Case Analysis:
-1- Our topic is not business ethics, nor is it the fine points of what constitutes obstruction of justice. So we need not formulate an opinion on whether Frank Quattrone deserves what has happened to him since December 2000. However, from a literary perspective, what a great drama!
When one reads the indictment, one is amazed how Frank Quattrone's fate is decided in little more than 48 hours, from December 3 to December 5, culminating with the forwarding of another's email about "file cleaning" with a mere 22 words of recommendation: "[H]aving been a key witness in a securities litigation case in south texas (miniscribe) i strongly advise you to follow these procedures."
For want of a nail, the whole kingdom was lost. This case vividly recalls the old Mother Goose rhyme. Consider that at the time, back in 2000, emails were off-the-cuff, ill-written, ill-spelt messages no different, if more convenient, than ephemeral phone calls. No one yet realized the impact corporate email could have in a court of law. Today emails are still ill written, but everyone knows the first target of discovery in a lawsuit against an organization is its email archive, a treasure trove of evidence for eager prosecutors looking to prove recklessness and malfeasance.
-2- The first lesson of the case is of course the importance and complexity of how to dispose of information.
We have seen in previous chapters that information is precious and as such, must be protected from internal as well as external threats. Once created in a recordable format, information unfortunately remains an issue even when it is no longer wanted. Frank Quattrone's case is about the lasting power of informal documents:
- working notes made about securities offerings (including IPOs), which company policy said should have been routinely destroyed, keeping the official documents as the only record
- email exchanges between First Boston employees, including Frank Quattrone, which allowed the prosecution to document the obstruction of justice
One should not be too surprised. After all, history shows clearly how the written record, on which it is based, often escapes from those responsible for the information. Some written records last much longer than their authors may hope or comprehend. Haven't archeologists been digging up accounting archives in Mesopotamia since the 19th century? Did the authors of all those clay tablets more than three thousand years ago really envision how devastating fires would cook their tallies of crops and flocks into such durable bricks? Then again, how many papyri of great value were irretrievably lost in the fire which consumed the library of Alexandria?
One might be tempted to think that our information age better links safekeeping to usefulness, but this is not so. Previous eras suffered from the exorbitant price of making a copy. While the very opposite, cheapness of replication by photocopiers and now computers, holds true today, the result is similar. It is difficult to ensure both:
- safe deletion, because it is hardly possible to track down all copies made of an original, and
- practical retention, because efficient ways to track down the relevant copy among shifting mountains of data are hard to certify
-3- Since neither safe deletion nor practical retention is a given, it is imperative that organizations put in place relevant policies. As for information security, such policies stem from a combination of business sense and legal compliance. In the emails quoted in the indictment, First Boston for example refers to its "document retention policy". It is important to understand that a "retention policy" is ipso facto a "disposal policy", since keeping unnecessary information around is dangerous.
A number of issues arise in drafting and implementing such policies. In the case at hand, we see at least three of them:
- defining by the negative.
Notice how First Boston defines what is to be retained explicitly and what is to be disposed of as everything else: "if it is not [in the list of what has to be kept], it should not be left in the file". While logically precise, a definition by the negative is operationally much more difficult to carry out. How can one ask the question "is it?" if one is not even told about "it" in the first place? Forgotten items will not be properly deleted.
- dependencies on circumstances.
The case derives from the rule that disposal of all relevant documents becomes illegal, i.e. an obstruction of justice, once a lawsuit has been filed against the organization. Again, providing a clear operational translation of this rule is a challenge in an organization of some size and complexity:
- what exactly are the relevant documents?
Prosecutors often do not know where to look, nor even what to look for and will want a blanket definition. Defendants will disagree and call it a fishing expedition. This compounds the previous issue.
- how to alert the relevant employees?
Lawsuits are a fact of life and rules are executed by people. Good executives try to compartmentalize their organization to avoid disturbing its workforce unnecessarily. For the prosecutor however, First Boston and Frank Quattrone just cut it too close by assuming its left hand did not know yet what its right hand knew for sure. When badly implemented, compartmentalization itself looks like premeditated obstruction of justice.
- inconsistent enforcement.
Internal policies which are routinely ignored are not uncommon in organizations, which look at them as a form of "insurance" over the behavior of their workforce. "If" something goes wrong, such policies will be dusted off to apportion the blame. Except that in the case at hand, it invalidated the purpose of the retention and, by mirror effect, of the disposal policy. The defendant appeared for all intents and purposes to rush under the policy to shelter himself from a lawsuit. Organizations should make a policy to enforce policies.
-4- Before we leave the case, we need to stress that corporate email has by now become a major part of any retention/ deletion policy.
While Frank Quattrone was found guilty of obstruction of justice, corporate email was not the reason for the indictment, it only provided evidence to the prosecutor. Since the power of corporate email as evidence has become common knowledge, it is tempting for employees to delete potentially damning emails as a new way to obstruct justice.
Putting together the different lessons learnt, it appears highly desirable that corporate email should be redefined as self-destructing after a set amount of time, say 30 or 60 days. By so doing, an organization would ensure that:
- employees would formally file the few documents deemed important enough, and such copies would fall under the normal retention policy
- all other messages, akin to transient verbal communication, would be automatically erased before any lawsuit could request them
- innocent employees would have one less way to make a careless mistake, i.e. a knee jerk deletion of their emails at learning of a subpoena
This suggestion is not foolproof. Although the law does not require defendants to carry a tape recorder at all times to keep track of their conversations once made the subject of a lawsuit, it could very well require the email self-destruction feature to be turned off, with the usual issue of when the switch ought to occur.
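The self-destruction scheme sketched above, with its "switch", can be made concrete. The following is an added example, not code from the chapter or from any product it mentions: a mailbox in which unfiled messages expire after a fixed number of days, a formally filed message falls under the normal retention policy and survives, and a litigation hold both stops routine expiry and refuses employee-initiated deletions. The 30-day default, the `filed` flag, the `hold_since` switch and the dated sample messages are assumptions made for this illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

EXPIRY_DAYS = 30   # assumed default; the text suggests 30 or 60 days


@dataclass
class Message:
    msg_id: str
    sent_at: datetime
    filed: bool = False   # formally filed: falls under the normal retention policy


@dataclass
class Mailbox:
    messages: Dict[str, Message] = field(default_factory=dict)
    hold_since: Optional[datetime] = None   # start of a litigation hold, if any

    def place_hold(self, when: datetime) -> None:
        """Switch self-destruction off from `when` onward (earliest hold wins)."""
        if self.hold_since is None or when < self.hold_since:
            self.hold_since = when

    def on_hold(self, now: datetime) -> bool:
        return self.hold_since is not None and now >= self.hold_since

    def purge(self, now: datetime, expiry_days: int = EXPIRY_DAYS) -> List[str]:
        """Routine self-destruction: erase unfiled messages older than
        `expiry_days` and return their ids. Under a hold nothing is erased,
        however old, so the question of when the switch is thrown reduces
        to the single value stored in `hold_since`."""
        if self.on_hold(now):
            return []
        cutoff = now - timedelta(days=expiry_days)
        expired = [m for m in self.messages.values()
                   if not m.filed and m.sent_at < cutoff]
        for m in expired:
            del self.messages[m.msg_id]
        return sorted(m.msg_id for m in expired)

    def manual_delete(self, msg_id: str, now: datetime) -> None:
        """Employee-initiated deletion, refused under a hold so that a
        knee-jerk deletion on learning of a subpoena cannot happen."""
        if self.on_hold(now):
            raise PermissionError(f"{msg_id}: deletion blocked by litigation hold")
        self.messages.pop(msg_id, None)


def demo():
    # Constructed mailbox: two day-0 messages (one filed), one day-50 message,
    # a purge on day 60, a hold placed on day 65, then a purge on day 120.
    day0 = datetime(2000, 10, 1)
    box = Mailbox()
    box.messages["m1"] = Message("m1", day0)
    box.messages["m2"] = Message("m2", day0, filed=True)
    box.messages["m3"] = Message("m3", day0 + timedelta(days=50))
    purged_day60 = box.purge(day0 + timedelta(days=60))    # m1 expired; m2 filed; m3 fresh
    box.place_hold(day0 + timedelta(days=65))
    purged_day120 = box.purge(day0 + timedelta(days=120))  # m3 is old enough, but the hold is on
    try:
        box.manual_delete("m3", day0 + timedelta(days=121))
        blocked = False
    except PermissionError:
        blocked = True
    return purged_day60, purged_day120, blocked, sorted(box.messages)
```

Run `demo()` to see the sequence: only the unfiled day-0 message is erased on day 60, nothing is erased once the hold is in place, and the manual deletion is refused. The point of keeping the hold as a single timestamp rather than a per-message flag is that the decision the text calls difficult (when the switch ought to occur) is then recorded once, in one place, and can be audited.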
General Comments:
-1- As the case analysis makes clear, retention and disposal are inseparable. If a retention policy is to be genuine, what is not to be retained should be disposed of. We chose to label this chapter "disposing of digital information" merely to emphasize that proper disposal is often overlooked by organizations and yet proves to be the more difficult part to enforce.
We could as well have lumped this chapter together with the previous one on protecting digital information. While space limits justify our choice, it is important to understand that retention and disposal are intimately linked to security considerations:
- lapses in security may allow external or internal tampering with stored data, thereby invalidating information retention. See this example from the healthcare industry: Credibility damaged by proof of record tampering by David Starr (Cortlandt Forum), June 2005
- improper data disposal may allow unauthorized access to what remains potent information, a fact well illustrated by ID thieves checking garbage bags near banks or restaurants
The reasons for organizations to develop and enforce written retention/disposal policies are accordingly the same as for security:
- ensuring business continuity and performance, by making correct information always available when needed
- complying with rules mandated by law and sound business sense (for the cost of non-compliance, see the verdict in the Zubulake case)
-2- Proper disposal is the harder part of any "retention policy".
The case at hand already illustrated three issues:
- clearly identify the information which should be disposed of,
- account for exceptional circumstances, such as litigation (see the Zubulake rulings) and
- enforce the policy throughout the organization.
Assume then some specific information is meant to be eliminated, as part of a routine, perfectly legal policy. The issue is that information cannot be considered erased until:
- all copies have been located and destroyed
- the destruction is irreversible
Digitization did not create this issue: paper copies can be misplaced and forgotten, or crumpled rather than shredded. But digital copies increase its seriousness significantly.
- routine measures taken to ensure data availability and data retention multiply copies. Yet in the name of user friendliness, the person responsible for the information stays unaware of this except in the most perfunctory way
- persons directly responsible for important information often like to make their own copies rather than relying on some remote and invisible overseer
As a result, no one inside an organization may know all the copies in existence, turning copy hunting into an error-prone effort
- the task of locating all copies is compounded when the information has been made accessible to third parties, however briefly, and totally impossible if it has been put on the Internet
- the so-called "delete" function of computer systems is a misnomer, as it only deletes "access pointers" to the data rather than the data itself
Physical erasure of the data often involves physical destruction or reformatting of the recording media concerned
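The two conditions above, locating every copy and making the destruction irreversible, can be checked rather than assumed. The following added example is not from the chapter: it hunts for copies by content fingerprint across several stores (a renamed or hidden copy is still the same bytes), overwrites each copy before unlinking it so that the directory entry is not the only thing removed, and refuses to report the disposal complete while any copy remains. The directory layout, the record text and the function names are constructed for the illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def fingerprint(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def find_copies(roots, digest):
    """Walk every store in `roots` and return the files whose content hashes
    to `digest`. Copies are recognised by content, not by name, because the
    person who made a copy may have renamed it or let software rename it."""
    hits = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if path.is_file() and fingerprint(path.read_bytes()) == digest:
                hits.append(path)
    return sorted(hits)


def dispose(path: Path, passes: int = 1) -> None:
    """Overwrite the file's bytes, flush them to the device, then unlink.
    A plain unlink only removes the "access pointer" the text speaks of.
    Caveat: on media that remap writes (flash/SSD, journaling file systems,
    snapshots) the old blocks may survive the overwrite; there, physical
    destruction or reformatting of the medium is the only certain route."""
    size = path.stat().st_size
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            f.write(os.urandom(size))
            f.flush()
            os.fsync(f.fileno())
    path.unlink()


def dispose_everywhere(roots, digest):
    """Dispose of every known copy and re-check. Returns
    (number_disposed, copies_still_found); disposal is complete only when
    the second element is empty."""
    copies = find_copies(roots, digest)
    for p in copies:
        dispose(p)
    return len(copies), find_copies(roots, digest)


def demo():
    # Constructed layout: the working file, a renamed backup copy in a
    # sub-folder, an application temp copy on a second store, and one
    # unrelated file that must survive.
    record = b"working notes on the XYZ offering - not for the file\n"
    base = Path(tempfile.mkdtemp())
    stores = [base / "shared_drive", base / "laptop"]
    for s in stores:
        s.mkdir()
    (stores[0] / "notes.txt").write_bytes(record)
    (stores[0] / "old").mkdir()
    (stores[0] / "old" / "copy_of_notes.bak").write_bytes(record)
    (stores[1] / "~notes.tmp").write_bytes(record)
    (stores[1] / "unrelated.txt").write_bytes(b"lunch menu\n")

    digest = fingerprint(record)
    found = len(find_copies(stores, digest))
    disposed, remaining = dispose_everywhere(stores, digest)
    survivors = sorted(p.name for s in stores for p in s.rglob("*") if p.is_file())
    return found, disposed, remaining, survivors
```

`demo()` builds the constructed layout in a temporary directory and returns how many copies were found, how many were disposed of, what is still found afterwards, and which files survive. The list of stores passed to `find_copies` is the weak point in practice: it can only be as complete as the organization's inventory of where data lives, which is exactly the issue the text raises.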
-3- As usual under US law, the relevant rules and regulations which apply to a given business will depend on the nature of its activity and the federal agency which has jurisdiction over this type of activity. For example, accountants responsible for auditing public companies and organizations dealing in securities fall under SEC rules (e.g. 17 CFR 210.2-06 and 240.17a-4) mandating retention of specific information. Financial institutions covered by GLBA and healthcare organizations covered by HIPAA must take care that data security and privacy as mandated by these laws cannot be compromised by record tampering. More generally, public companies are subject to the penalties of SOX relative to a sweeping definition of record tampering. This definition covers:
"any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11 [bankruptcy], or in relation to or contemplation of any such matter or case"
where bold characters are used to emphasize the scope. While it is too early to get well-acknowledged feedback from the courts, the phrase "with the intent to influence [...] proper administration of any matter within the jurisdiction of any department or agency of the United States" does not seem to leave much out.
-4- The above mentioned laws and regulations address data retention and tampering. Against this background, one may think organizations are left to dispose of data as they see fit as long as it does not violate these retention mandates. This would be a grievous mistake. While business sense dictates that organizations take care that competitors do not pick up their trade secrets through insecure disposal procedures, recent laws hold organizations to the same level of care relative to privileged consumer data.
The most explicit of these regulations is the so-called "Disposal of Consumer Report Information and Records" rule issued by the FTC pursuant to FACTA (see chapter I-2 on credit fraud). The information covered is that which comes from consumer reports output by credit report agencies. Because of the pervasive reliance on these reports in many types of industries (insurance, banking, retail...) and functions (HR, marketing essentially), this rule has wide relevance.
This rule in particular gives the following thoughtful definition. "“Dispose,” “disposing,” or “disposal” means:
- (1) the discarding or abandonment of consumer information, or
- (2) the sale, donation, or transfer of any medium, including computer equipment, upon which consumer information is stored."
highlighting the unwelcome truth that disposing of computers, a common occurrence, is also a form of data disposal. Think of the chore of reformatting or otherwise erasing the hard disks of broken computers.
However any rule linked to a privacy law (GLBA, HIPAA...) will have similar requirements. For example, see 45 CFR section 164.310 (d) pursuant to HIPAA, and California civil code section 1798.81. At the very least courts will hold organizations to be negligent, even in the absence of detailed regulations, if they fall short of standard industry practices. One must remember data privacy does not exist without security and data security does not exist without proper disposal policies.
-5- Looking back over the past twenty years, one is struck by what amounts to a Copernican revolution.
The rules of evidence have given rise over the centuries to a strict hierarchy among documents. This hierarchy is still with us today. Notarized documents carry maximum weight, ordinary, unsigned papers carry minimum weight. In between stand instruments bearing a recognized signature whose role is double:
- authenticate the document as approved by the signer, assuming the document could not be forged after the signature was obtained
- deny the signer the possibility to repudiate the document as approved, assuming the signature could not be forged after the document was written
When computer records started to be introduced as evidence, they were knowingly given the lowest status available. Anybody with a modicum of computer savvy can alter records, content, date and all, and authorship is generally not properly recorded. With the help of cryptography, special measures have been designed over the years to address this issue for important applications such as electronic fund transfers.
Recent laws turn this situation on its head. Now vast classes of records generated by organizations are routinely used as evidence, simple emails in the case of Frank Quattrone's indictment. The ease with which digital information can be corrupted is apparently no longer an issue. The law, acknowledging the progress of technology, holds organizations responsible for the non tampering of the data, all the data (see previous SOX quote).
At issue is not whether one needs to protect or can efficiently protect transaction data, the formal data processed daily by organizations in the performance of their business processes. Organizations must be aware that, as they grow in size and resources, the courts will deem it reasonable to ask them to tamper-proof even informal exchanges. The compliance officer must at least review the use within the organization of:
-6- It is worth repeating: the informal character of an electronic channel is not relevant to the record retention mandates set forth by SOX and other laws. What matters is the existence of a record. This is not to say that the regulator has not considered some limits. For SOX, the relevant criterion is on content rather than format. In announcing the release of rule 2-06, the SEC explains:
"Several commenters stated that the proposed "cast doubt" language was unworkable and would lead accounting firms to retain documents related to virtually every exchange of ideas on any topic. In consideration of the comments received, the "cast doubt" language will be replaced with a requirement to keep records that either support the auditor's final conclusions or contain information or data, relating to a significant matter, that is inconsistent with the final conclusions of the auditor on that matter or on the audit or review. Rule 2-06(c) also will state that the documents and records to be retained include, but are not limited to, those documenting consultations on, or resolutions of, differences in professional judgment."
Assuming the nature of its content determines whether a piece of information ought to be retained or deleted, one cannot rely on the difference between fact and thought either. Safeguarding facts, such as accounting entries, is not an issue. But this instance makes clear that at least some contrarian opinions of an auditor must be retained as well. This is a disturbing factor, for no organization can prosper if every employee were to guard against expressing any controversial opinion lest he or she be labeled a troublemaker, risking gratuitous exposure of the organization.
We suggest organizations:
- set a distinction for internal use between "on the record" and "off the record" communication, in the same way as it is done in public relations.
- offer separate channels for the two types of communication, subjecting the former to retention and the latter to systematic and complete deletion
In so doing, organizations would avoid legal responsibilities, as it lets each employee decide how to communicate. Assuming corporate email is selected as a "for the record" channel, such a measure would have the further beneficial side effect of promoting a high level of professional conduct in employees' emails. On the other hand, opinions which voiced warnings or disagreements, once expressed in this "designated for the record" medium, would automatically force a considered answer from the hierarchy, since there would be no doubt that such a document would surface in any subsequent lawsuit.
-7- The previous considerations generate a number of other, practical challenges. Here are some of them:
- edit tamper-proof documents
This is not an oxymoron. For example, what do accountants do when they find a data entry error in the daily journal? They must issue a new, correcting entry. Every tamper-proof recording system will have to include some form of version management. For healthcare, see points 1 to 3 of an article by Berkeley Rice (Medical Economics), July 2005.
- safeguard the keys
As mentioned in chapter III-1 Protecting Digital Information, providing authentication and non repudiation, or relying on strict access control to prevent tampering of "live records", creates a need for more key management, like any other security measure. The retention and non tampering of active keys, as well as the disposal of old keys, e.g. when an employee leaves the organization, must be the first priority. And even more so for master keys.
- monitor employee's behavior
Outside an "off the record" communication channel, employees must be told that every communication is recorded. However, the organization should also establish rules to ensure professional usage, forbidding exchange of pornographic material for example, and monitor these communications. The organization will thus avoid the risk of being later exposed as, however unwillingly, recording objectionable content and abetting criminal behavior.
- deliver authentication and non repudiation
If the solution adopted guarantees non tampering once the document is recorded, e.g. on a write once optical disk, but presents a logical gap between author's approval and the recording operation, the organization leaves itself open to forgery claims from employees threatened by an archived document which they purportedly authored.
To indulge in a not so implausible scenario, assume employee B wants to put employee A into serious trouble. B uses known viral code to make A's machine, unbeknownst to A, send some offensive email, or series of emails, duly stamped and archived by the organization as coming from A. With little more than an anonymous rumor, B can then lead investigators to A's mail stream. For good measure, assume the organization is the target of some federal agency. Soon A is named the defendant in some obstruction of justice lawsuit.
-8- The need to protect itself against human behavior, whether from inside or outside, whether from conspiracies or from isolated individuals, is what drives organizations to develop and implement the above discussed policies. Following our cost sharing philosophy, we also urge organizations to link compliance with business continuity and examine the need for data availability.
Here the emphasis is on unforeseen loss of access to data. This loss can be indirect, e.g. as a consequence of a server failure from technical breakdown or external forces such as fire or flooding. When the data itself is not destroyed, we refer to the previous chapter on protecting digital information, see for example server redundancy. When the operational data is lost however, the loss can only be met by a prior copying of the data. Since data retention and disposal policies are intimately linked to the existence and management of copies, the link between data availability and compliance becomes obvious.
The solution generally involves a hierarchy of copies:
- live copies using RAID implementation, either by hardware or software
- automatic, temporary copies managed by application software, e.g. personal office tools such as word processors
- on site, on line backups
- off line archives, either on site or off site
Means to implement protection depend on the nature of the backup. Live copies are best managed through data access policies and archival backups through the use of write once recording media.
-9- For a complete understanding of data availability, one must consider that on line copies are generally managed on an incremental basis. First some known, consistent state of the data is preserved, followed by the log of sequential changes. All such log files must obviously be taken into account by compliance, lest snippets of data get exposed.
Indeed both compliance and common sense require that every copy, however partial, receives the same level of protection as the original.
We also strongly caution organizations on the increasing use of search engines at all levels of data storage: personal computer, intranet resources, public Internet. Engines like Google produce data snippets as logs do, a potential source of leaks documented by the Computer Security Lab at Rice University. While the specific security threat identified at Rice, leaking internal data to an outside attacker, has been eliminated, the principle remains: used inside an organization, search engines produce data snippets bound to be less privileged than the original unless search processing is made a native part of the security architecture.
While the casual reader should be forgiven for thinking we are paranoid, he or she needs to understand how mere data snippets can cause a significant damage, assuming a malicious person has access to them:
- if encryption is used to protect data, the best way to break the encryption key is to have the same data in both original and encrypted forms. A snippet is a good enough start for professional cryptologists.
- while most data snippets may prove meaningless, consider that an intruder is most likely to have gained access to a continuous stream of such snippets. Simple keyword matching will effortlessly extract the juicy tidbits from this stream, a feature of keyloggers buried in Trojan Horses (e.g. Backdoor.Nibu.E)
-10- The rise of search engine technology is itself but another aspect of data availability. Instead of addressing human malevolence or accidental risks, search engines tackle this most common human shortcoming: knowing that some information exists but being unable to locate it in the mountain of data.
For the sake of completeness we want to point to an emerging technology to address, albeit from a different perspective, this issue of data retrievability. Rather than relying on keyword description and matching, "Digital Object Identifiers" aim to provide objects with the equivalent of a "portable telephone number", a permanent address despite changes in location, content and ownership. See the Digital Object Identifier System developed by the International DOI Foundation with the help of the Corporation for National Research Initiatives.
Solutions:
The following development should be seen as the continuation of the previous chapter on Protecting Digital Information.
Together with its written policies, Human Resources programs and security related MIS architecture and components, the overall approach to security in an organization implicitly covers the retention and disposal of information, digital and non digital.
Special considerations will be best dealt with separately. For example policies for retention and disposal of information deserve to be identified as such. One should:
- cover all forms of electronic recording, including the most transient ones
this does not mean all records must be treated in the same way, only that the policy clearly spells out what should be done, by the owner, and what will be done, by MIS
- list the different types of life cycle to be used and assign one type to each data set identified when segmenting the data among security levels.
In particular each piece of data will receive a specific life span followed by actual disposal according to the laws and management decisions
- determine who has ownership for each piece of data during its life cycle.
Ownership includes the right to copy and to delete the data, with the duty to follow the corresponding policy. It can vary over the cycle, typically involving:
- a manager or a series of managers during the active life of the data
- a person responsible for archiving once the data has ended its active life
- clearly separate data availability from archiving and operate all backup operations as a periodic round robin, ensuring no copy exists older than one period and a half.
Assuming the backup period is much shorter than any independent retention life span, this ensures "invisible" service copies do not survive archiving or destruction by much
- provide proper digital signing tools for individual managers and indicate when they should be used
- provide assistance for individual managers for proper disposal of data when necessary
As an example of policy detail, as soon as the send button is hit, email messages can be declared to be "owned" by the MIS manager in charge of corporate email and transferred to the archiving manager after a proper delay depending on the size of the organization.
Concerning data management, one should refine the two levels mentioned in the previous chapters ("use the data" / "record the data") into three:
- read the data
- update the data record
- create new records for the data
Whenever the software allows this distinction, the creation of new copies can be restricted to the current "owner" of the original data according to its life cycle. However simple updating no longer requires the corresponding roles to enjoy this higher "creation" privilege and makes for a new "update" level, still above simple use redefined as "read only".
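The ownership-over-the-life-cycle idea from the policy list above and the read / update / create refinement can be put together in one access check. The following is an added example, not the chapter's own code or that of any vendor it names: a data set passes from its manager (active life) to the archiving manager (archived) to nobody (disposed); "create", which includes making a copy, is reserved to whoever owns the data at that moment; "update" is a separate, lower level open to designated roles only while the data is active; "read" is the widest. The stage names, the one-year and seven-year durations and the sample roles are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Stage(Enum):
    ACTIVE = "active"        # owned by the responsible manager
    ARCHIVED = "archived"    # owned by the archiving manager, read-only
    DISPOSED = "disposed"    # no owner, no access


@dataclass(frozen=True)
class LifeCycle:
    active_days: int      # active life, counted from creation
    retention_days: int   # archive retention, counted from the end of active life

    def stage_on(self, created: date, today: date) -> Stage:
        age = (today - created).days
        if age < self.active_days:
            return Stage.ACTIVE
        if age < self.active_days + self.retention_days:
            return Stage.ARCHIVED
        return Stage.DISPOSED


@dataclass
class DataSet:
    name: str
    created: date
    cycle: LifeCycle
    manager: str          # owner while ACTIVE
    archivist: str        # owner once ARCHIVED
    updaters: frozenset   # roles allowed to update (but not copy) during active life
    readers: frozenset    # roles limited to read-only during active life

    def stage(self, today: date) -> Stage:
        return self.cycle.stage_on(self.created, today)

    def owner(self, today: date):
        return {Stage.ACTIVE: self.manager,
                Stage.ARCHIVED: self.archivist}.get(self.stage(today))


def allowed(ds: DataSet, user: str, action: str, today: date) -> bool:
    """Decide one access request against the three privilege levels.
    create (includes copying): the current owner only, at any stage short of disposal
    update: the owner or a designated updater, and only while the data is active
    read:   the owner at any live stage; readers and updaters only while active"""
    stage = ds.stage(today)
    if stage is Stage.DISPOSED:
        return False
    owner = ds.owner(today)
    if action == "create":
        return user == owner
    if action == "update":
        return stage is Stage.ACTIVE and (user == owner or user in ds.updaters)
    if action == "read":
        return user == owner or (stage is Stage.ACTIVE and user in ds.updaters | ds.readers)
    raise ValueError(f"unknown action {action!r}")


def demo():
    # Constructed data set: one year of active life, then seven years in the archive.
    ds = DataSet("offering_workpapers", date(2000, 1, 1),
                 LifeCycle(active_days=365, retention_days=7 * 365),
                 manager="alice", archivist="records_mgr",
                 updaters=frozenset({"bob"}), readers=frozenset({"carol"}))
    t_active, t_archived, t_disposed = date(2000, 6, 1), date(2002, 6, 1), date(2010, 1, 1)
    return {
        "bob_copy_active": allowed(ds, "bob", "create", t_active),            # updater cannot copy
        "bob_update_active": allowed(ds, "bob", "update", t_active),
        "carol_update_active": allowed(ds, "carol", "update", t_active),      # reader cannot update
        "alice_copy_active": allowed(ds, "alice", "create", t_active),
        "alice_copy_archived": allowed(ds, "alice", "create", t_archived),    # ownership has moved on
        "archivist_copy_archived": allowed(ds, "records_mgr", "create", t_archived),
        "carol_read_archived": allowed(ds, "carol", "read", t_archived),
        "archivist_read_disposed": allowed(ds, "records_mgr", "read", t_disposed),
        "owners": [ds.owner(t) for t in (t_active, t_archived, t_disposed)],
    }
```

`demo()` returns the outcome of each request together with the owner at the three dates. Two results deserve attention: the manager who created the data can no longer copy it once it is archived, because ownership, and with it the "create" privilege, has passed to the archiving manager; and after the retention period nobody, owner included, can read it, which is what "actual disposal according to the laws and management decisions" means in access-control terms.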
While data encryption is an obvious way to limit and to detect data tampering, with it come two burdens:
- key management for archiving
Keys must obviously be preserved for the duration of retention, which can span several years. Using a permanent key would not be safe, as the probability of uncovering it would grow as time elapses, yet changing it periodically would not be economical in view of the size of the data archive of most organizations relative to their resources. While the obvious solution is to change keys on an incremental basis, without reprocessing the old data, this generates another rapidly growing key base, distinct from the regular access key base and just as precious.
- encryption/decryption costs for live access
If encryption is also used during the active life of the data, MIS must account for time and processing power lost to decrypting (re-encrypting) live data each time the corresponding data is accessed (updated).
We wish to make an additional comment.
If the organization deems to its benefit to set up an "off the record" channel for informal, transient communications, it should consider encrypting it. But at the difference of official corporate email, the keys should be the exclusive property of the users. In this way, each individual user would be responsible for the use of this resource, with guaranteed privacy, at the price of having no remedy were he or she to forget the key or the associated password.
Tools available:
- whole solutions
Business application software is made to manage enterprise-wide data. Given this objective, most software vendors including but not limited to, Computer Associates, IBM, Microsoft, Oracle, SAP, will include data security features.
What the compliance officer needs to do is check these features, the best often priced as separate options, against the comprehensive security architecture adopted by the organization. Of special interest will be role management (see chapter III-1), data encryption mechanisms, key management, versioning, authentication and non repudiation as well as archiving. Data availability and long term storage are best dealt with in combination with hardware selection.
We strongly suggest checking for and using copy prevention features, such as direct support for our read/update/create privilege hierarchy where copying requires write privileges.
- write once media
The archetypal solution for tamper-proof recording is offered by the so-called WORM (Write Once Read Many) technologies, using optical disks in a variety of formats.
Small organizations or small decentralized units of larger organizations can use ordinary CD-R recording.
For larger amounts of data, high-capacity WORMs are quite proprietary. For vendors, see this Google search
- storage systems
Before committing a large amount of money, one might well be advised to check software-based solutions which promise to attach "WORM characteristics" to cheaper magnetic disks or tapes. This is not a simple choice between greater safety (WORM optical disks) and price (magnetic media). The compliance officer and the head of MIS must consider that no official rule dictates a particular technological solution. Once they have accounted for all other relevant parameters, such as the need for long term on line accessibility and interface complexity, they are only required to be able to justify their decisions on the basis of current best practices for an organization of similar resources.
For vendors of storage systems, see the results from both this Google search and that Google Search, using slightly different key words. Another source is offered by lists of SMI-S compliant suppliers from SNIA, a trade association ( SMI-S is an interfacing standard).
Suppliers of storage systems as well as consultants have been quick to stress information life cycle management (ILM) as a guide for implementing a global solution. This is the perspective of this Google search.
- tamper detection
While tamper proof storage is the best solution for so called transactional or formal data, it will always be more costly than ordinary magnetic tapes and disks together with ordinary access controls.
We suggest that for less formal or less important data, solutions which detect tampering without preventing data loss in the first place might be considered in reasonable compliance. After all, even tamper-proof WORMs can be shattered. If evidence of tampering can be discovered and reported quickly, or if it can be traced back to a specific employee or to unnamed intruders, the organization should be able to claim to be the victim of a crime and decline legal responsibility.
In some cases the difficulty of truly deleting data can come handy when tampering has been detected or is suspected: it can be possible for forensic data specialists to extract the original version of the data tampered with (see this Google search).
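The tamper detection suggested here and the incremental key rotation discussed under "key management for archiving" in the Solutions section rest on the same mechanism, so one added example serves both. This is not code from the chapter or from any vendor it lists: each archived record is sealed with an integrity tag (HMAC-SHA256 from the Python standard library) under the key of the period in which it was archived; a new period gets a fresh key while old records are never re-sealed, so the key base grows with the archive; a record altered after sealing fails verification; and when records pass their retention period, the keys that no longer seal anything are disposed of in turn, with the consequence, shown by the `"unverifiable"` outcome, that a key disposed of too early leaves its records impossible to check. One key per calendar year, the seven-year retention and the journal entries are assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from datetime import date

RETENTION_YEARS = 7   # assumed retention, counted in whole calendar years


class Archive:
    def __init__(self):
        self.keys = {}      # period id -> key bytes: the archive key base
        self.records = []   # (record_id, period, payload, tag)

    @staticmethod
    def period_of(day: date) -> int:
        return day.year     # one integrity key per calendar year (assumed)

    def _key(self, period: int) -> bytes:
        # Incremental rotation: a fresh random key the first time a period is
        # used; keys of earlier periods are left untouched, as are their records.
        if period not in self.keys:
            self.keys[period] = os.urandom(32)
        return self.keys[period]

    @staticmethod
    def _tag(key: bytes, record_id: str, payload: bytes) -> bytes:
        # The id is bound into the tag so a sealed payload cannot be moved
        # under another record's name without detection.
        return hmac.new(key, record_id.encode() + b"\0" + payload, hashlib.sha256).digest()

    def seal(self, record_id: str, payload: bytes, day: date) -> None:
        period = self.period_of(day)
        tag = self._tag(self._key(period), record_id, payload)
        self.records.append((record_id, period, payload, tag))

    def verify(self, record_id: str) -> str:
        """Return 'ok', 'tampered', or 'unverifiable' (key already disposed of)."""
        for rid, period, payload, tag in self.records:
            if rid == record_id:
                key = self.keys.get(period)
                if key is None:
                    return "unverifiable"
                fresh = self._tag(key, rid, payload)
                return "ok" if hmac.compare_digest(tag, fresh) else "tampered"
        raise KeyError(record_id)

    def dispose_expired(self, today: date):
        """Dispose of records past retention, then of every key that no
        longer seals any remaining record. Returns the periods still keyed."""
        self.records = [r for r in self.records if today.year - r[1] < RETENTION_YEARS]
        still_used = {r[1] for r in self.records}
        for period in list(self.keys):
            if period not in still_used:
                del self.keys[period]
        return sorted(self.keys)


def demo():
    ar = Archive()
    # Constructed journal entries archived in two different periods.
    ar.seal("journal-2000-01", b"entry 1: debit 100", date(2000, 3, 1))
    ar.seal("journal-2001-01", b"entry 2: credit 100", date(2001, 3, 1))
    ar.seal("journal-2001-02", b"entry 3: correcting entry", date(2001, 9, 1))
    keys_after_sealing = len(ar.keys)
    # Simulated tampering: the stored payload of one record is altered in place
    # while its tag is left as it was.
    rid, period, _, tag = ar.records[1]
    ar.records[1] = (rid, period, b"entry 2: credit 1000", tag)
    results = {
        "keys": keys_after_sealing,
        "untouched": ar.verify("journal-2000-01"),
        "altered": ar.verify("journal-2001-01"),
        "keys_end_2006": ar.dispose_expired(date(2006, 12, 31)),   # nothing expired yet
        "keys_2007": ar.dispose_expired(date(2007, 1, 1)),         # 2000 records and key go
    }
    results["old_key_gone"] = 2000 not in ar.keys
    return results
```

`demo()` shows the altered entry reported as tampered while its neighbours verify, and the 2000 key surviving exactly as long as a 2000 record does. Detection only works while the key base is intact and at least as well protected as the records: an intruder who can rewrite a key as well as a payload can re-seal at will, which is why the text puts the retention and non tampering of keys first.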
- RAID solutions
As mentioned earlier, Redundant Arrays of Inexpensive Disks is the preferred tool to ensure data availability. For vendors, see this Google search
- corporate email systems
Whole solutions encompass a wide range of business applications and storage systems focus on information recording. There is also room for more specialized applications, especially cost effective for managing specific informal channels. For vendors of corporate email systems, see this Google search.
tEC, the Electronic Confident, by ePrio Inc., has already been described in chapter II-2 on marketing as a solution for sending personalized emails which requires neither opt in nor opt out.
tEC can also be used to implement the kind of "off the record" communication channel described in the comments above. It offers an email function where senders get pre-approved by their desired target receiver(s). In the instance, an employee can pre-approve the members of his or her work team as well as friends and family. All communications are encrypted using private keys controlled only by each individual user and emails are sent subject to a limited time span.
Thus this tEC-based channel offers both employees a space of real privacy while at work and organizations a shield from all responsibilities derived from the use of this recordless medium. Notice that ePrio itself can neither access local data nor decrypt circulating data.
- abuse prevention and detection
The features provided by tEC are sure to cause alarm in some minds. What if employees abuse such an "off the record" channel, as some are bound to do? Here are two tools handy to answer legitimate concerns:
- application-controlled disabling of OS-wide cut/copy and paste option, to prevent leakage at the desktop
- keyloggers, to be implanted on an employee's machine under the exact same legal machinery as wiretapping
A link to an organization, public or private, does not represent an endorsement, and no compensation has been received nor solicited by the author for its inclusion.