[ISN] Shred It!

From: InfoSec News (isn@private)
Date: Tue Jun 14 2005 - 23:05:01 PDT


http://www.theregister.co.uk/2005/06/14/secfocus_enron/

By Mark Rasch, SecurityFocus
14th June 2005 

The worst thing you can do, of course, is to almost destroy these 
documents. There is an axiom in the world of electronic documents and 
records - "delete doesn't and restore won't." Indeed, forensic 
document recovery and reconstruction is a multi-million dollar 
business. Most companies have an ill-used document retention and 
destruction policy. In the wake of the United States Supreme Court's 
ruling in the Arthur Andersen case, a significant question was raised
about how companies should draft and apply their policies regarding 
document retention and destruction, as well as the liability of all 
parties - including computer security professionals - for assisting in 
the destruction of electronic records. Unfortunately, rather than 
clarifying the situation, the Supreme Court's ruling may embolden 
those who wish to use security professionals for at best unethical and 
at worst illegal purposes.


Document destruction policies

Almost every large institution, government, commercial, or non-profit 
organization has some form of express or implied document retention or 
document destruction policy. Retention policies are much easier to 
develop than those for the destruction of documents. Essentially, any 
document that is required to be maintained by law (such as accountant 
audit papers, tax records, records relating to securities laws, 
contracts, etc.) should be retained for the time and in the form that 
is mandated by law. While this is simple in theory, it is more 
difficult in practice, as individual documents may be covered by a 
host of laws or regulations in a myriad of jurisdictions.

For paper records, in a sense, it is less complicated. Typically, an 
employee retains paper documents either in a file or a pile until it 
is time to clean up. Then perhaps they will come into work wearing 
jeans, armed with a huge dumpster, and individually review files 
(carefully or not) and toss whatever does not appear needed or 
required (does one need those three-year-old copies of People
magazine?). Thus, for paper records the default is only to store or 
archive that which appears to be needed, although this tends to depend 
on the vagaries of the individual - some being hopelessly 
disorganized, some suffering advanced Clean Desk Syndrome, and some 
being the ultimate pack rats.

For electronic records, however, the problem is much more complicated.
First, as information security professionals, we are always concerned 
about maintaining the availability of information. Thus, we stress the 
need for frequent backups of data - onto external tape or hard drives 
and other removable media. Network data is backed up hourly, daily, 
weekly and monthly. Information is archived continuously, and 
frequently at a remote location. Thus, information exists in multiple 
locations. A typical corporate e-mail likely exists in as many as a 
dozen places - the sender's laptop (in three or four places), the
outbound mail server, the backup of that server, the inbound mail
server, the recipient’s computer, any CC's and, of course, any
potential printouts. Add to that the problem of telecommuters and
people working from their personal PCs, people using USB thumb drive
storage, and other portable hard drives (think iPod), and you are 
presented with a logistical nightmare.

Why should an organization have document destruction policies?

In the physical world, there is a very good reason to have a document 
destruction policy. There are only so many dead trees we can store - 
either at our office location or remotely. Storage is expensive, and 
it serves no purpose for documents that are no longer required to be 
kept or are no longer useful for our ongoing business. Indeed, because 
of the inability to quickly retrieve paper documents, they only 
represent a cost to the company.

However, in the electronic world, storage costs are much lower. 
Indeed, to a great extent, it may be more expensive to effectively 
delete documents than it is to simply retain them. This is because the 
backups have already been made in the ordinary course of business. To 
delete documents, a company would have to remount the backup tapes, 
examine the files, determine which are needed and which are no longer 
needed, and effectively delete those that are no longer needed. They 
would archive the ones that are potentially needed, and repeat this 
process periodically. In addition, because the documents are stored in 
multiple locations, in order to be assured that a document was, in 
fact, deleted, this process would have to be repeated on multiple 
backups, desktops, laptops, etc. If a document is only partially 
deleted, then you still are required to produce the document in 
discovery, but you have greatly increased the cost of compliance. 
Generally, it is much cheaper to just store the documents. So why have 
a destruction policy for electronic records?

To lawyers, the world is divided into two classes of people: 
defendants, and people who are going to become defendants. The thing 
that sets potential defendants apart is the fact that somebody is 
going to want their documents - perhaps a disgruntled former employee, 
an injured party, a former client or customer, a competitor, a 
regulator or prosecutor. Modern litigation is the art of discovery, 
which means making the other side pony up their records. The more 
records they have, the more expense, and the more information that 
might be potentially useful in litigation. Case-law is rife with 
offhand e-mails, memoranda and even preserved instant messages which 
become Exhibit One in a case against the company. Thus, a typical 
corporate document destruction policy might say that any document 
which is not required to be kept by law, or needed for the ongoing 
business of a company is to be deleted and destroyed after - oh, say, 
15 seconds? Another reason for a document destruction policy is to 
protect privacy. Recent cases of theft or unauthorized access to 
massive databases of personal information point out the potential 
liabilities to companies for retaining such databases - particularly 
in an unsecured manner. What is worse for the companies suffering such 
breaches is the fact that the data stored may not even be needed by 
the company anymore, and may be outdated or obsolete. Thus, it 
represents only a potential liability to the company.


The Andersen/Enron case

Arthur Andersen was, of course, the accountant for the Enron
Corporation. When Enron began to implode, one of Andersen's senior
partners reminded employees about the Andersen document destruction
policy, and advised them that "[I]f it's destroyed in the course of
[the] normal policy and litigation is filed the next day, that's
great. [W]e've followed our own policy, and whatever there was that
might have been of interest to somebody is gone and irretrievable." A
short while thereafter, knowing both that Enron was imploding and that
the relationship between Enron and Andersen would likely be under
government scrutiny, Andersen's lawyer kept reminding the Enron team
about the document retention policy and the need for them to adhere to
it - nudge nudge, wink wink, know what I mean? Clearly the Enron team
did, and they took the legal advice as a clear signal to start
shredding thousands of documents. It was only after Arthur Andersen
received a subpoena for the production of documents that they told
employees to "stop shredding."


The Supreme Court decision

As read by the Supreme Court in the United States, the statute that 
Andersen was convicted of violating made it a crime to "knowingly …
corruptly persuad[e]" another person "with intent to … cause" that 
person to "withhold" documents from, or "alter" documents for use in, 
an "official proceeding." The problem with the conviction lay not in 
the charges, but rather with the way the jury was instructed on what 
was "corrupt." Ordinarily, to act "corruptly" implies that you do 
something more than willful and knowing, that you have some evil 
intent. The normal jury instruction regarding what is "corrupt" 
defines it as to act "knowingly and dishonestly, with the specific 
intent to subvert or undermine the integrity" of a proceeding. It 
would have been fine if the jury was told that. But, at the insistence 
of the government, the jury was told that there was no need for them 
to find that Andersen acted "dishonestly" and that it was enough if
the accountants acted knowingly and with the intent to "impede" an 
investigation - even if they didn't know that there was a formal 
investigation.

That's where the trial court went wrong. Virtually every document 
destruction policy is designed knowingly to "impede" some 
investigation at some date. I mean, that's why we are deleting the 
documents, after all - so they won't be there in the event of some 
later demand for them, whether by civil litigants, administrative 
agencies, or a federal grand jury. But not every document destruction 
is done "corruptly." The term means something more.

The Supreme Court noted that "'[d]ocument retention policies,' which
are created in part to keep certain information from getting into the
hands of others, including the Government, are common in business. . . .
It is, of course, not wrongful for a manager to instruct his
employees to comply with a valid document retention policy under
ordinary circumstances." As part of the Sarbanes-Oxley legislation,
the federal law used in the Andersen prosecution has been extended and
modified to include not only inducing someone corruptly to destroy 
documents, but also to corruptly destroy them yourself. But it still 
must be done "corruptly," in other words, with some wrongful intent!

The funny thing about the Andersen case is that, if properly
instructed - whether under the old law, or the new one (which doesn't
apply retroactively, of course) - a jury could still have convicted
Andersen. Look, they knew that an investigation was on the way. The
law did not require that the investigation actually have been started 
for them to have acted "corruptly." The instructions about the 
document destruction policy were targeted at the Enron team with the 
knowledge and clear intent that the documents must be destroyed so 
they would not be available for a specific investigation of specific 
wrongdoing. Or, at least a jury could so conclude from the evidence. 
It was the wording of the jury instruction that offended the Supreme 
Court, since it broadened the law to potentially criminalize every 
document destruction policy.


Advice for the future

So, how should this affect my document retention and destruction 
policy? The answer is, not very much.

First, you should establish a clear and reasoned and workable policy. 
Second, to the greatest extent possible, security professionals should 
automate the process of document destruction (and ensure that the 
destruction includes all the many places where the document may exist) 
so you eliminate the inference that you deleted the documents for a 
nefarious reason. Any time you rely on employees to delete documents 
manually, you can be virtually assured that the documents won't be 
deleted - or won't be deleted properly. Your policy should ensure that 
it is applied to active and archived documents equally, and paper and 
electronic documents. Once you know, or reasonably should know, that
particular documents or categories of documents may be relevant to an
actual or anticipated investigation or litigation, your document
destruction policy should be suspended. While you can wait until the
subpoena arrives (like Andersen did) before suspending the policy,
provided that you don't act corruptly, you run the risk not only of 
criminal indictment but also a finding of what the law calls 
"spoliation" - the willful destruction of evidence or the failure to 
preserve potential evidence for another's use in pending or future 
litigation. In such a case a court could, in addition to finding you 
in contempt, allow a negative inference to be made in a civil case 
about what the missing documents would show, then order you at your 
own expense to attempt to reconstruct any missing documents, order you 
to pay fines, fees and costs, or otherwise punish you and your 
company.

The post-Enron federal law has created broad categories of documents 
that must be retained and turned over, including for example the 
accounting work papers Andersen shredded. Companies should not take
the recent Supreme Court decision as a green light to fire up the
shredders, however. At best, it's a yellow light turning red. So my
advice is either don't shred, or find a list of countries that don't
allow extradition. And remember, even though Andersen won the battle,
don't forget who won the war.

Copyright © 2005, 


Mark D. Rasch, J.D., is a former head of the Justice Department's 
computer crime unit, and now serves as Senior Vice President and Chief 
Security Counsel at Solutionary Inc.


