Security Watch

Electronic Discovery: When Data Retention Is a Bad Idea

Regulatory measures are forcing companies to store heaps of sensitive data that could be exploited by the bad guys.

Since the migration of business from paperwork to electronic records, the process of discovery in legal actions has come to consist of detailed electronic searches. This has created a new industry, electronic discovery, typically outsourced to such providers as Kroll Ontrack.

Companies keep more and more business data in electronic form as the cost of storage drops and regulations like Sarbanes-Oxley require companies to preserve data for legal and accounting purposes. Michael Clark, analyst for EDDix, estimates the industry to be worth $2 billion and growing at 35 percent a year.

E-discovery services are not limited to law firms: Many companies contract such services to proactively find regulatory problems in their archives. E-discovery services examine company archives to find relevant files, preserve them for use in court and give access to lawyers who need to analyze the data as evidence. As companies seek to reduce discovery costs, discovery features may be added to storage solutions.

This is likely going to evolve into a real problem for business. If governments mandate data retention and significant retention periods (such as two years), then we will likely see more and more nuisance subpoenas. The cost of responding to or resisting those subpoenas will be significant.

Another concern about e-discovery is that, with the dramatic drop in storage media costs, IT departments may become lax about determining what data they should be storing and what should be trashed. The more data a company has stored, the more vulnerable it will be to such problems and costs.

Some have insisted for years that IT should retain e-mail only as long as it takes to ensure that it's delivered. After that, they ought to purge it. Any decision about whether or not it should be retained should be made by the sender and receiver of the e-mail. We don't want to automate that process.

Mandating retention will result in all kinds of fishing expeditions, and I think it's going to become a major problem. The subpoena that Google is resisting right now is a perfect example -- they're damned if they do and damned if they don't.

In the U.K., it's no longer a question of whether or not data must be retained, but how long it must be retained for. The unintended consequences of insisting on retention seem not to have been considered.

To further illustrate the potential problems, Brian Sartin of Cybertrust's Forensic Investigations organization said in a recent discussion that in a considerable number of the credit card number loss cases the team has worked on, the company in question was unaware that the credit card numbers were in the data at all. Companies might be aware of some files that would or should contain such details, but were unaware that other files were storing them as well. As such, a company may well believe it has done a good job of protecting such sensitive information, yet still have it compromised. Extending this thought to e-discovery, if the files that are being archived contain information the company is unaware of, then that data may be discoverable in the future when it might otherwise not have to be.

Remember, too, that today's electronic archives make discovering information very timely and accurate. Searching microfiche or paper was incredibly time-consuming and very expensive, even if indexes had been created. Electronic data can be trivially searched for anything the searcher may desire.

Further, how data is stored makes a significant difference to what can be retrieved. For example, if archiving is automatic and deletion from the archive happens only after the data has been transferred, then it may be possible to recover the deleted items from the physical media on which the archive was created. Ergo, archiving should be done in a filtered fashion, such that the deletion occurs by not archiving in the first place.
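
One way to apply the filtered archiving described above, and to catch card numbers sitting in files nobody expected to contain them, is to screen each document before it is ever written to archive media. This is an added example, not part of the original column; the function names, file names and sample text are assumptions constructed for illustration.

```python
import re

# Candidate card numbers: 13-19 digits, optionally separated by single spaces or hyphens.
PAN_CANDIDATE = re.compile(r"(?<!\d)\d(?:[ -]?\d){12,18}(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list[str]:
    """Return masked forms of every Luhn-valid candidate found in text."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            # Keep first six and last four digits only, so the report is not itself sensitive.
            hits.append(digits[:6] + "*" * (len(digits) - 10) + digits[-4:])
    return hits


def partition_for_archive(documents: dict[str, str]):
    """Split documents into (to_archive, held_back) before anything is written."""
    to_archive, held_back = {}, {}
    for name, body in documents.items():
        hits = find_card_numbers(body)
        if hits:
            held_back[name] = hits  # never reaches archive media
        else:
            to_archive[name] = body
    return to_archive, held_back


# Constructed sample input; 4111 1111 1111 1111 is a widely used test number.
SAMPLE = {
    "invoice.txt": "Order 1234567890123456 shipped on 2006-02-01.",
    "support_note.txt": "Customer read out card 4111-1111-1111-1111 over the phone.",
    "memo.txt": "Quarterly storage costs fell again.",
}

if __name__ == "__main__":
    archive, held = partition_for_archive(SAMPLE)
    print(sorted(archive), held)
```

The Luhn check keeps the 16-digit order number in `invoice.txt` from being flagged, while the support note is held back and never written to the archive.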

Data retention laws are proposed and adopted with all sorts of good intentions. The implications of what they're implementing don't begin to dawn on those responsible for such laws. This is accountability carried to terrible extremes. Let's not become part of the problem.

About the Author

Russ Cooper is a senior information security analyst with Verizon Business, Inc. He's also founder and editor of NTBugtraq, www.ntbugtraq.com, one of the industry's most influential mailing lists dedicated to Microsoft security. One of the world's most-recognized security experts, he's often quoted by major media outlets on security issues.
