
Develop a Data Retention and Destruction Policy


If You Don't Have It, They Can't Get It


The best defense against a search or a subpoena is to minimize the amount of information that it can reach. Every organization should have a clear policy on how long to keep particular types of information, for three key reasons:


  • It’s a pain and an expense to keep everything.
  • It’s a pain and an expense to have to produce everything in response to subpoenas.
  • It’s a real pain if any of it is used against you in court — just ask Bill Gates. His internal emails about crushing Netscape were not very helpful at Microsoft’s antitrust trial.

Think about it — how far back does your email archive go? Do you really need to keep every email? Imagine you got a subpoena tomorrow — what will you wish you’d destroyed?


Establish a retention policy. Your organization should review all of the types of documents, computer files, communications records, and other information it collects, then write a policy defining whether and when each type of data is destroyed. For example, you may choose to destroy case files six months after a case is closed, to delete web server logs that show who visited your website as soon as they are written, or to delete emails after one week. This is called a "document retention policy," and it is your best defense against a subpoena: they can't get it if you don't have it. The only way to make sure you don't have it is to establish a policy that everyone follows. Set a clear written schedule for how long each category of document is kept (electronic and paper alike) and for how it is destroyed when the time is up. Having a written policy and following it consistently will help you if you are later accused of destroying documents to hide evidence.


Do not destroy evidence. You should never destroy anything after it has been subpoenaed, or if you have reason to believe you are under investigation and it is about to be subpoenaed. Destruction of evidence and obstruction of justice are serious crimes that carry steep fines and possible jail time, even if you didn't commit the original offense. Nor should you selectively destroy documents (for example, destroying some intake files or emails but not others) unless that selection is itself part of your written policy. Otherwise it may look like you were trying to hide evidence, and again might make you vulnerable to criminal charges. Just stick to your policy.


Destroying paper documents. Remember, under the Fourth Amendment trash you have put out for collection is fair game for the police without a warrant, so just tossing your old membership rolls in the garbage is not the way to go.


If you are concerned about the privacy of the documents that you throw away (and you should be!), you should destroy them before they go in the trash. At the very least you should run documents through a "cross-cut" paper shredder that cuts them in two directions and turns them into confetti; a "micro-cut" shredder, which produces much smaller particles, is better still. Then mix up the shreds from different documents to make them harder to put back together. Documents cut in one direction by a "strip-cut" shredder are very easy to reassemble and should not be considered destroyed. If you have evidence giving you reason to believe that your trash is being or is about to be searched, you should also completely burn all of the shreds. Even if you're not particularly worried about someone searching your trash, you should still destroy or thoroughly erase any computer equipment or media that you throw out.


If you destroy any of your papers and disks before throwing them out, you should destroy all of them, even the ones you don't need to keep private. If you shred only the sensitive material, anyone with access to your trash can will be able to isolate the shreds quickly and focus on reconstructing them. Both government investigators and identity thieves often have the manpower and time necessary to reconstruct shredded documents, and some crime labs can recover text from partially burned ones.


Your web browser's watching you, so you have to watch your browser. In one murder trial, government forensics experts were able to retrieve pages of Google search results that the suspect had viewed years earlier, because his web browser had kept "cached" copies of the pages. The suspect had Googled for information about breaking necks and about the depth of the local lake, where he ended up dumping the body. He was convicted.


Hopefully, you have much more innocent things you'd like to keep private, but the point is that your browser is a security hole that needs to be plugged. You need to take regular steps to clear out all the stuff it has been storing: the history of the web sites you've visited and the files you've downloaded, cached copies of web pages, and cookies from the web sites you visit (which we will talk more about later). In particular, it's a bad idea to have the browser save your passwords for web sites, and it's a bad idea to have it save the data you've entered into web forms. If your computer is seized or stolen and its disk is not encrypted, that information will be read straight off the drive. So consider turning these features off completely. Not having these features is less convenient, but that's the security trade-off. Are you worried enough about your computer's security that you're willing to type a few extra times each day to enter a password or a web address?


Visit our Defensive Technology article on web browsers for help with browser hygiene and other recommendations to improve security.


Your instant messenger software is probably watching you too. Many instant messaging (IM) clients are set by default to log all of your IM conversations. You should check the software's preferences so you know what it's doing, and figure out how these logs fit into your retention policy. Will you clean them out every month? Every week? Or will you take the simple route and set the preferences so that your IM client doesn't log any messages at all? The choice is up to you, but because people often treat IM like an in-person conversation and say things they would never put in an email, you should consider such logs very sensitive. Bear in mind that your own settings control only your copy: the other party's client may be logging the same conversation, and the service provider may retain messages on its servers. If you do insist on logging your IMs, that is all the more reason to make sure the logs are protected by encryption. For more information, check out our Defensive Technology article about instant messaging.


Minimize computer logging. If you run a network, an email server or a web server, you should consider reducing or eliminating logging for those computer and network services, to protect the privacy of your colleagues and your clients. Where you need some logs to keep a service running, keep the minimum: truncate or drop client IP addresses, do not record referrers or browser identification strings, strip query strings (which carry search terms and form data) from request lines, and rotate and delete the logs on a short, fixed schedule. For more information, refer to EFF's "Best Data Practices for Online Service Providers."
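As an added illustration of what "keep the minimum" looks like for a web server (this is example code written for this page, not part of EFF's guide or its Best Data Practices document), the Python below rewrites access-log lines in the Apache/nginx "combined" format: the client address is truncated to its /24 (IPv4) or /48 (IPv6) network, the authenticated user name, referrer and user-agent are removed, and the query string is stripped from the request line. The function names and the sample log lines are constructed for this illustration, using the documentation address ranges 203.0.113.0/24 and 2001:db8::/32.

```python
# Added example (not from EFF or this guide): reduce web server access
# logs to the minimum needed to operate the service. Function names and
# the sample lines below are constructed for this illustration.
import ipaddress
import re

# Apache/nginx "combined" log format:
# host ident authuser [date] "request" status bytes "referer" "user-agent"
COMBINED = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?'
)

# Constructed sample input (documentation ranges; no real visitors).
SAMPLE_LINES = [
    '203.0.113.45 - alice [03/May/2024:16:17:01 +0000] '
    '"GET /donate?ref=newsletter HTTP/1.1" 200 5123 '
    '"https://example.org/search?q=legal+aid" "Mozilla/5.0 (X11; Linux x86_64)"',
    '2001:db8:abcd:1234::17 - - [03/May/2024:16:17:02 +0000] '
    '"POST /intake HTTP/1.1" 302 0 "-" "curl/8.4.0"',
    'not an access log line',
]


def truncate_ip(text):
    """Keep only the client's network: /24 for IPv4, /48 for IPv6.
    Anything that is not an address (e.g. a hostname) becomes '-'."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "-"
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def strip_query(request):
    """'GET /search?q=secret HTTP/1.1' -> 'GET /search HTTP/1.1'.
    Query strings carry search terms, tokens and form data."""
    parts = request.split(" ")
    if len(parts) == 3:
        parts[1] = parts[1].split("?", 1)[0]
    return " ".join(parts)


def minimize_log_line(line):
    """Rewrite one combined-format line, or return None if it does not parse.
    Dropped: authuser, referer (where the visitor came from) and user-agent
    (a browser fingerprint). Kept: coarse network, time, request, status, size."""
    m = COMBINED.match(line)
    if m is None:
        return None
    d = m.groupdict()
    return (f'{truncate_ip(d["host"])} - - [{d["time"]}] '
            f'"{strip_query(d["request"])}" {d["status"]} {d["size"]}')


def minimize_log(lines):
    """Minimize every parseable line. Lines that do not parse are dropped,
    not passed through, since they might carry unredacted data."""
    return [out for out in (minimize_log_line(line) for line in lines) if out is not None]


if __name__ == "__main__":
    for out in minimize_log(SAMPLE_LINES):
        print(out)
```

Run it on a rotated log file before archiving, and delete the original; the rewritten lines still let you see traffic volume, error rates and which pages are requested, which is normally all that running the service requires.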


When you delete computer files, really delete them. When you put a file in your computer's trash folder and empty the trash, you may think you've deleted that file, but you really haven't. The computer has only removed the file's entry from the directory and marked the disk space it occupied as "free," meaning it can be overwritten with new data. It may be weeks, months, or even years before that space is actually reused, and until then anyone with a forensic tool, or a free undelete utility, can read the contents back. Copies also linger in places you never put them: the file-system journal, swap space, thumbnail and search-index caches, "recent documents" lists, and backups.


The fix is to make sure the contents are actually overwritten before the file is removed, rather than waiting for the space to be reused. Your operating system or a free utility can do this for individual files (for example shred on Linux), and can also overwrite all of the currently free space on a disk to deal with files you deleted earlier. One pass is enough on a modern magnetic drive (NIST SP 800-88 treats a single overwrite as adequate); the dozens of passes recommended by older tools add time, not security. On solid-state drives, USB sticks and memory cards, overwriting a file does not reliably reach the old data at all, because the flash controller remaps blocks behind the operating system's back, and copy-on-write file systems write new data to a fresh location by design. There, rely on the drive's built-in secure erase when you dispose of it and on full-disk encryption while you use it. Visit the secure deletion article to learn more about how to do this in various operating systems.


In addition to using a secure deletion tool, you should use encrypted storage. If the disk is encrypted from the day you set it up, every "deleted" remnant, cache and journal entry on it is ciphertext, and destroying the key destroys all of it at once. Visit the disk encryption article for more information.


Destroying hardware and electronic media. When it comes to CDs, DVDs, USB sticks and memory cards, do the same thing you do with paper: shred them. There are inexpensive shredders that will chew up optical discs, and small flash media can be physically broken up so that the memory chip itself is cracked. Never just toss a disc or drive out in the garbage unless you're absolutely sure there's nothing sensitive on it.


If you want to throw a piece of hardware away or sell it on eBay, make sure no one can retrieve your data from it. Before selling or recycling a computer, overwrite its storage media with gibberish. Darik's Boot and Nuke (DBAN) is a free tool that does this for magnetic hard drives; it boots from its own media and wipes every drive it can see, so disconnect anything you want to keep first. For solid-state drives, use the drive's own secure-erase command (ATA Secure Erase, or NVMe Format or Sanitize) through a tool such as hdparm or nvme-cli, or the manufacturer's utility, because software overwriting cannot reach all of the flash. If the drive was encrypted from the start, destroying the key is sufficient. When in doubt, physically destroy the drive.


Make data hygiene a regular habit, like flossing. The easiest way to keep this all straight is to do it regularly. If you think you face a high risk of government seizure, or carry a laptop around with you and therefore face a high risk of theft or loss, perhaps you should do it at the end of each day. If not, you might want to do it once a week.


For example, at the end of each week you could:


  • Shred any paper documents or electronic media that are scheduled for destruction under your policy.
  • Delete any emails or other documents that are scheduled for deletion under your policy.
  • Clear your browser's history, cache, cookies, and saved form data.
  • Run your secure-deletion software to overwrite all of the newly deleted stuff.

Have your organization put this weekly ritual or something like it in its written policy. You’ll be glad you did.
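The weekly ritual above, together with the retention schedule and the secure-deletion step described earlier, can be scripted so that it is not forgotten. The following Python script is an added example written for this page (it is not EFF's code or part of any tool the guide names): it walks a directory, finds files whose modification time is older than the retention period, overwrites each one in place with random bytes and then with zeros, renames it to a meaningless name so the directory entry no longer reveals the title, and only then unlinks it. The function names and the sample files created in demo() are constructed for this illustration. It assumes a magnetic disk and a file system that rewrites file blocks in place; see the note after the code.

```python
# Added example, not EFF's or this guide's code: enforce a retention
# period by overwriting expired files in place before unlinking them.
# Assumes a magnetic disk and an in-place-updating file system (e.g. ext4
# or NTFS defaults); on SSDs and copy-on-write file systems the old blocks
# are NOT reliably reached and full-disk encryption is the right control.
import os
import secrets
import tempfile
import time

CHUNK = 64 * 1024  # write in 64 KiB pieces so large files do not sit in RAM


def overwrite_and_delete(path):
    """Overwrite a regular file with random bytes, then zeros, rename it,
    then unlink it. Returns the number of bytes overwritten per pass."""
    size = os.path.getsize(path)
    with open(path, "r+b", buffering=0) as fh:
        for pattern in (None, b"\0"):  # pass 1: random, pass 2: zeros
            fh.seek(0)
            left = size
            while left > 0:
                n = min(left, CHUNK)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                left -= n
            os.fsync(fh.fileno())  # push past the OS cache onto the disk
    # The directory entry still carries the old file name; replace it
    # with a random one before removing it.
    anonymous = os.path.join(os.path.dirname(path), secrets.token_hex(8))
    os.rename(path, anonymous)
    os.unlink(anonymous)
    return size


def retention_sweep(root, max_age_days, now=None):
    """Securely delete files under root not modified within max_age_days.
    Returns the sorted base names of the files removed."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    removed = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):  # never follow a link out of the tree
                continue
            if os.stat(full).st_mtime < cutoff:
                overwrite_and_delete(full)
                removed.append(name)
    return sorted(removed)


def demo():
    """Constructed sample: one 90-day-old case file and one from this week,
    swept with a 30-day retention period."""
    root = tempfile.mkdtemp(prefix="retention-")
    old = os.path.join(root, "old-case.txt")
    new = os.path.join(root, "this-week.txt")
    with open(old, "wb") as fh:
        fh.write(b"intake notes\n" * 5000)
    with open(new, "wb") as fh:
        fh.write(b"current notes\n")
    ninety_days_ago = time.time() - 90 * 86400
    os.utime(old, (ninety_days_ago, ninety_days_ago))  # backdate the old file
    removed = retention_sweep(root, max_age_days=30)
    kept = sorted(os.listdir(root))
    return {"removed": removed, "kept": kept}


if __name__ == "__main__":
    print(demo())  # {'removed': ['old-case.txt'], 'kept': ['this-week.txt']}
```

Two cautions. First, nothing here can be undone, so run it against a copy and check the reported list before pointing it at real case files. Second, the in-place overwrite is only meaningful where the file system actually rewrites the same disk blocks: an SSD's wear levelling writes the new data to a different physical block, copy-on-write file systems (btrfs, ZFS, APFS) do the same by design, and synced folders and backups keep their own copies. In those situations the sweep still enforces the retention schedule, but the confidentiality of the removed data rests on full-disk encryption, not on the overwrite.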

