I'd say you need to do a few things:

1. Inventory your data: see what you have, where it is, why you are keeping it, and how big it is.
2. Use the inventory & statutes to define how long each type of data must be kept for.
3. Use the above information to decide what should be kept and for how long, and when purges + wipes should be performed (don't forget about backups as well). Make sure the process can be stopped "easily" in case you are subpoenaed or, I believe, have reasonable knowledge you will be subpoenaed.
4. Follow the program, putting in some checks and balances for CYA.

On Mon, Jan 11, 2010 at 11:59 AM, Adrian Crenshaw <[email protected]> wrote:

> Hi all,
> I'm working on a new article that tries to answer the following question:
>
> When is expunging data valid to avoid e-discovery costs or protect personal privacy, and when would it be considered "destruction of evidence"? Is having a set policy of "records are deleted every x days," or "free hard drive space is wiped nightly" enough, or is more required?
>
> The above question is phrased from the standpoint of a business, but I must admit I’m more interested in the answer from an individual standpoint. For those not in the know, wiping a drive after an investigation has begun (or if you have a reasonable expectation to believe a legal investigation is about to begin) is considered “Destruction of evidence” or “Spoliation of evidence”. Once an investigation is likely to begin, you have what is known as a “duty to preserve”. Two likely outcomes if you are found to have caused spoliation of evidence are:
>
> 1. Prosecution under criminal statutes concerning destruction of evidence (check with a lawyer in your jurisdiction).
> 2. The judge may slap you with a “spoliation-based adverse inference”, which basically means a statement saying that since you destroyed evidence, it is likely there was something incriminating there, and the court should assume it would have helped your adversary’s case.
>
> Now, all that said, there are exceptions made for data that has been removed because of normal, routine processes.
>
> I can think of many valid reasons for wiping a drive's free space routinely:
>
> 1. Protect privacy from others with physical access.
> 2. Fear that the machine might be stolen.
> 3. Donating the machine.
> 4. Reallocating the machine to someone of a different security level.
>
> But would that hold up in a court case? I'm having problems finding case law. I'd imagine no matter what your reasons, prosecutors will try to get a “spoliation-based adverse inference” judgment against you if any drive wiping had been detected. Anyone have experience with this, or know a case where someone did drive wiping for privacy reasons, but the prosecution tried to make it seem like destruction of evidence that may never have been there in the first place?
>
> Adrian
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

--
Tim Krabec
Kracomp
772-597-2349
smbminute.com
kracomp.blogspot.com
www.kracomp.com
