I think Patrick, as usual, makes a number of excellent points. This one,
however, stood out:
<snip>
So my concern is (and has been since the Disappearing Inc product first came
out) how two different companies find mutual ground on the exchange of this
sort of document? Do we need to agree upon international standards for
retention of DRM-protected documents? Do companies need to negotiate records
retention schedules for DRM-protected documents?
</snip>
This should be a priority for the standards efforts of an association
dedicated to keeping information available and accessible as long as
required.
My tuppence on a hot Colorado afternoon,
Jesse Wilkins
CDIA+, LIT, ICP, edp, ermM, ecmS
IMERGE Consulting
[log in to unmask]
(303) 574-1455 office
(303) 484-4142 fax
YIM: jessewilkins8511
Chair, AIIM Master Accreditation Committee
Chair, ARMA Glossary Task Force
-----Original Message-----
From: Records Management Program [mailto:[log in to unmask]] On Behalf
Of Patrick Cunningham
Sent: Wednesday, August 09, 2006 1:55 PM
To: [log in to unmask]
Subject: Digital Rights Management and Forced Retention WAS Re: [RM] FW:
Stellent Acquires SealedMedia and Bitform
This has been my question ever since Disappearing, Inc. rolled out a similar
product a number of years ago (while I always thought that was an incredibly
apt name for the company, they have since been merged into another
organization).
I think the concept of DRM governing the availability of an electronic
record in accord with an approved records rtenetion schedule is an
interesting idea. You can limit distribution of a document and ensure that
it is effectively made unavailable after the retention period is complete.
However, the "document" will still exist, albeit in an encrypted form.
Ideally, the DRM system would then want to periodically sweep through a
repository and delete those documents for which the key has expired. Problem
is, documents which have been removed from the repository may continue to
exist because the system has no way to know where they reside (or their
location is outside the network). So what about these? An email from one
relevant party to another may exist, but the content will be unknown. A Word
document exists, but it is completely encrypted. In theory, that encryption
could be broken, but it would require a considerable effort. So the question
then is, would the court simply allow an opposing attorney to infer the
content of an encrypted document, would the document producer be forced to
try and decrypt it, or would the document be considered "destroyed" within
the context of the records retention program? Arguably, you might compare it
to a case where an employee was taking home sacks of shredded paper to use
in his or her Ebay business. If litigation began and discovery was ordered,
would a company be forced to reassemble the shredded documents simply
because an employee was in possession of the shredded remains?
So that deals with enforcement of retention schedules within an
organization.
The same technology works outside the foru walls of an organization.
If two businesses have a relationship that involves the exchange of
DRM-protected documents, what happens when one party's retention schedule
calls for a shorter retention period than the other's? So Company A creates
a purchase order for a million widgets to be bought from Company B. The
purchase order is protected by the DRM system and has a retention period on
Company A's system of 90 days for some reason. Company B gets the purchase
order and ramps up production and staffing to produce the million widgets.
The widgets take a while to produce and after 120 days, the million widgets
are shipped, along with a bill for Company A. Company A gets the widgets and
the bill and calls Company B to let them know that they ordered 1000
widgets, not 1 million. Company B says that the purchase order clearly
states... uh oh. Company A says that Company B must have entered the order
incorrectly. Company B says that they entered the order correctly and it
must have been Company A's mistake. The widgets, by the way, are a custom
item and cannot be used for anything else. I believe that some lawyers are
about to get rich.
So my concern is (and has been since the Disappearing Inc product first came
out) how two different companies find mutual ground on the exchange of this
sort of document? Do we need to agree upon international standards for
retention of DRM-protected documents? Do companies need to negotiate records
retention schedules for DRM-protected documents?
Has anyone dealt with this issue yet?
Patrick Cunningham, CRM
--- Deidre Paknad <[log in to unmask]> wrote:
> The notion of using encryption to end the retention lifecycle of a
> document is an interesting one. The document still exists physically
> although it is very very difficult (expensive) to open. Is it
> therefore discoverable and what obligations if any might companies
> have to produce it in litigation? If the keys exist somewhere
> (anywhere), then are there instances where that file must be collected
> and produced? Certainly, the preservation and legal holds
> issues will be non-trivial in terms of managing the keys. Disposal
> of keys rather than the file is sort of the opposite of the DoD
> erasure standard isn't it?
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
List archives at http://lists.ufl.edu/archives/recmgmt-l.html
Contact [log in to unmask] for assistance
|
