Fess Up and Clean Up (was "Data Retention Policy")
Hello Dave,
I'm a security consultant with 16 years of computer forensic experience.
Email is a no-brainer. Any computer conversation with two or more parties can be reconstructed. I've worked several cases where one or more parties went out of their way to delete and erase data - we still recovered it.
I've worked a few cases where the subject involved worked in IT or InfoSec and took steps to erase their data. In each case we still recovered enough information to make a conclusive decision (one guy is still in prison). I worked another case where a subject used milspec technology to wipe their drive. In this case my client was motivated to use short wavelength laser interferometry to attempt to recover data. We did and it worked.
Based on the hundreds of cases I have been involved with I would state the following:
It is very difficult for a single individual working alone to hide all evidence of their activities. If the activity involves two or more people it is almost impossible to eliminate all the evidence. In all of my work having ready access to all the data has always worked to the benefit of my client. 90% of the time it has exonerated them and 10% of the time it has allowed them to quickly and quietly settle the issue.
Michael Berman
What struck me most was Michael's comment about "quick and quiet settlement", because it matched a lesson from my personal experience. Several years ago I violated insider trading rules. I had a money manager who somehow forgot that I was a NetApp insider. (Doh!) I found out during an annual review that he had purchased NetApp stock on my behalf during a quiet period and it had made a profit. I hadn't personally done anything wrong, but I still had a legal problem.
Let's contrast my experience with Martha Stewart's. As soon as I discovered the problem, I went to the SEC and said, "Here's what happened - how do we clean it up?" I had to sell the stock and pay back the profit, but notice I'm not in jail. This kind of mistake is apparently not all that unusual, and the SEC had a mechanism to handle it. In other words, we quickly settled the issue. Notice what a different path Martha Stewart went down! I don't know whether her mistake was as innocent as mine, but everything I've heard leads me to believe that she would have been much better off settling as soon as she realized there was a problem. As they say, "It's not the crime that gets you. It's the cover-up."
Here's the point from a corporate perspective. I believe that in most cases when something illegal has happened at a company, the situation is very much like my personal one. Somebody made a mistake - perhaps innocent, perhaps not - but either way, a law has been broken. The individual who made the mistake may end up fired or worse, but from the company's perspective, it's always going to be better in the long run to fess up and clean up.
In short, Michael argues that you are better off with a strong data retention policy even in situations where it does prove that you did something wrong. And of course, if the data proves that nothing illegal happened, then so much the better.