Data destruction: What they can't find can get you 20 years

By Alan E. Brill, Kroll technology Services, and Kristin M. Nimsger, Kroll Ontrack

Computerworld |

Editor's note: This article was originally posted on Feb. 5, 2003 and is being reposted as part of Computerworld's Special Report on Storage.

Every time you watch the video of a senior executive being questioned in a courtroom or in a deposition about an e-mail sent or received several years ago, you probably feel a lot like we do.

You wonder why anyone today could be so dense as to not realize that investigators and litigators have become very computer savvy. They know that a file that has been "erased" is not necessarily gone forever. They understand that e-mails and other computer files that may be lying around are often smoking guns waiting to be found and exploited.

Unfortunately, too few organizations think about this when they aren't in some form of trouble. It could be a government investigation that's being rumored, a lawsuit or class-action suit that you have heard might be filed against your company, or perhaps just a bit of housecleaning before a bankruptcy filing. Doing some discreet housecleaning certainly would seem like a good way to immunize yourself against the re-emergence of stupid and thoughtless (or incriminating) files and messages that may be lurking on backup tapes you have stored in cabinets or on your overburdened servers.


	Alan E. Brill is senior managing director of the Kroll Technology Services Group. Kristin M. Nimsger is a lawyer and product line manager in the Electronic Evidence Services business unit at Kroll Ontrack Inc. Kroll Ontrack is a wholly-owned subsidiary of Kroll Inc., a New York-based company that provides data recovery and electronic evidence software and services.

Good idea? Maybe not, and certainly not before you talk to your company's in-house counsel. In today's business environment, there are times when it is perfectly permissible to purge old e-mails, files and the like. But there are also circumstances in which doing that can earn you a 20-year stint as a guest of the Federal Bureau of Prisons.

Why? Because the legal community has recognized that computer records are key to many investigations and prosecutions.

Following the Paperless Trail

In financial and high-technology crimes and in related civil lawsuits, the computer is often the source of the best evidence. Today it's estimated that 70% of all data on corporate computers is never printed. It follows that investigators who limit their work to printed documents will see only a small part of the total picture.

As investigators were figuring this out, some of the companies under investigation were busy doing the electronic equivalent of sending computerized documents, spreadsheets, databases and e-mails through a very fast and very thorough shredder. Files that could have helped in the investigations were unavailable to either the prosecutors or to the congressional committees that looked into these corporate governance failures.

One of the recent laws passed in response to the corporate calamities of the past couple of years is the Sarbanes-Oxley Act. One of the sections of the act states that anyone who knowingly destroys documents or files that may relate to a federal investigation or a bankruptcy filing can be imprisoned for up to 20 years.

Even without the specific provisions of Sarbanes-Oxley, the legal doctrine concerning "spoliation of evidence" is out there. In its most basic form, it states that if you deliberately destroy evidence that a court order or subpoena ordered preserved, or that you reasonably know is going to be asked for, you can find yourself staring at a contempt-of-court finding or thousands of dollars in fines.

For example, if you know that your company is going to be sued for a product defect and you suddenly decide that it would be a good idea to get rid of potentially damaging e-mails received from people injured by the defect, you are setting up your company for serious sanctions from the court.

None of this should be interpreted as suggesting that you should not have a document-retention policy. Far from it. A well-written policy that calls for deleting e-mails after 30, 60 or 90 days, and for deleting other documents after given periods of time (adhering to applicable document-retention laws and regulations), is probably fine. But you must have a warning system in place by which corporate counsel can advise you to immediately stop erasing data when a lawsuit is anticipated or a bankruptcy is being considered or a company is under investigation by a federal agency. Since this can happen at any time, having a system to stop document destruction rapidly is a business process that we cannot ignore -- but it's one that most of us may not have considered. Would you want to have to stand before a U.S. magistrate and explain why destruction of documents was not halted?

What we are recommending is twofold. First, you should do an inventory to determine exactly what information you are retaining, and for how long. Based on this, you should develop and enforce a retention plan, being sure that you meet the particular rules that apply to business records and that may cover specific kinds of records relating to your industry.

Second, get a briefing from your corporate counsel on your responsibilities for safeguarding records in the event of a lawsuit, governmental investigation or bankruptcy.

Unfortunately, the area of records retention and destruction has become something of a minefield. IT staffers must use all of the resources they have to navigate through the mines safely and lawfully.

The New Rules of Storage

Stories in this report:

Data Center

It’s time to break the ChatGPT habit