Slashdot Mirror


The Importance of Deleting Old Stuff

An anonymous reader writes: Bruce Schneier has codified another lesson from the Sony Pictures hack: companies should know what data they can safely delete. He says, "One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. ... Everything is now digital, and storage is cheap — why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on."

Schneier recommends organizations immediately prepare a retention/deletion policy so in the likely event their security is breached, they can at least reduce the amount of harm done. What kind of retention policy does your organization enforce? Do you have any personal limits on storing old data?

9 of 177 comments

  1. Re:Dear Nazis by turbidostato · · Score: 4, Insightful

    "Please do not keep documents about Concentration-Camp details more than 3 Months."

    Wow! Godwin's law accomplished in the very first comment. That's a feat!

    But then, I think you have a point: It seems to me that Sony's problems don't come from retaining old emails but from these emails being embarrassing to start with.

    Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

  2. Screw data retention policies by Anonymous Coward · · Score: 4, Interesting

    My company deletes emails after 90 days unless you jump through burning hoops to save a limited number of them. And it has IM logging forcibly disabled. This REALLY sucks when you want to go back to refer to something. And it is so transparently a CYA move.

    How about instead of deleting everything people just are not a-holes? And if they can't help themselves maybe they should be exposed. Instead they make us all work in circles as we forget our past.

  3. Huey Long's Philosophy applies here.... by Shakrai · · Score: 5, Interesting

    Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. ... Everything is now digital, and storage is cheap — why not save it all?

    Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company.

    Never Write what you can Phone;
    Never Phone what you can Say;
    Never Say what you can Whisper;
    Never Whisper what you can Nod;
    Never Nod what you can Wink.

    --
    I want peace on earth and goodwill toward man.
    We are the United States Government! We don't do that sort of thing.
  4. Re:Dear Nazis by gstoddart · · Score: 4, Insightful

    Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

    In fairness to him, that's pretty much the industry position on data retention, and what the lawyers will tell you.

    See, you are legally obligated to hold onto some things for a given period. Deleting it before then can get you into legal trouble if you suddenly find it needed.

    Similarly, if you are under litigation and things have been requested, you are legally obligated to hold onto it because you're not allowed to delete stuff which is relevant to an on-going court case.

    And, finally, once the base retention period has happened, and once your legal team confirms this stuff is legal to delete -- you want to get rid of it as soon as you possibly can, so that it's not lingering about to bite you in the ass.

    This has been true of the legal landscape for document/records retention for at least a decade, because older information which should have been deleted can be a liability to your company.

    The problem can be that employees hold onto stuff for their records, either as a CYA or a record of things they've worked on. And if that stuff pops up in discovery, even if the corporate version has been purged, it's legally admissible. But it's much harder to convince your employees they need to delete their copies of something, because their own personal interest means they care less about your corporate needs -- because who wants some ass of a manager coming back and blaming you for something you objected to?

    I think this is pretty much standard records keeping since SOX came into play.

    But don't think for a minute that it's just him saying essentially this same thing. This has been pretty standard stuff for quite some time, even if most people are clueless about it.

    --
    Lost at C:>. Found at C.
  5. I have a simpler policy by 0123456 · · Score: 4, Insightful

    I don't do or email anything that would "cause enormous public embarrassment" to the company if it got out.

  6. Sony could have archived by Karmashock · · Score: 4, Insightful

    You don't need to keep everything on line. That was the thing that was so stupid. They had everything online with a common key to access everything.

    First, Sony knew they had a problem over a year ago. They're refusing to admit it but everyone knows.

    Second, the way Sony laid out their network was dumb. They should have compartmentalized and archived.

    Third, when you know you are getting hacked don't just sit there with your thumb up your ass. Do something about it.

    --
    I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
  7. I have another idea... by Floyd-ATC · · Score: 5, Insightful

    If huge corporations started following some basic legal and ethical guidelines, they wouldn't have to worry so much about old documents getting leaked. If your business strategy is to f##k your customers and/or your partners, sooner or later you will pay for it, documents or no documents.

    --
    Time flies when you don't know what you're doing
  8. Re:Dear Nazis by war4peace · · Score: 4, Interesting

    I keep all my e-mails in an offline folder. 13 GB and counting.
    Saved my arse more times than I am willing to count. After the first 15 or so occurrences, people generally leave me alone when I tell them "I could dig into my old e-mails for that information".

    Deleting old stuff is definitely worse than keeping it secure, preferably encrypted using a separate tool and password.

    --
    ...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
  9. Document Retention Rules. by mschiller · · Score: 5, Insightful

    Rules:
    1) Don't delete other people's stuff. IT workers / Lawyers, I'm looking at you. You should never delete something without a specific verbal or written OK from the document owner. When you automatically delete my stuff I find ways around your scripts... It does no good, because I WILL retain my records indefinitely. So just stop wasting my time and leave my stuff alone.... The only justifiable reason to delete my files is: the server hard drive is full. But it costs less to buy a freaking hard drive than to decide what documents can be deleted...
    2) Document Retention Policy: Min: Legally required length of time Max: FOREVER. See Rule #1. You should NEVER touch my inbox, Network Drive, or any other place I store documents with an automated script, deletion of files should only occur by hand by the document owner...
    3) Don't do unethical things. You don't have to worry about what's in the document if you did the right thing in the first place... You should fire any employee who is unethical and as a corporation take responsibility if those unethical things embarrass the company. This is what reviews (code, business, technical etc) are for, you're supposed to check that your employees are following good practices... Then that circumspect code, business practice etc, would've never seen the light of day in the first place. When a corporation fails that they shouldn't hide it, they should admit it and take their licking...

    My email contains important technical information that I may need for years after I composed that email. When you delete it for me, you waste valuable company time as I recreate the exact same information I already "knew", which may have never made it into a formal document.

    JUST STOP IT. There is nothing illegal about keeping business documents forever. There is something highly unethical (and possibly illegal!) about a practice that stems from the idea of destroying evidence. So stop it. The ethical, right, and more reasonable thing to do is to enforce, from the IT perspective, the minimum retention policy. After that, deletion should be based on business need: 1) I really will never need this again and 2) the storage costs don't justify the (low) possible future return. Since storage is CHEAP, #2 should pretty much never come into play...