Chain of Custody Transaction Certification GazillaByte LLC March 2013

ABSTRACT:
It is widely understood that a chain of custody record must be maintained for corporate information as it is transferred between the various information management shareholders; what is less understood is the importance of demonstrating that the chain of custody has not been breached and that measures are in place to ensure that any breaches are detected. In the past, information has only been considered lost when someone required it, looked for it and couldn't find it. While corporate governance laws such as Sarbanes-Oxley and privacy laws such as HIPAA are not prescriptive in their mandating of information management practices, they are clear in their definition of who bears the responsibility for information loss and disclosure. This white paper discusses how Chain of Custody Transaction Certification provides a critical framework for information management best practice and compliance.

Introduction
Increasingly, it is being recognized that information, and more importantly access to information, is the differentiator between failure and success. The recipe for resilient success is now understood to be more than simply being at the right place at the right time; to be successful one must be at the right place at the right time, with the right understanding and the right information. Information is the building block for knowledge, and therefore any loss of information is a severe risk to the potential of all future success.

For a number of reasons, ranging from information protection to information disclosure (agreed or required), information is transferred between stakeholders. As these transactions occur, it is critical that a complete chain of custody record be maintained, and that quality control mechanisms are in place to ensure the chain of custody record is accurate and reflective of reality.

While the mechanisms for establishing a chain of custody framework are nothing new, these mechanisms have been traditionally built upon the flawed premise that information is not lost unless it cannot be found. This very definition of loss is not consistent with the original objectives of establishing a chain of custody.

Chain of Custody Transaction Certification (CCTC) inverts the contemporary nature of a chain of custody, in that it places a burden of proof upon each stakeholder in the chain of custody to make representations that they have taken ownership of each individual item. The effect of CCTC is to conservatively redefine loss as anything which has not been accounted for, rather than simply what has been searched for and cannot be located. In addition to redefining the terms of loss, CCTC provides a formal mechanism for chain of custody quality control and, most importantly, a trigger for the immediate resolution of loss.

GazillaByte LLC 2012 | Chain of Custody Transaction Certification

The consequences of information loss


The consequences of information loss are often poorly understood, and therefore rarely clearly defined. This lack of definition is a primary contributor to negative information management outcomes, which regularly result in information loss.

The difficulty in defining the consequence of information loss is that the value of information is often circumstantial and relative to a prediction of the potential value of that information. As an illustration, a computer backup is often seen as having little to no value until the primary copy is lost. In this case, the primary copy has diminished value, based upon the existence of a backup, while at the same time the backup has little to no value based upon the existence of the primary copy. In the event that the primary copy is lost, the backup transitions from having a low value to being invaluable. It is therefore critical that all information be seen, not for its point-in-time value, but for its absolute potential value.

Taking into account the potential value of all information, information loss can result in:

1. Irreparable and irreversible loss of business function.
2. Loss of future business potential.
3. Breaches in client confidentiality resulting in litigation and loss of reputation.
4. Fines and criminal proceedings.

How Certification works


The Certification mechanism involves three stakeholders:

1. The information Owner.
2. One or more information Custodians.
3. The Transaction Certifier.

On an agreed schedule:

1. The information Owner provides the Certifier with a complete inventory of all certifiable items, along with who should be in custody of each item.
2. The Certifier creates a list of items whose custody differs from the previous certification period.
3. The Certifier sends an electronic document, digitally signed with the Certifier's digital certificate, to each of the information Custodians, listing all items they are to return and all items they are to take custody of.
4. After an agreed period, all information Custodians provide the Certifier with a complete list of all items they have in their possession.
5. Based upon the representations made by the Custodians to the Certifier, if all items held by the Custodian correspond with the directives of the Owner, the Certifier will issue a digitally signed electronic certificate document to the Owner and each of the Custodians.
6. In the event that a certificate cannot be issued, the Custodian will be issued a detailed formal explanation for denial of certification and given an agreed period of time to represent that they have remedied the identified problems.
7. If the Custodian fails to obtain certification, the Certifier will issue a Notice of Intent to Certify Loss to the Custodian and the Owner, giving the Custodian an opportunity to remedy their representation of custody.
8. If the Custodian fails to remedy the problem in their representation of custody, the Certifier will issue a Certificate of Loss to both the Owner and Custodian.
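The certification cycle above can be sketched as a reconciliation routine. This is an added example, not code from GazillaByte or TapeTrack; it assumes one remedy opportunity per escalation stage, uses constructed item and Custodian names, and substitutes HMAC-SHA256 with a demo key for the Certifier's certificate-based digital signature so that it runs with the standard library only.

```python
import hashlib
import hmac
import json

# Assumption: HMAC with a demo key stands in for the Certifier's digital signature.
CERTIFIER_KEY = b"demo-key-not-for-production"
# Escalation order from steps 5-8; index = failed representations so far.
OUTCOMES = ["Certificate", "Denial of Certification",
            "Notice of Intent to Certify Loss", "Certificate of Loss"]

def sign(doc):
    """Wrap a document with a MAC computed over its canonical JSON form."""
    body = json.dumps(doc, sort_keys=True).encode()
    return {"doc": doc, "sig": hmac.new(CERTIFIER_KEY, body, hashlib.sha256).hexdigest()}

def verify(signed):
    """Recompute the MAC so any edit to the document after signing is detected."""
    return hmac.compare_digest(sign(signed["doc"])["sig"], signed["sig"])

def directives(previous, current):
    """Steps 2-3: per Custodian, the items to return and to take custody of."""
    out = {}
    for item in sorted(set(previous) | set(current)):
        old, new = previous.get(item), current.get(item)
        if old != new:
            for custodian, action in ((old, "return"), (new, "accept")):
                if custodian:
                    out.setdefault(custodian, {"return": [], "accept": []})[action].append(item)
    return {c: sign({"custodian": c, **d}) for c, d in out.items()}

def certify(custodian, current, reported, failed_attempts=0):
    """Steps 4-8: compare the Custodian's representation with the Owner's inventory."""
    expected = {item for item, holder in current.items() if holder == custodian}
    unaccounted = sorted(expected - set(reported))  # loss = anything not accounted for
    unexpected = sorted(set(reported) - expected)   # held, but not assigned by the Owner
    clean = not unaccounted and not unexpected
    outcome = OUTCOMES[0] if clean else OUTCOMES[min(failed_attempts + 1, 3)]
    return sign({"custodian": custodian, "outcome": outcome,
                 "unaccounted": unaccounted, "unexpected": unexpected})

# Constructed Owner inventories (item -> Custodian) for two consecutive periods.
PREVIOUS = {"TAPE001": "vault-a", "TAPE002": "vault-a", "TAPE003": "vault-b"}
CURRENT = {"TAPE001": "vault-a", "TAPE002": "vault-b",
           "TAPE003": "vault-b", "TAPE004": "vault-a"}
```

An item the Owner assigned but the Custodian did not report is flagged as unaccounted without anyone having searched for it, which is the redefinition of loss the paper describes.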

Why Certification works


Certification works because it places the burden of proof upon the information Custodians to make representations that they have accepted custody of each and every information item. This is a fundamental shift in the nature of the relationship between the information Owner and the information Custodian, in that it no longer requires the information Owner to prove that the information Custodian is in breach of their contractual obligations.

Certification not only clarifies the obligations of the information Custodian to demonstrate that they are in compliance with the management agreement, but it also provides leverage for the information Owner to remedy problems in the chain of custody and, should necessity dictate, protect their interests by terminating the agreement with the information Custodian.

While the certification process is clearly defined, the way that it is contractually implemented between the information Owner and the information Custodians is completely at the discretion of the parties. The parties may agree on any number of terms and triggers which relate to certification. These can include:

1. An agreed certification schedule.
2. The number of remedy opportunities an information Custodian may be allowed before being denied certification of the transaction.
3. Circumstances under which an information Custodian may be able to charge for transactions where certification was denied.
4. The course of action which must be taken when certification is denied.
5. The number of times an individual item can fail certification before it is certified as permanently lost.
6. The payment of restitutions for items which are certified as permanently lost.

Not only do these contractual measures bring a higher degree of certainty to the contract between the information Owner and the information Custodians, they provide an agreed measure to the agreement which inherently provides a high degree of quality control.

About GazillaByte
GazillaByte LLC is based in Colorado USA where it develops and supports its flagship TapeTrack tape management software. Today TapeTrack is used by over 4000 enterprises around the world. These companies range from the top of the Fortune 500 through to newly created technology companies that you are yet to hear of. To learn more about TapeTrack, visit the product website at www.tapetrack.com, or call GazillaByte LLC on +1-720-583-8880 to organize a free 90 day no obligation trial of our unique technology.
