes the risk of unauthorized alteration or erasure of electronic records.

– (e) Ensures that electronic records security is included in computer systems security plans

36 CFR 1234 contSection 30 Storage Media:• Agencies shall select appropriate media and systems for

storing agency records that:– (1) Permit easy retrieval in a timely fashion;– (2) Facilitate distinction between record and non-record

material;– (3) Retain the records in a usable format until their

authorized disposition date; and– (4) If the media contains permanent records and does not

meet the requirements for transferring permanent records to NARA as outlined in 1228.270 of this chapter, permit the migration of the permanent records at the time of transfer to a medium which does meet the requirements.• “Avoid use of Floppy disks”

HEALTH INSURANCE PORTABILITY HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996AND ACCOUNTABILITY ACT OF 1996

Public/Private Sector

HIPPA

• Establishes regulations for the use and disclosure of Protected Health Information (PHI)

• An individual who believes that the Privacy Rule is not being upheld can file a complaint

• Privacy Rule pertains to all PHI, including paper and electronic, the Security Rule deals specifically with Electronic Protected Health Information (EPHI)

HIPPA/EPHI• Lays out three types of security safeguards required for

compliance: administrative, physical, and technical:– Admin - written procedures for privacy and establish

dedicated officer oversight– Physical - secure access to all data sources– Technical - Information systems housing PHI must be

protected from intrusion, ensuring that the data within its systems has not been changed or erased in an unauthorized manner• Data corroboration, including the use of check sum, double-

keying, message authentication, and digital signature may be used to ensure data integrity, Covered entities must also authenticate entities it communicates with, documentation of their HIPAA practices

GRAMM-LEACH-BLILEY ACTGRAMM-LEACH-BLILEY ACTFINANCIAL SERVICES MODERNIZATION ACT OF 1999FINANCIAL SERVICES MODERNIZATION ACT OF 1999

Private Sector

G-L-B

Safeguard rule:• Denoting at least one employee to manage

the safeguards, • Constructing a thorough risk management on

each department handling the nonpublic information,

• Develop, monitor, and test a program to secure the information

• Forces financial institutions to take a closer look at how they manage private data and to do a risk analysis on their current processes

PUBLIC COMPANY ACCOUNTING PUBLIC COMPANY ACCOUNTING REFORM AND INVESTOR PROTECTION REFORM AND INVESTOR PROTECTION ACT OF 2002ACT OF 2002

Private Sector

Sarbanes-Oxley, Sarbox or SOX

• Enron, Tyco International, Adelphia, Peregrine Systems and WorldCom

• Applies to public company boards, management, and public accounting firms. It does not apply to privately held companies

Sox Section 302

• Internal Control Certificates– “responsible for establishing and maintaining

internal controls” and “have designed such internal controls to ensure that material information relating to the company and its consolidated subsidiaries is made known to such officers by others within those entities

Sox Section 404

• Assessment of internal control:– External auditors are required to issue an

opinion on whether effective internal control over financial reporting was maintained in all material respects by management

FEDERAL RULES OF EVIDENCEFEDERAL RULES OF EVIDENCECourt Rules

Title VII Rule 803

Hersey ExemptionsRecords of regularly conducted activity. A memorandum, report, record, or data compilation, in any form, of acts, events, conditions, opinions, or diagnoses, made … if kept in the course of a regularly conducted business activity… all as shown by the testimony of the custodian or other qualified witness, or by certification …unless the source of information or the method or circumstances of preparation indicate lack of trustworthiness.

Article IX Rule 902

Self Authentication:Certified domestic records of regularly conducted

activity. The original or a duplicate of a domestic record of regularly conducted activity that would be admissible…if accompanied by a written declaration of its custodian or other qualified person…certifying that the record:

(A) was made at or near the time of the occurrence(B) was kept in the course of the regularly conducted

activity; and(C) was made by the regularly conducted activity as a

regular practice.

Article X Contents of Writings, Recording and Photographs

• Rule 1004 – AdmissabilityThe original is not required, and other evidence of

the contents of a writing, recording, or photograph is admissible if…All originals are lost or have been destroyed,

Original defined (1001) as the writing or recording itself or any counterpart intended to have the same effect…If data are stored in a computer or similar device, any printout or other output readable by sight, shown to reflect the data accurately, is an "original".

FEDERAL RULES OF CIVIL FEDERAL RULES OF CIVIL PROCEDUREPROCEDURE

Court Rules

Rule 34 – Producing DocumentsA party may serve on any other party a request :• to produce and permit the requesting party or its

representative to inspect, copy, test, or sample the following items in the responding party's possession, custody, or control:– any designated documents or electronically stored

information — including writings, drawings, graphs, charts, photographs, sound recordings, images, and other data or data compilations — stored in any medium from which information can be obtained either directly or, if necessary, after translation by the responding party into a reasonably usable form

– The request: may specify the form or forms in which electronically stored information is to be produced

Rule 34 - Response

Producing the Documents or Electronically Stored Information. Unless otherwise stipulated or ordered by the court, these procedures apply to producing documents or electronically stored information:– (i) A party must produce documents as they are kept in

the usual course of business or must organize and label them to correspond to the categories in the request;

– (ii) If a request does not specify a form for producing electronically stored information, a party must produce it in a form or forms in which it is ordinarily maintained or in a reasonably usable form or forms;

COURT CASES BUILDING CASE LAWCOURT CASES BUILDING CASE LAWCase Studies

Zubulake v. UBSWarburg• Zubulake became a discovery case when the

plaintiff, who had collected over 450 pages of e-mails during her employment, observed that the defendant had produced only one hundred pages of e-mail evidence

• Zubulake recognized that the traditional duties of preservation extend not only to that information that the disclosing party may use to support its case, but also to evidence relevant to the claims or defenses of other parties to the case

[229FRD422]

Lombardo v. Broadway Stores

• A party to litigation will be sanctioned for destroying electronic evidence even when paper print-outs are readily available

[2002Cal.App.LEXIS662]

Bills vs. Kennecott Corp

• The cost of recovering and sorting inadvertently misplaced email back-ups falls upon the party who failed to manage their electronic records, not upon the requesting party

[108 F.R.D. 459, 462 (D. Utah 1985)]

Adams v. Dan River Mills

• concluded that the plaintiff was not limited to production of paper copies of computer data, but could also obtain the information in useable computer format

[54 FRD 220 (WD W.Va. 1972)]

Rowe Entertainment, Inc. v. William Morris Agency, Inc

• Backup media is often the subject of discovery because it offers insight into information from earlier points in time that may no longer exist on individual computers. Since this historical data may be relevant to litigation, it is discoverable. Creative Artist Agency had 523 backup tapes, but only 261 of them had been catalogued

[205 FRD 421, 425–26 (SDNY 2002)]

Convolve, Inc. v. Compaq Computer Corp

• Preserving electronic evidence can be more difficult than preserving paper because due to automated routines. Preservation is not limited to avoiding willful acts of destruction; it is necessary to halt automatic processes as well

[2004 U.S. Dist. LEXIS 16164 (SDNY 2004)]

Vodusek v. Bayliner Marine Corp

• Spoliation is not an affirmative defense that must be pleaded, but a rule of evidence to be administered at the discretion of the trial court

[71 F.3d 148, 155–56 (4th Cir. 1995)]

re Air Crash at Detroit Metro

• If both a paper record and electronic records are requested to be produced during discovery, then both must be produced

• If electronic records no longer exist, must pay reasonable costs to recreate records in orginial form

[130 FRD 634 (E.D.Mich. 1989)]

NARA Guidelines

• Web Pages– HTML or XML– No .php, .asp, .shtml– External links disabled• Documented what the links were

So what’s Missing???

• How?• Standards?• Best practices?