1
Risk Management of Digitized Data
Sherry Gordon, Office of the Attorney General
This presentation is my personal opinion and not necessarily that of the Attorney General or the Office of the Attorney General.
2
Risk
Identify Risk Tolerance – your department has a mission that may involve taking certain risks, but other risks do not advance the mission or may even threaten it.
Access Expertise – Finance and Administration, Environmental Health and Safety, IT Security, Internal Audit, HRS, Research Compliance, Purchasing, People in your Department
Be Cognizant of Limits – Sort out what you can and cannot control – don’t waste resources on the things you cannot control. You may want to use resources to plan for mitigating such events.
3
Risk
Identify Hazards and Risks You Can Control – Web page, e-mail, external digital storage, tech security
Evaluate Risks – How likely is risk to occur and negative impact/damage if it does; define “red flags” for risks
Take Action to Manage Risk – SOP Policy, Contingency Planning/Identify solutions, Oversight, Training
Monitor Risk – Review cost-benefit of risk mitigation; look for newly arising risks
4
Identifying Risk – Where do I start?
Ask (questionnaires, staff meeting, or individually)
Some questions to consider:
How are the web pages designed and vetted for copyright infringement?
Do you have a way to identify and avoid responding to phishing?
Are there “two signatures” for financial and resource purchase, receipt, payment, and inventory?
Are portable digital storage devices encrypted?
What information can you store on your desktop or laptop? How do you secure it?
5
Identifying Risk (continued)
Research
Observation
Expert evaluation
6
Prioritize the Risk
[Risk matrix: Impact versus Probability of Occurring]
Probability of Occurring: Reasonably Certain to Occur, Likely, Possible, Unlikely
Impact and risk ratings shown: Catastrophic, Extremely High, High, Moderate, Critical, Low, Minimal
7
Consider Breaches of Personal Information / Confidential Data
Sensitive or confidential information at risk
Loss of data: consider proactive mitigation
Natural disaster (flooding, etc.)
Accidental (stolen or lost external drives, for example)
Intentional
8
Breaches and Risks to Confidentiality
Internal
Vulnerable storage – caches, history, recycle bins, the Cloud
Lack of security – unencrypted, weak password, access to the data too widespread
Taking data and confidential records home
The Cloud includes data sharing and transmission (does vendor have enough security)
9
Electronic Discovery and Spoliation
Obligation to preserve documents, including electronically stored information and electronic documents, when a person/entity reasonably anticipates litigation.
Documents must be preserved through expiration of the statute of limitations (including as extended by the claim period), which is measured generally by the last act underlying the claims. In many contexts (such as employment) this can be a lengthy period.
10
How Do You Save the Electronic Record?
Duty to preserve
Save traditional paper and electronic documents (without altering the latter’s metadata);
Save Outlook documents as PST files to avoid overloading Outlook files;
Determine which experts, if any, are needed to help identify, preserve, collect, process, and produce electronic evidence.
11
Electronic Documents – Know Where You Have Them
Servers
Online storage
Individual hard drives (work and possibly personal computers if used for state business)
Thumb drives, backup drives, external storage devices
Tablets, hand-held devices
Text messages, pictures on cell phones
12
Avoid Unprofessional Messages
Public record can be letter, Web page, e-mail, voice message, browsing history
Information maintained in electronic form is a public record – including the metadata
Most people have a cell phone which can record conversations “on the sly” – such records hard to use in court, but easy to post to Internet
13
Top Four (4) E-mails
4. [Employee] has started another brouhaha about his leave reports. I think it is much to-do about nothing. FYI.
3. Understood, however, please understand that [he] was, in our opinion, making whatever self-serving statements he could, notwithstanding reality, because he got caught with his hand in the cookie jar again. I do not believe that these were genuine perceptions. They were defensive, self-serving statements.
2. Holy Cow! I didn't ever imagine you would call the police.
14
Top Four (4) E-mails
1. I do not agree. Asking for a high level of fluency in English, when 99.9 percent of the work of the office is in English, is not discriminatory, because we are not requiring “English only,” “unaccented English,” or “native fluency.” The work of [this office] is in English, not Spanish, Portuguese, Chinese or French.
15
Discrimination
I do not agree. Asking for a high level of fluency in English, when 99.9 percent of the work of the office is in English, is not discriminatory, because we are not requiring “English only,” “unaccented English,” or “native fluency.” The work of [this office] is in English, not Spanish, Portuguese, Chinese or French.
16
Web Page Risk
Not Accessible
Defamation
Infringement (being on the Web does not mean “public domain”)
Image Rights
Public Perceptions
17
Copyright Trolls
We all want variety and interest on webpages, PowerPoints, and publications;
But do you want to pay $3690 per picture?
18
Demand letter
“As evidence of Masterfile’s copyright in the image related to this matter, I have attached a copy of Masterfile’s Certificate of Registration VA , issued to Masterfile by The Library of Congress, United States Copyright Office for the registration of Masterfile’s rights-managed image ”
Invoice for $3690 was attached
19
Questions