This issue of RIM + IG Around the World is sponsored by TAB Canada. 

    A best practice template for your imaging project
    Get a helpful guide for creating a successful document imaging project plan.

    Outsourcing records management: what you need to know
    Learn why organizations are choosing to outsource, and whether it is the right option for you.

    Tips for managing your shared drive
    Learn how to maintain a well-organized shared drive, whether local or in the cloud.

    RIM + IG Around the World: November 2017

    Nov 08, 2017
    Court Learns Ottawa Premier’s Aide Wasn’t Trained in Record Keeping
    Proceedings in a criminal trial suggest that former Ontario Premier Dalton McGuinty's chief of staff, David Livingston, had no formal training in managing government records or complying with the province's archives act.

    Livingston received advice on preserving government records from the head of IT rather than anyone in the records management field, according to testimony from Donald Fawcett, whose responsibilities include advising government officers on recordkeeping practices. Fawcett said he did not give Livingston advice and was not directed to do so.

    Livingston and former Deputy Chief of Staff Laura Miller face criminal breach of trust and mischief charges in connection with the destruction of e-mails and other government records related to the cancellation of two power plants before the 2011 provincial election. Each has pleaded not guilty.

    The charges stem from police allegations that Livingston hired a non-government IT expert, Miller's spouse, to "wipe clean" computer hard drives in the premier's office just days before McGuinty left office in February 2013.

    What to Do When NARA Stops Accepting Paper Records in 2023
    NARA’s new draft strategic plan says the agency will stop accepting paper records at the end of 2022. All submissions after that date will need to be electronic. 

    There are two types of responses available to government agencies. One is the “ECM system dump.” This presumes that the ECM ensures that paper is always resolved by way of scanning or other means into electronic formats that can be provided wholesale to NARA. The second is the “electronic document technology" option, which leverages the conventional ECM model for retention, but expands it by exercising the capabilities of the medium for electronic documents: PDF.

    Vermont Supremes Say Public Records on Personal Accounts Are Subject to Release 

    Late last month, the Vermont Supreme Court ruled that state employees can be compelled to turn over public records stored on their personal e-mail and phone accounts. In a 5-0 decision, justices reversed a lower court judge's ruling that documents stored on private accounts are not subject to public records requests. The high court said its decision applied only to documents that meet the legal definition under the public records act, not private correspondence.

    "The notion that state employees have a privacy interest in records that are by law public records — those produced or acquired in the course of agency business — is incongruous," Justice Beth Robinson said in the 20-page decision.

    The State of E-Signature Implementation

    In this complimentary Research Report, Forrester examines 25 e-signature implementations across the United States and Europe with use cases for receivables, payables, various contracts, onboarding agreements, and travel bookings – uncovering trends in adoption, authentication, and business results. Read now!

    Advisory Committee Seeks to Fix FOIA

    A federal advisory committee hopes to make the Freedom of Information Act (FOIA) work better for agencies and for those requesting information through the law. Convened by the Office of Government Information Services at the National Archives, the FOIA group has been meeting regularly since it was established in 2014. At an Oct. 19 meeting, three subcommittees offered ideas on how agencies can do better at locating FOIA materials, managing requests, and making proactive disclosures.

    Some common threads appeared across subcommittees' recommendations, such as increasing the use of e-discovery tools, making better use of technologies to search digital records, and providing more information explaining the FOIA process online.

    "There's a whole lot of information about FOIA searches that is not publicly available," said Nate Jones, director of the FOIA Project for George Washington University's National Security Archive. "There's nothing saying, 'agency x, how do you conduct a FOIA search?' ... Without this information, it's hard to find best practices and see what's working and what's not working."

    Public Barred from Legally Photographing Records

    Today, people know that it can save time and money to use their cell phones to photograph documents rather than transcribe the content or use a photocopier. In Tennessee, though, the top entity for advising people on accessing public records is discouraging residents from taking such photos.

    The Tennessee Office of Open Records Counsel last year issued a model policy for city governments to adopt. The changes included language prohibiting citizens from using cameras of any kind to photograph records that otherwise are open to public inspection and duplication. The Shelbyville City Council adopted the change this past spring.

    The Tennessee Coalition for Open Government (TCOG) says existing state law allows photographic copies and supersedes such policies as the one adopted in Shelbyville. Will the City of Shelbyville reverse course?

    Shanna Boyette, Shelbyville city manager, said, "Administration will be reviewing the current Ordinance and will consult with legal counsel."

    U.S. Government Strives to Make Federal Communications More Secure 

    In October, the Department of Homeland Security (DHS) directed federal agencies to implement better security protocols on government e-mails and websites. Agencies will be required to use DMARC technology to help prevent e-mail spoofing, that is, impersonating government agencies via e-mail. DMARC stands for Domain-based Message Authentication, Reporting, and Conformance. Additionally, every federal website must be accessible through a secure HTTPS connection instead of HTTP.

    "We really think these two very simple-to-enable steps can have a dramatic influence in reducing common vulnerabilities that are commonly exploited by actors," said Jeanette Manfra, assistant secretary for Cybersecurity and Communications at DHS.

    Hackers often use spoofing to fool someone into clicking a malicious link that looks like it's from a trusted domain. Research shows that organizations using DMARC receive just 23% of e-mail threats compared with those that don't. 

    Australian VPN Moves Offshore to Avoid Retention Laws
    An Australian VPN provider, 4TFY, has decided to relocate overseas to avoid the country’s new data retention requirements.

    4TFY made headlines earlier this year when its founder, Luke Millanta, launched a Kickstarter campaign timed to capitalize on the new Australian Data Retention laws that were established in April. Among them, ISPs must now retain for two years a wide range of data on anyone using a fixed-line connection, Wi-Fi, or a mobile Internet connection. Required data includes the date and time of the connection, account names, connection durations, and location data.

    The new laws prompted a surge in the use of virtual private networks (VPNs) in Australia, which were presumed to be exempt from the laws. There has yet to be a court ruling on that question. But Australian VPN users are clearly concerned and have been taking their business to overseas providers rather than domestic-based ones.

    Best Practices for Building Your E-Signature Workflow

    An e-sign platform should offer flexible workflow options. This white paper explores those options by going step-by-step through the e-signature process. We explain why some options are better than others in delivering the best overall customer experience for a given use case, along with real-world examples.

    Alleging “Mass Surveillance,” Opponents to New Dutch Law Attain Referendum

    The Netherlands is set to have a national referendum on new mass-surveillance legislation after opponents got enough signatures to demand a poll. The referendum should take place on March 21, to coincide with municipal elections. The Dutch senate had cleared the Intelligence and Security Agencies Act in July, which expands the authorities' powers for monitoring the data that flows over the country's Internet infrastructure, while also granting them broad device-hacking powers.

    Organizers of the pushback say they don't want to scrap the law in its entirety, because there needs to be an up-to-date legal basis for targeted surveillance. They just want to take out the parts that infringe on fundamental rights and undermine people's security.

    "One of the main [new capabilities] is untargeted interception of cable traffic and automated analysis of that data, which is basically mass surveillance," said Nina Boelsums, one of the five university students who initiated the call for a referendum. "They're also authorizing hacking of third parties. It's an incentive for the intelligence agencies to collect zero-day vulnerabilities. Security experts are worried that that will actually make us less secure."

    Even if the Dutch do side against the new law, the referendum is only advisory, and Sybrand Buma, the leader of the Christian Democratic Appeal (CDA) party, which is in the Dutch coalition government, has already promised to ignore the result.

    NHS Was Warned to Patch System in Advance of WannaCry – But Failed To

    The UK’s National Health Service (NHS) was impacted by May’s WannaCry ransomware attack because despite local health trusts being warned to patch their systems, many failed to do so.

    A National Audit Office (NAO) investigation into the global cyber-attack, which shut down IT systems at many NHS organisations, has found the effects of WannaCry could have been prevented if basic security best practices had been applied.

    According to the NAO probe, NHS Digital, which is the health service's data and IT body, issued critical alerts throughout the spring warning organizations to patch their systems to prevent an attack like WannaCry. In April, Microsoft issued a patch to protect against EternalBlue, a leaked NSA hacking tool that uses a version of Windows' Server Message Block networking protocol to spread itself across an infected network using worm-like capabilities. This was the exploit that powered WannaCry and helped it reach networks around the world.

    Advice given in 2014 by the Department of Health and the Cabinet Office warned hospitals and GP surgeries that it was essential for them to have "robust plans" to migrate away from old software, such as Windows XP, by April 2015. Despite this, the older Microsoft operating system remained common within the NHS.

    Review of Privacy Shield Suggests Some Progress, But Concerns Remain

    In October, Vera Jourova, the European Commissioner for Justice, Consumers and Gender Equality, presented the first annual review of the EU-U.S. Privacy Shield. In general, the report suggests the shield helped ensure adequate protection and safeguards for personal data transferred to the United States. But the Commission stressed there was room for improvement and provided guidance to U.S. authorities.

    The Commission urged the U.S. administration to confirm its commitment to appoint a Privacy Shield Ombudsperson. It said the Department of Commerce (DOC) should search for false claims of participation in the Privacy Shield. Further, it recommended that companies should not be allowed to make public representations about their Privacy Shield certification before the DOC has confirmed it.

    “Under the current requirements, a company seeking certification must post its certification commitments and Privacy Shield notice on its website when it submits its certification application to the DOC,” said Joan Antokol, managing partner at Park Legal LLC. “As has been the case with some of my clients, it then takes some time, up to six weeks, for the DOC to approve the certification. I previously raised this point with the DOC, and apparently, the Commission challenged it too, as this process essentially requires the company seeking certification to hold themselves out as certified before the certification is officially approved.”

    Australia's Efforts to Combat Encryption Called "Reckless"

    Australia's Prime Minister Malcolm Turnbull and America's Deputy Attorney-General Rod Rosenstein have each spoken publicly of their wishes for the unlocking of end-to-end encryption. 

    Rosenstein has asked for something he calls "responsible encryption." In October he told an international cyber-summit audience that "companies should retain the capability to provide the government unencrypted copies of communications and data stored on devices, when a court orders them to do so."

    Politicians continue to believe, in the face of continued cogent arguments, that magic technology can reliably protect messages from eavesdroppers, yet still give easy access to law enforcement agencies whenever they demand it. 

    Politicians and law enforcement agencies in the United States and Australia are escalating the anti-encryption rhetoric. A cyber-security official from the Obama administration recently voiced concerns about the push.

    "You see some of this in Australia as well ... the suggestion of using, like, extra-judicial and extra-legal measures to obtain the information," said Ben Flatgard. "I think that should give everyone pause for concern, when politicians suggest that we're going to demand someone give us X, Y, or Z. If there's a court order to do so, that's a different thing."

    “The story is a reminder of just how much we all now rely on the hidden machineries of software engineering in our everyday lives, and just how complex these complexities are. The fact that it took 13 years for this weakness to be found and publicised shows that no one entirely understands the systems that we all now take for granted.”
                Taken from “The Guardian view on internet security: complexity is vulnerable,”
                an unsigned editorial on 

    “First, my team will identify everyone in every position within the garrison. Next, every office will have to appoint a records manager to oversee the unit program and a records coordinator who will maintain or destroy records according to Army regulations. Then, we will begin offering training to records managers and coordinators so they can learn their roles and responsibilities. Lastly, I will visit each section to inspect their current plans."
                James Francis, in “Army records management moves to 21st century,”
                an item on the U.S. Army website.

    "Blockchain recordkeeping solutions might also enable better privacy protection for citizens and governments by enabling more individual control over their personal data. With blockchain technology, they can determine who can access their data, for what purpose, and for how long."
                Victoria L. Lemieux, Ph.D., CISSP, in her article "Blockchain Recordkeeping:
                A SWOT Analysis," featured in the November/December issue of Information, available soon.

    “Keysight took appropriate and responsible steps to protect the company archives, but the most destructive firestorm in state history prevented efforts to protect portions of the collection. This is a sad, unfortunate situation — like many others in Sonoma County now. This is a time to begin healing, not assigning blame.”
                Keysight Technologies spokesman Jeff Weber, in “Hewlett-Packard historical
                archives destroyed in Santa Rosa fires,” from an article on 

    “The sanctions hit Cleopatra like a fatal snake bite, with an adverse inference that resulted in a permanent injunction and other various sanctions for violations of the Consent Order, including attorney fees. As a result of the injunction, the world will never see whatever artistry and cinematic work Cohn put into the ‘Street Survivors’ film, and all the money Cleopatra spent on the effort was gone with the wind.”
                Jason Priebe of Seyfarth Shaw LLP, in his commentary titled “Spoliation and
                Southern Rock,” on 

    “How do we build consumer or citizen confidence about protection of privacy? 50,000 people were affected by a data breach across government, releasing details of passwords and credit cards. It's not all tech related ... people often blame tech for this. It's people and the way that they use data and it'll be interesting to see the details that come out on this in the next few days.”
                Ed Husic, shadow minister for the Digital Economy, in “Australia likely to get its
                own GDPR,” an article on 

    “It turns out that Microsoft's operating system follows about every step you take on your computer. That results in an intrusive profile of yourself. What does that mean? Do people know about this, do they want this? Microsoft needs to give users a fair opportunity to decide about this themselves."
                Wilbert Tomesen, vice chair of the Dutch data protection authority, in
                “Microsoft's Windows 10 breaches data protection law, say Dutch regulator,”
                an article on 

    © 2017, ARMA International