What not to do: Data retention lessons from the CIA

The U.S. Central Intelligence Agency can provide a good example for corporate CIOs on how to handle electronic records – by not doing what the CIA had done.

Recent reports that the CIA destroyed videotapes of interrogations of two terrorist suspects may be a case in point and a timely reminder for CIOs tasked with electronic evidence preservation rules since last December.

The e-discovery rules, amendments to U.S. courts’ Federal Rules of Civil Procedure, don’t apply to the CIA, but the agency’s decision to destroy videotapes showing harsh interrogation techniques may show private companies how not to handle evidence, some e-discovery experts said.

The e-discovery rules require U.S. companies to keep electronic records when they’re faced with a civil lawsuit or the likelihood of a lawsuit. In effect, what this means is that companies should archive e-mail and other electronic records, said Ralph Harvey, CEO of Forensic & Compliance Systems, an e-mail archiving vendor based in Dublin, Ireland. “The lesson learned is you keep everything for a finite period,” he said.

In the CIA case, several lawmakers have called for an investigation into the destruction of the videotapes. The tapes, recorded in 2002, were destroyed in November 2005, when there was a heated debate about the use of harsh interrogation techniques on terrorism suspects. Some former staff members at the government-created 9/11 Commission have also questioned whether the tapes were evidence that the CIA withheld from the group, which was investigating the Sept. 11 terrorist attacks on the U.S.

In the e-discovery rules, companies can be subject to significant fines for not producing electronic evidence they’re required to keep. In May 2006, even before the new e-discovery rules went into effect, Morgan Stanley agreed to pay a US$15 million fine for failing to produce e-mail linked to several legal investigations.

“Ultimately, the issue is you don’t know how important that e-mail is to someone else,” Harvey said.

One of the most tricky issues with e-discovery is the security of the evidence a company is supposed to preserve, Harvey added. Companies need to be able to find the electronic records, and in some cases, they may need to be able to prove that they didn’t receive a certain e-mail message, he said. In nearly every case, they’ll need to assure the court that their record is accurate.

“You can’t say you’re in compliance when Bob from administration, with a slight slipup, can delete all e-mails,” he said.

Another issue the CIA case brings up is that electronic evidence can come in many forms, said Chris O’Brien, vice president of operations for Xerox Litigation Services. Right now, e-mail is the focus of e-discovery rules, but instant messages, electronic voice mail, and Web-based video conferencing could fall under e-discovery preservation rules, he said. “Anything that’s electronically preserved could theoretically be subject to discovery,” he said.

O’Brien said he’d be surprised, however, if many companies are archiving their video conferences in order to meet e-discovery rules.

Perhaps the biggest lesson is not to destroy evidence when it’s part of an ongoing investigation — in the CIA’s case, the 9/11 Commission inquiry, said Patrick Egan, a white-collar criminal defense lawyer based in the Philadelphia office of the Fox Rothschild law firm. “Always tell the truth,” he said.

Related content:

Critics force withdrawal of city’s email deletion policy

The compromising CIO – forever compromised

Lost in space

Related Download
Improving the State of Affairs With Analytics Sponsor: SAS
Improving the State of Affairs With Analytics
Download this case study-rich white paper to learn why data management and analytics are so crucial in the public sector, and how to put it to work in your organization.
Register Now