http://www.theregister.co.uk/2005/06/14/secfocus_enron/ By Mark Rasch, SecurityFocus 14th June 2005 The worst thing you can do, of course, is to almost destroy these documents. There is an axiom in the world of electronic documents and records - "delete doesn't and restore won't." Indeed, forensic document recovery and reconstruction is a multi-million dollar business. Most companies have an ill-used document retention and destruction policy. In the wake of the United States Supreme Court's ruling in the Arthur Anderson case, a significant question was raised about how companies should draft and apply their policies regarding document retention and destruction, as well as the liability of all parties - including computer security professionals - for assisting in the destruction of electronic records. Unfortunately, rather than clarifying the situation, the Supreme Court's ruling may embolden those who wish to use security professionals for at best unethical and at worst illegal purposes. Document destruction policies Almost every large institution, government, commercial, or non-profit organization has some form of express or implied document retention or document destruction policy. Retention policies are much easier to develop than those for the destruction of documents. Essentially, any document that is required to be maintained by law (such as accountant audit papers, tax records, records relating to securities laws, contracts, etc.) should be retained for the time and in the form that is mandated by law. While this is simple in theory, it is more difficult in practice, as individual documents may be covered by a host of laws or regulations in a myriad of jurisdictions. For paper records, in a sense, it is less complicated. Typically, an employee retains paper documents either in a file or a pile until it is time to clean up. Then perhaps they will come into work wearing jeans, armed with a huge dumpster, and individually review files (carefully or not) and toss whatever does not appear needed or required (does one need those three year old copies of People magazine?). Thus, for paper records the default is only to store or archive that which appears to be needed, although this tends to depend on the vagaries of the individual - some being hopelessly disorganized, some suffering advanced Clean Desk Syndrome, and some being the ultimate pack rats. For electronic records, however the problem is much more complicated. First, as information security professionals, we are always concerned about maintaining the availability of information. Thus, we stress the need for frequent backups of data - onto external tape or hard drives and other removable media. Network data is backed up hourly, daily, weekly and monthly. Information is archived continuously, and frequently at a remote location. Thus, information exists in multiple locations. A typical corporate e-mail likely exists in as many as a dozen places - the sender's laptop (in three or four places) the outbound mail server, the backup of that server, the inbound mail server, the recipient’s computer, any CC's and of course, any potential printouts. Add to that the problem of telecommuters and people working from their personal PC's, people using USB thumb drive storage, and other portable hard drives (think iPod), and you are presented with a logistical nightmare. Why should an organization have document destruction policies? In the physical world, there is a very good reason to have a document destruction policy. There are only so many dead trees we can store - either at our office location or remotely. Storage is expensive, and it serves no purpose for documents that are no longer required to be kept or are no longer useful for our ongoing business. Indeed, because of the inability to quickly retrieve paper documents, they only represent a cost to the company. However, in the electronic world, storage costs are much lower. Indeed, to a great extent, it may be more expensive to effectively delete documents than it is to simply retain them. This is because the backups have already been made in the ordinary course of business. To delete documents, a company would have to remount the backup tapes, examine the files, determine which are needed and which are no longer needed, and effectively delete those that are no longer needed. They would archive the ones that are potentially needed, and repeat this process periodically. In addition, because the documents are stored in multiple locations, in order to be assured that a document was, in fact, deleted, this process would have to be repeated on multiple backups, desktops, laptops, etc. If a document is only partially deleted, then you still are required to produce the document in discovery, but you have greatly increased the cost of compliance. Generally, it is much cheaper to just store the documents. So why have a destruction policy for electronic records? To lawyers, the world is divided into two classes of people: defendants, and people who are going to become defendants. The thing that sets potential defendants apart is the fact that somebody is going to want their documents - perhaps a disgruntled former employee, an injured party, a former client or customer, a competitor, a regulator or prosecutor. Modern litigation is the art of discovery, which means making the other side pony up their records. The more records they have, the more expense, and the more information that might be potentially useful in litigation. Case-law is rife with offhand e-mails, memoranda and even preserved instant messages which become Exhibit One in a case against the company. Thus, a typical corporate document destruction policy might say that any document which is not required to be kept by law, or needed for the ongoing business of a company is to be deleted and destroyed after - oh, say, 15 seconds? Another reason for a document destruction policy is to protect privacy. Recent cases of theft or unauthorized access to massive databases of personal information point out the potential liabilities to companies for retaining such databases - particularly in an unsecured manner. What is worse for the companies suffering such breaches is the fact that the data stored may not even be needed by the company anymore, and may be outdated or obsolete. Thus, it represents only a potential liability to the company. The Anderson/Enron case Arthur Anderson was, of course, the accountant for the Enron Corporation. When Enron began to implode, one of Anderson's senior partners reminded employees about the Anderson document destruction policy, and advised them that "[I]f it's destroyed in the course of [the] normal policy and litigation is filed the next day, that's great. [W]e've followed our own policy, and whatever there was that might have been of interest to somebody is gone and irretrievable.' A short while thereafter, knowing both that Enron was imploding and that the relationship between Enron and Anderson would likely be under government scrutiny, Anderson's lawyer kept reminding the Enron team about the document retention policy and the need for them to adhere to it - nudge nudge, wink wink, know what I mean? Clearly the Enron team did, and they took the legal advice as a clear signal to start shredding thousands of documents. It was only after Arthur Anderson received a subpoena for the production of documents that they told employees to "stop shredding." The Supreme Court decision As read by the Supreme Court in the United States, the statute that Anderson was convicted of violating made it a crime to, "knowingly … corruptly persuad[e]" another person "with intent to … cause" that person to "withhold" documents from, or "alter" documents for use in, an "official proceeding." The problem with the conviction lay not in the charges, but rather with the way the jury was instructed on what was "corrupt." Ordinarily, to act "corruptly" implies that you do something more than willful and knowing, that you have some evil intent. The normal jury instruction regarding what is "corrupt" defines it as to act "knowingly and dishonestly, with the specific intent to subvert or undermine the integrity" of a proceeding. It would have been fine if the jury was told that. But, at the insistence of the government, the jury was told that there was no need for them to find that Anderson acted "dishonestly" and that it was enough if the accountants acted knowingly and with the intent to "impede" an investigation - even if they didn't know that there was a formal investigation. That's where the trial court went wrong. Virtually every document destruction policy is designed knowingly to "impede" some investigation at some date. I mean, that's why we are deleting the documents, after all - so they won't be there in the event of some later demand for them, whether by civil litigants, administrative agencies, or a federal grand jury. But not every document destruction is done "corruptly." The term means something more. The Supreme Court noted that "[d]ocument retention policies," which are created in part to keep certain information from getting into the hands of others, including the Government, are common in business. . . .It is, of course, not wrongful for a manager to instruct his employees to comply with a valid document retention policy under ordinary circumstances." As part of the Sarbanes Oxley legislation, the federal law used in the Anderson prosecution has been extended and modified to include not only inducing someone corruptly to destroy documents, but also to corruptly destroy them yourself. But it still must be done "corruptly," in other words, with some wrongful intent! The funny thing about the Anderson case is that, if properly instructed - whether under the old law, or the new one (which doesn't apply retroactively, of course) - a jury could still have convicted Anderson. Look, they knew that an investigation was on the way. The law did not require that the investigation actually have been started for them to have acted "corruptly." The instructions about the document destruction policy were targeted at the Enron team with the knowledge and clear intent that the documents must be destroyed so they would not be available for a specific investigation of specific wrongdoing. Or, at least a jury could so conclude from the evidence. It was the wording of the jury instruction that offended the Supreme Court, since it broadened the law to potentially criminalize every document destruction policy. Advice for the future So, how should this affect my document retention and destruction policy? The answer is, not very much. First, you should establish a clear and reasoned and workable policy. Second, to the greatest extent possible, security professionals should automate the process of document destruction (and ensure that the destruction includes all the many places where the document may exist) so you eliminate the inference that you deleted the documents for a nefarious reason. Any time you rely on employees to delete documents manually, you can be virtually assured that the documents won't be deleted - or won't be deleted properly. Your policy should ensure that it is applied to active and archived documents equally, and paper and electronic documents. Once you know, or reasonably should know that particular documents or categories of documents may be relevant to an actual or anticipated investigation or litigation, your document destruction policy should be suspended. While you can wait until the subpoena arrives (like Anderson did) before suspending the policy, provided that you don't act corruptly, you run the risk not only of criminal indictment but also a finding of what the law calls "spoliation" - the willful destruction of evidence or the failure to preserve potential evidence for another's use in pending or future litigation. In such a case a court could, in addition to finding you in contempt, allow a negative inference to be made in a civil case about what the missing documents would show, then order you at your own expense to attempt to reconstruct any missing documents, order you to pay fines, fees and costs, or otherwise punish you and your company. The post-Enron federal law has created broad categories of documents that must be retained and turned over, including for example the accounting work papers Anderson shredded. Companies should not take the recent Supreme Court decision as a green light to fire up the shredders, however. At best, it's a yellow light turning red. So my advice is either don't shred, or find a list of countries that don't allow extradition. And remember, even though Anderson won the battle, don't forget who won the war. Copyright © 2005, Mark D. Rasch, J.D., is a former head of the Justice Department's computer crime unit, and now serves as Senior Vice President and Chief Security Counsel at Solutionary Inc. _________________________________________ Attend the Black Hat Briefings and Training, Las Vegas July 23-28 - 2,000+ international security experts, 10 tracks, no vendor pitches. www.blackhat.com
This archive was generated by hypermail 2.1.3 : Tue Jun 14 2005 - 23:20:31 PDT