
Why Turning Over Thumb Drives to the Cops Can Be Hazardous To Your Defense

There is an article in Cyber Security Docket talking about the SEC’s new strategy of issuing subpoenas for electronic storage devices, or ESDs. Rather than asking for documents, they are asking for the devices themselves.

Without getting into a legal argument about whether the Securities Exchange Act of 1934 (almost a century old) contemplated thumb drives – I will leave that argument to the author of that article, who thinks the answer is no – I think the columnist makes an important point for everyone.

Assuming the thumb drive is not encrypted – or, if it is encrypted, that you do not plan to turn over the password – electronic devices contain a wealth of information that is not obvious.  That is why the current rules of civil procedure require a party to a lawsuit to turn over evidence during discovery in the form the other party requests, as long as that form exists.  If the other side asks for a Word document, you cannot convert it to a PDF or print it out and still be compliant; you have to produce the Word-formatted document.

Turning over a device during discovery is even worse.  Not only do you hand over all of the artifacts inside the document from its old versions, but now you also hand over artifacts on the disk – deleted files, for example – to the other side.
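As an added illustration (not code from the original post), the following Python script shows the first kind of artifact the post refers to: a .docx file is a zip archive whose docProps/core.xml records authors and a revision count, and whose word/document.xml keeps tracked deletions, none of which survive a PDF export or printout. The sample document, its author names and its text are constructed inline for the demonstration.

```python
import io
import xml.etree.ElementTree as ET
import zipfile

# WordprocessingML, core-properties and Dublin Core namespaces used inside a .docx.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC = "http://purl.org/dc/elements/1.1/"


def build_sample_docx() -> bytes:
    """Constructed sample: a minimal .docx with one tracked deletion in the
    body and two author names in its core properties. Not a real document."""
    document_xml = (
        f'<w:document xmlns:w="{W}"><w:body><w:p>'
        '<w:r><w:t>Final wording as released.</w:t></w:r>'
        '<w:del w:author="reviewer"><w:r><w:delText>Earlier draft wording.'
        '</w:delText></w:r></w:del>'
        '</w:p></w:body></w:document>'
    )
    core_xml = (
        f'<cp:coreProperties xmlns:cp="{CP}" xmlns:dc="{DC}">'
        '<dc:creator>alice</dc:creator><cp:lastModifiedBy>reviewer</cp:lastModifiedBy>'
        '<cp:revision>17</cp:revision></cp:coreProperties>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", document_xml)
        z.writestr("docProps/core.xml", core_xml)
    return buf.getvalue()


def inspect_docx(data: bytes) -> dict:
    """Return the hidden artifacts a reviewer should see before a .docx leaves the company."""
    findings = {"authors": [], "revision": None, "deleted_text": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in (f"{{{DC}}}creator", f"{{{CP}}}lastModifiedBy"):
                el = core.find(tag)
                if el is not None and el.text:
                    findings["authors"].append(el.text)
            rev = core.find(f"{{{CP}}}revision")
            if rev is not None and rev.text:
                findings["revision"] = int(rev.text)
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            for d in doc.iter(f"{{{W}}}del"):  # tracked-change deletions
                text = "".join(t.text or "" for t in d.iter(f"{{{W}}}delText"))
                findings["deleted_text"].append((d.get(f"{{{W}}}author"), text))
    return findings


if __name__ == "__main__":
    print(inspect_docx(build_sample_docx()))
```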

The bad news is that you cannot just go off and start wiping disks when you get notified that you may be party to a lawsuit.  Companies have tried that, and judges don’t take too kindly to it.  They often instruct the jury to assume that the deleted evidence would likely have supported the other side – otherwise the party would not have deleted it.  If it supported the party’s own case, they would want it in evidence.

On the other hand, if, as a matter of corporate practice, you have a document retention policy, document destruction policy, media destruction policy, media wiping policy, etc. and you regularly follow those policies, then the company cannot be accused of spoliation – the intentional destruction of evidence.  One caveat to that – once you have been notified that you are likely party to a lawsuit or likely to be charged with a crime, you have to suspend those policies if it is possible that following those policies will destroy evidence.

Still, you greatly reduce the chances of the wrong stuff falling into the wrong hands – including hackers – if you have and follow these policies religiously.  If you don’t have these policies, you should.

During the Microsoft antitrust trial, Microsoft turned over LOTS of emails that hurt their case.  If those things had never been said in email in the first place or, at least, had been expunged in a timely manner as part of Microsoft’s document retention and destruction policies, they would not have existed and would not have had to be turned over.

And this applies to turning devices over to business partners as well.  Splurge.  Unwrap a new flash drive if that is how you are distributing the content to partners.  They are VERY cheap. Just put the content that you want to share on the drive.  If the partner gives the drive back to you, destroy it.  DO NOT REUSE it.  Trust me, this could be way cheaper than the consequences of saving a few bucks by reusing flash drives.



Information for this post came from Cyber Security Docket.