While at the ARMA 09 Conference [1] last week, I learned about a range of issues related to records management, and I must admit I don't think about this end of content management as much as I probably should. The fact is that records management runs the gamut from paper records to electronic ones, and more recently even records stored in the cloud. In fact, at a lively session hosted by the extremely knowledgeable and personable Alan Pelz-Sharpe [2] of CMS Watch [3], there was a wide-ranging discussion about managing records, and whether you should be using cloud applications at all if you're serious about records management.
There is a great deal of anxiety and even mistrust among record keepers when it comes to the cloud, and the consensus seemed to be against records storage in the cloud, at least until the technological and legal issues get worked out.
A step back to Enterprise 2.0
As I was thinking about the viability of the cloud from a records management perspective, I remembered the "Night in the Cloud" event [4] at Enterprise 2.0. There, Doug Cornelius [5], who is Chief Compliance Officer at a real estate private equity firm based in Boston, had a lot to say on the subject. You can read his thoughts in this post [6] (and more in this follow-up article [7] by Alexander Howard [8] on SearchCompliance.com), but the gist is that while Cornelius won't dismiss the cloud as an option, he's not ready to give it his stamp of approval either. At a minimum, he suggests that you have all of your contractual ducks in a row, and that means holding the vendors' feet to the fire by asking the hard questions about data ownership, data maintenance, and data governance and retrieval.
A common theme
In fact, asking those questions was a common theme at the cloud session (which was called "Weathering the storm--The future impact of cloud computing on records management"). Pelz-Sharpe was careful to point out the advantages of using cloud services, including the fact that you only pay for what you use. In tough economic times, with all companies looking to do more with tight budgets, a cloud option has the potential to reduce your computing overhead in a big way, but at the same time it takes your data out of your control, moving it from behind the firewall onto somebody else's servers.
This means, should regulators or lawyers come knocking on your door, it's unclear how easily you can get at your data, even though you surely still have all of the same legal obligations regardless of whether the data lives on your server or your vendor's server. And Jim Cuff from Iron Mountain [9], a member of the panel, said you need to know exactly what the vendor's legal obligations are to you before you get a subpoena.
No clear answers
Ben Hawksworth, a consultant from Ernst & Young, who also spoke during the "Weather the Storm" session, pointed out that--as is often the case--the technology is developing faster than the law or regulators can keep up with it, so the bottom line is that there are no clear precedents in place as to how regulators or the courts will react when you explain that you're using a cloud vendor and it could take a while to get at the data. One participant wisely pointed out, however, that we've faced these kinds of issues with each new technology: issues come up, you sit down and work out solutions, and you move on.
To some extent, it depends on the kind of company you are running. Jason Robman, who is director of legal solutions and corporate counsel at Recommind [10], says that highly regulated companies like financials and pharmaceuticals are facing a much stiffer test when it comes to compliance and governance issues. He wrote to me in an email, "The jury is still out on this model especially for regulated entities, law firms and other companies that transmit customer data. Most companies are taking a wait and see attitude."
The fact is there are no easy answers here, because to a large extent record keeping in the cloud is still very much uncharted territory, and until we see some test cases, we can't know how the government or courts will react to these technologies and the issues inherent in them. For now, as Robman says, it may be best to tread slowly and think very clearly about the issues involved from a record keeping and governance perspective, and make sure potential vendors are prepared to answer your questions to your satisfaction before you move any data outside the firewall. - Ron [11]
Links:
[1] http://www.arma.org/conference/2009/
[2] http://www.cmswatch.com/Analyst/10-Pelz-Sharpe
[3] http://www.cmswatch.com/
[4] http://enterprise2blog.com/2008/06/move-all-your-it-to-the-cloud-cloud-computing-providers-try-to-convince-cxos-to-take-the-plunge/
[5] http://www.compliancebuilding.com/
[6] http://www.compliancebuilding.com/2009/06/22/compliance-and-cloud-computing-at-enterprise-2-0/
[7] http://searchcompliance.techtarget.com/news/article/0,289142,sid195_gci1360185,00.html
[8] http://twitter.com/Digiphile
[9] http://www.ironmountain.com/
[10] http://www.recommind.com/
[11] mailto:rmiller@fiercemarkets.com