Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Data Storage Sony IT

The Importance of Deleting Old Stuff 177

An anonymous reader writes: Bruce Schneier has codified another lesson from the Sony Pictures hack: companies should know what data they can safely delete. He says, "One of the social trends of the computerization of our business and social communications tools is the loss of the ephemeral. Things we used to say in person or on the phone we now say in e-mail, by text message, or on social networking platforms. ... Everything is now digital, and storage is cheap — why not save it all?

Sony illustrates the reason why not. The hackers published old e-mails from company executives that caused enormous public embarrassment to the company. They published old e-mails by employees that caused less-newsworthy personal embarrassment to those employees, and these messages are resulting in class-action lawsuits against the company. They published old documents. They published everything they got their hands on."

Schneier recommends organizations immediately prepare a retention/deletion policy so in the likely event their security is breached, they can at least reduce the amount of harm done. What kind of retention policy does your organization enforce? Do you have any personal limits on storing old data?
This discussion has been archived. No new comments can be posted.

The Importance of Deleting Old Stuff

Comments Filter:
  • Dear Nazis (Score:3, Insightful)

    by Anonymous Coward on Tuesday January 13, 2015 @08:09AM (#48801653)

    Official Nazi Memo

    Please do not keep documents about Concentration-Camp details more than 3 Months.
    If the gold in the inmates' teeth have been molten and the lamp-shades with their skin have been shipped all data about it can be shredded and burnt.
    Once the Jews, the intellectuals and the gipsies have all been cremated, the documents about it can be safely destroyed.
    We don't have to keep statistical data about the efficiency of the Zyklon B showers more than 1 month either, it's cheap enough.
    Immediately dismantle showers and crematorium after use, we wouldn't want the public getting a bad impression.

    PS. Do not make jokes about Leni Riefenstahl in your official communications.
    No jokes about Sonja Henie as well.
    Also, do not propose Jesse Owens as the next James Bond.

    PPS. Don't talk to Goebbels about Company secrets, he keeps a diary.

    PPPS. If anybody asks, Treblinka was a summer camp. //For the sarcasm-detector: this is a test

    • Re:Dear Nazis (Score:5, Insightful)

      by turbidostato ( 878842 ) on Tuesday January 13, 2015 @08:16AM (#48801695)

      "Please do not keep documents about Concentration-Camp details more than 3 Months."

      Wow! Godwin law acomplished in the very first comment. That's a feat!

      But then, I think you have a point: It seems to me that Sony's problems don't come from retaining old emails but from these emails being embarrasing to start with.

      Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

      • Re:Dear Nazis (Score:5, Insightful)

        by gstoddart ( 321705 ) on Tuesday January 13, 2015 @08:31AM (#48801805) Homepage

        Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

        In fairness to him, that's pretty much the industry position on data retention, and what the lawyers will tell you.

        See, you are legally obligated to hold onto some things for a given period. Deleting it before then can get you into legal trouble if you suddenly find it needed.

        Similarly, if you are under litigation and things have been requested, you are legally obligated to hold onto it because you're not allowed to delete stuff which is relevant to an on-going court case.

        And, finally, once the base retention period has happened, and once your legal team confirms this stuff is legal to delete -- you want to get rid of it as soon as you possibly can, so that it's not lingering about to bite you in the ass.

        This has been true of the legal landscape for document/records retention for at least a decade, because older information which should have been deleted can be a liability to your company.

        The problem can be that employees hold onto stuff for their records, either as a CYA or a record of things they've worked on. And if that stuff pops up in discovery, even if the corporate version has been purged, it's legally admissible. But it's much harder to convince your employees they need to delete their copies of something, because their own personal interest means they care less about your corporate needs -- because who wants some ass of a manager coming back and blaming you for something you objected to?

        I think this is pretty much standard records keeping since SOX came into play.

        But don't think for a minute that it's just him saying essentially this same thing. This has been pretty standard stuff for quite some time, even if most people are clueless about it.

        • Re: (Score:2, Insightful)

          by Anonymous Coward

          See, you are legally obligated to hold onto some things for a given period. Deleting it before then can get you into legal trouble if you suddenly find it needed.

          Similarly, if you are under litigation and things have been requested, you are legally obligated to hold onto it because you're not allowed to delete stuff which is relevant to an on-going court case.

          There's a difference in holding on to for legal (or whatever) reasons and keeping online. The former doesn't necessitate the latter.
          It's quite a bit easier to remotely hack an Exchange server than a bunch of offline tapes or drives stuffed in a safe ...

        • Re:Dear Nazis (Score:5, Interesting)

          by war4peace ( 1628283 ) on Tuesday January 13, 2015 @09:32AM (#48802229)

          I keep all my e-mails in an offline folder. 13 GB and counting.
          Saved my arse more times I am willing to count. After the first 15 or so occurrences, people generally leave me alone when I tell them "I could dig into my old e-mails for that information".

          Deleting old stuff is definitely worse than keeping it secure, preferably encrypted using a separate tool and password.

          • I keep all my e-mails in an offline folder. 13 GB and counting.

            I do the same, except I auto-delete obvious spam, so mine is less than 1GB.
            I don't see any real harm to Sony from the e-mail disclosures. Was anyone really surprised that the Sony execs thought Angelina Jolie was a spoiled brat? Who cares?

          • by bkr1_2k ( 237627 )

            What world do you work in where so much goes wrong so often that you've had 15+ occurrences where you had to "check my old email" to keep from being in a bad situation? Wherever it is, I'll stay the hell away.

            I keep all my old emails, for the same reason, but I've used them once or twice in nearly 20 years.

            • Re: (Score:3, Informative)

              by Anonymous Coward

              Not the op but keep away from corporate security. While it seems like most of us are assholes, its because you get used to looking past the smiles of the assassin's coming for you that week.
              I find I need to go pull something out of a mail archive 3-4 times a year, when someone tries to blame me for something being insecure, and in my notes I have details of how I tested it, found it bad, highlighted same and some manager overrode my concerns because there was a business need to do so taking a decision they

            • It's all about corporate culture. When the majority of your colleagues and management chain don't read their e-mails and forget a phone conversation immediately after hanging up, there will be many occasions when they come back to you after a couple months and ask "why wasn't I told about this???". So you show them they were told, but their incompetence stood in the way. They're mostly looking for scapegoats and I show them I can't be one.

              You might be lucky by working for a company with proper employees. Me

        • Comment removed based on user account deletion
          • by skids ( 119237 )

            In some countries keeping data, especially customer data, longer then needed can cause legal problems as well.

            Just about anywhere where a discovery motion can compell you to spend your own staff's time and effort answering questions about whether or not you have data X and please give data X to the lawyers, you want a data retention policy so that when you get that letter, you can just say "it's our policy to delete stuff older than Y, so X is long gone." Otherwise your techs are fumbling around in desk drawers and tape archives for old backups so you can say "yep, we looked."

        • Can't you just have a hard drive failure? Works for the IRS........ A rolling program of scheduled hard drive failures should minimise the amount of embarrasment.
      • Re: (Score:3, Funny)

        If you have nothing good to say,
        You might want to keep your mouth shut
        You never know if there'll come a day
        'Cuz the backups never go away
        You'll regret calling your boss a real slut.

        Burma Shave

      • "Please do not keep documents about Concentration-Camp details more than 3 Months."

        Wow! Godwin law acomplished in the very first comment. That's a feat!

        But then, I think you have a point: It seems to me that Sony's problems don't come from retaining old emails but from these emails being embarrasing to start with.

        Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

        That'd be his job as a security professional. Corporate ethics is another role that is obviously necessary, but that is not the subject of IT/enterprise security. It would be a stretch (and a very disingenuous one) to make inferences about Schneie's ethics from his professional position in the matter (in the context of security) alone.

        • Re:Dear Nazis (Score:4, Insightful)

          by turbidostato ( 878842 ) on Tuesday January 13, 2015 @09:39AM (#48802295)

          "It would be a stretch (and a very disingenuous one) to make inferences about Schneie's ethics from his professional position in the matter (in the context of security) alone."

          I don't think so. The man is the slave of his words and the master of his silence. Schneier is completly free to give whatever advice he deems appropriate and of course everything somebody says (given it has not been put out of context) reveals his ethos, specially if, as it is the case, it is full of behaviour indications:

          "[in regards to the attack against Sony Pictures] there's another equally important but much less discussed lesson here: companies should have an aggressive deletion policy.
          [...]
          Everything is now digital, and storage is cheap -why not save it all?
          [...]
          Saving data, especially e-mail and informal chats, is a liability.
          [...]
          If Sony had had an aggressive data deletion policy, much of what was leaked couldn't have been stolen and wouldn't have been published."

          Schneier could said just as easily something like this instead:

          "[in regards to the attack against Sony Pictures] there's another equally important but much less discussed lesson here: companies should have an aggressive policy enforcing high ethical standards.
          [...]
          Everything is now digital, and storage is cheap -why not save it all?
          [...]
          Allowing psycopaths in your company, is a liability.
          [...]
          If Sony had had an aggressive ethos policy, much of what was leaked wouldn't have been published or, if so, it would just showed what a high standards company it is."

          See? Still Schenier pointed the former, not the later.

          • Well said, turbidostato, well said!

            See also a book by a founder of MasterCard which even included a section on the importance of "open books [for accounting]" that can be inspected by all employees and customers:
            "Honest Business" By Michael Phillips
            http://www.amazon.com/Honest-B... [amazon.com]
            "An inspirational guide to ethical business practice explains how to create and manage a small business that emphasizes openness, personal integrity, and community involvement as the keys to success."

            Another related thing is Dee H

            • Curious that Schneier sees that "The problem is a [...] CYA attitude among police that results in a knee-jerk escalation of reported threats...." but still sees no problem in the same CYA attitude when it is the corporations the ones supporting it.

        • What's that saying that's used to justify spying on everyone? "If you have nothing to hide then you have nothing to fear".

          You can't divorce security from ethics, because so much of security does not make everyone safer, it often makes a small group safer from the public, and that may not be in the public interest. Security against viruses is good for everyone but the few who want to use viruses to the detriment of the infected. Security against "pirates" is much more controversial, as "pirates" too oft

        • That'd be his job as a security professional. Corporate ethics is another role that is obviously necessary, but that is not the subject of IT/enterprise security. It would be a stretch (and a very disingenuous one) to make inferences about Schneie's ethics from his professional position in the matter (in the context of security) alone.

          tl;dr He's only following orders.

          Ethics, either for organizations or individuals, isn't something that can be slapped on as an afterthought. It's either part of every role, e

      • Re: (Score:1, Insightful)

        by Anonymous Coward

        Fuck Godwin's law. That applied in the 1990's and 2000's when we lived in "end of history" times and Seinfeld nonchalance was a national attitude.

        It's 2015. We've got religious fanatics abroad, corporations looting at home, western democracies in practical paralysis, and some kind of identity-political, fascism 2.0 popping up like mold all over the web.

        The Nazi's were a lesson from history. Time to brush off the textbooks.

      • Re:Dear Nazis (Score:4, Insightful)

        by DarkOx ( 621550 ) on Tuesday January 13, 2015 @09:25AM (#48802181) Journal

        Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".

        I think you know we now live in a world where you can make a fairly benign statement and their exists a very real possibility someone with an axe to grind may strip it of its context and use it against you. I think you also know that behavior is normative. What is appropriate conversation with say all male company over beers after work, may not be appropriate while still in the office, might not be appropriate if a female colleague has joined you for those beers etc. That stuff might still land on the corporate backup server etc, if someone decides to use their corporate smart phone to video some of your night out. While none of it was ever said while on the clock, or in any official communication never the less through stupidity its found its way onto company assets; suddenly its discoverable etc.

        So now that innocent comment between to men who were meeting not as employees of Innertrode, but just to buddies having drinks about how the waitress had a nice ass, can be used to demonstrait a pattern of hostile culture or whatever in some unrelated lawsuit. That is the world we live in. It could work the other way around too, your corporate stuff might get tied up in legal proceedings involving them personally that did not need to involve the company. This alone is why BYOD should be strangled in its cradle anytime someone brings it up. You don't want peoples personal lives tied to corporate assets. You don't want your file/e-mail/backup/messaging server to be evidence in their divorce proceedings, drug trafficking trial, etc.

        Essentially my mothers advice is still the best, if you don't want someone to read don't write it down. Don't write it down, don't record it, don't photograph it. Do not keep in your diary under lock and key, do not keep it on your file server protected with AES-256, just don't record it. Also its not destruction of evidence you can't be guilty of deleting something that never existed.

        So my advice is NO BYOD period, people putting personal assets on corporate networks should be escorted to HR to receive their pink slip and then out of the building; that should be the policy. As to data retention, yes a good data retention policy is important, but even more important is education on how corporate IT assets should be used, what type of language is never appropriate, not used for personal stuff, etc.

        • To summarize: NO personal calls while at work, no personal IMs, no website browsing, no contact with the outside world except purely for business reasons.
          You're describing a company I would never want to work for. Ever.

          Disclaimer: I access Slashdot from work right now and nobody gives a shit.

        • "their exists a very real possibility someone with an axe to grind may strip it of its context and use it against you."

          And then, having full records showing both that the issue has been taken out of context and what a scumbag was the one doing so, is an asset, not a liability.

          "What is appropriate conversation with say all male company over beers after work, may not be appropriate while still in the office"

          Or is it that while a common behaviour it was not appropriate over the beers either? And then, even if

        • "I think you know we now live in a world where you can make a fairly benign statement and their exists a very real possibility someone with an axe to grind may strip it of its context and use it against you. "

          Nothing new; see Cardinal De Richelieu (1585 -- 1642): "Give me six lines written by the most honorable person alive, and I shall find enough in them to condemn them to the gallows."

          As a socially-minded countess who lived through WWII told me once somewhat tounge-in-cheek yet also very seriously (parap

          • "Nothing new; see Cardinal De Richelieu (1585 -- 1642): "Give me six lines written by the most honorable person alive, and I shall find enough in them to condemn them to the gallows.""

            Yes. And the best defense here is:
            1) Don't allow for Richelieu-level authority (aka dictators) to rise.
            2) When confronted with this six line text, be ready to offer the jury the other 594 lines of text that were deleted so they can see them in context.

            Regarding point 2, remember that even if you have in place an "aggressive d

      • by Jawnn ( 445279 )
        Insightful? Really? For a post that truly did miss Bruce's point? That point was, BTW, that if you don't have a good reason for keeping something, don't. Make that a policy and enforce it. Anything, not just evidence of corporate sleaze, can become a liability. Only a fool would keep potentially dangerous garbage when she didn't have to.
        • "Only a fool would keep potentially dangerous garbage when she didn't have to."

          Only a fool would throw away potentially valuable information when she didn't have to.

          So, back to square one, right?

      • 'Schneier's position seems to be "don't worry about your poor ethics, just cover your tracks".'

        -1, self-refuting

        This is an example of why you would want to expire a perfectly ethical message, since while you can control what you preserve you cannot control how much context someone else must use.

    • by Anonymous Coward

      Frosty godwin

    • by Zeio ( 325157 )

      Exactly right. Dont make things secure, dont keep the bad guys out. Dont make all this information searchable for future use.

      Delete and change history? That's what we've come to? Delete evidence and history like this is some sort of Enron shredding party.

      Meanwhile people who are directly damaged by Google-NSA by not being able to have the right to be forgotten cant escape, but companies can erase their past?

    • Nonsense. The lamp shades were a myth and Zyklon B was actually gift gas!

      https://en.wikipedia.org/wiki/... [wikipedia.org]

  • Air-gap. (Score:4, Insightful)

    by ledow ( 319597 ) on Tuesday January 13, 2015 @08:15AM (#48801687) Homepage

    Retain everything.

    Just make sure that anything past your legal retention limit is only retained offline.

    How hard is that? Standard practice as far as I'm concerned - when you hit the limit on what you need to store, archive it to get your space back but keep the archives around just in case you need them later (e.g. lawsuits, etc.). There's nothing stopping you putting your old tapes, or old NAS disks, into storage because by the time the data is about to retire, so are the old units that stored it.

    Not saying keep them around forever, but just keep what you don't NEED to keep offline. Otherwise you're just chewing disk space for no good reason anyway.

    Then when you do come across your (encrypted) backup tapes in the archives in a few years time, you know you can safely ditch anything there should you be short of space, and that you can probably restore anything that might be there if the lawyers send you in. And nobody can access it but you. Hell you could store it live, but encrypted, and just archive the encryption key for each year that you don't need.

    Air gap and encryption, people. Seems like it should be pretty basic stuff to a company as HUGE as Sony.

    • Re: (Score:2, Insightful)

      by Drethon ( 1445051 )
      I work for a contracting company, our data retention limit is the end of time. Though knowing that all of our e-mails are kept stored for possible contract issues also means I try not to send highly embarrassing e-mails on work e-mail...
    • It's called digital hoarding, and I've got the bug too. =)
      Keep it all! Create a git repository in the root of your documents folder and keep every version of every file you've ever saved, or use a remote cloud backup with versioning. Either way use a remote cloud backup plus external hard drive backup!
      Only this way can you be sure to never lose any thought you ever had.
      I jest, but not really.

      • Comment removed based on user account deletion
        • Re:Air-gap. (Score:4, Insightful)

          by kent_eh ( 543303 ) on Tuesday January 13, 2015 @08:49AM (#48801927)
          my old emails (especially) are kept in the "CYA" file heirarchy.
          It has served my intrerests a few times. "why didn't anyone warn us?"..."I did in this e-mail from 6 years ago (attached)".
        • by ledow ( 319597 )

          For personal stuff? Yes, I have the same.

          "Old laptop files" etc. feature heavily on any new disk I buy.

          Similarly, for email, I can query nearly 15 years worth of email from the narrow-down search in my mail browser. You don't even notice - given how quickly it can do it - but, damn it's useful when you've forgotten the login to that website you signed up to years ago and never thought you'd need ever again.

          But at work, disk space is always tight because hundreds of users try to do the same on one network.

        • I have every file from every computer system from every OS upgrade/re-install. In Windows the heirarchy looks like this: C:\old c\old c\old c\old c\old c

          Oh, I need that file from 1996? Well duh, it's under C:\old c\old c\old c\old c\old c\old c\old c\old c\old c\stuff\ 2001? C:\old c\old c\old c\documents and settings\shakrai\my documents\

          Works in Linux too, where it's just /oldroot/oldroot/oldroot/

          How idiotic is that.
          Why not give them year names or anything/something to help you navigate quickly.
          Why struggle with trying to figure out the relative 'old' path. That's just plain dumb.

          • Because if the number of times you need something times the time it takes for you to search for it is less than the time it takes to organize it carefully, then it's not worth organizing.

            Part of my "filing" system is literally a pile of papers in a box, stacked in roughly-chronological order. Insertion is O(1); retrieval is O(n) (maybe faster if I know how old the thing I'm looking for is). I insert much more often than I retrieve, so it works just fine.

    • There are Legal Reasons to keep everything. If something goes wrong, you better be able to show up evidence or you may be in trouble for appearing to hide data.

      There are political reasons too. Where I work can be very political, with a lot of finger pointing. If you can dig up data to prove that someone did it. You can stop all the nonsense and get back to work. If you delete your record that you have done something years ago, something that you may have disagreed with but was told to do it anyways. Cha

      • Re:Air-gap. (Score:4, Insightful)

        by jbmartin6 ( 1232050 ) on Tuesday January 13, 2015 @08:41AM (#48801875)
        You aren't going to appear to hide data if it is part of your data retention practice. If you can say that you were deleting everything over five years old long before any issues came to light, that isn't going to be a problem. Now if you start deleting it the day before you get the subpoena, you've got a problem.
        • by putaro ( 235078 )

          This is very true. Another issue is not that there's anything embarrassing or bad, but the sheer work of producing documents for a lawsuit can be be very expensive. If you do keep emails or other records beyond the legal retention limits they can still be subpoenaed, but if you destroy them on a regular schedule, well, can't produce what you don't have.

    • by rgmoore ( 133276 )

      Just make sure that anything past your legal retention limit is only retained offline.

      That won't help much against an attack by an insider, who will have access to the off-line repositories. Of course doing that would reveal that it was an insider attack rather than an outside hack, but the damage would still be done.

      • Just make sure that anything past your legal retention limit is only retained offline.

        That won't help much against an attack by an insider, who will have access to the off-line repositories. Of course doing that would reveal that it was an insider attack rather than an outside hack, but the damage would still be done.

        It will also fairly quickly point out who the attacker is since the offline copies are usually locked up securely that only a very few people have access to, access that is logged.

    • Comment removed based on user account deletion
    • by rssrss ( 686344 )

      IAAL: I always told clients that it is far better not to have a written record of what you said and did. It is always to your advantage to have to rely on your self serving memories than to have your memory contradicted by written evidence.

      There are some documents that you must retain by law. You should work with your counsel and accountants to identify those categories of documents and to retain them. But not one day longer than necessary.

      That said. notes and drafts are very seldom subject to legal retenti

      • IAAL: I always told clients that it is far better not to have a written record of what you said and did. It is always to your advantage to have to rely on your self serving memories than to have your memory contradicted by written evidence.

        There are some documents that you must retain by law. You should work with your counsel and accountants to identify those categories of documents and to retain them. But not one day longer than necessary.

        That said. notes and drafts are very seldom subject to legal retention guidelines. Once a document is finalized, notes and drafts should be destroyed.

        Finally, the easiest document to deal with is one that was not created. Business processes should be engineered to avoid document creation to the extent possible.

        Very true. It has bitten people more often than not having the written record.

        Though you're final drafts should also have a note about their taking precedence over any previous versions, drafts, notes, etc so as to establish their finality on the matter to prevent issues like with SCOG v Novell where SCOG claimed that the drafters knew the intentions that were suppose to be reflected yet the document clearly stated that it was the final work as intended.

    • Seems like it should be pretty basic stuff to a company as HUGE as Sony.

      You're not thinking evil enough...this is advice for businesses. A subpoena can bridge an air gap.

    • Just make sure that anything past your legal retention limit is only retained offline.

      Do you think that because it is no longer required for you to keep certain documents, that it will prevent a subpoena from demanding them if they exist?

      So, every time there is a lawsuit, you have to re-plug all of those air gaps archives to search for whatever documents the opposition deems relevant. There went February's IT productivity.

      NO. As soon as you don't need it, delete it automatically. Make it a written policy. After X years, everything is deleted unless it is placed in a certain archive manually.

  • by Anonymous Coward on Tuesday January 13, 2015 @08:17AM (#48801705)

    My company deletes emails after 90 days unless you jump through burning hoops to save a limited number of them. And has IM logging forced to disabled. This REALLY sucks when you want to go back to refer to something. And is so transparently a CYA move.

    How about instead of deleting everything people just are not a-holes? And if they can't help themselves maybe they should be exposed. Instead they make us all work in circles as we forget our past.

    • by Anonymous Coward

      Totally agree. We have a similar policy, and so much context and useful background has been lost to the auto delete monster.

      Yes ideally we should all be using better ways of managing information, but here in reality email chains are one of the main ways information moves around this company.

    • "My company deletes emails after 90 days unless you jump through burning hoops to save a limited number of them. And has IM logging forced to disabled. This REALLY sucks when you want to go back to refer to something. "

      Is sending a BCC to a personal account and a filter to forward incoming mails to the same account also forbidden?

  • Comment removed (Score:5, Interesting)

    by account_deleted ( 4530225 ) on Tuesday January 13, 2015 @08:20AM (#48801717)
    Comment removed based on user account deletion
  • She never forgets anything I say. ever.
  • Research data (Score:4, Interesting)

    by Enry ( 630 ) <enry@@@wayga...net> on Tuesday January 13, 2015 @08:30AM (#48801799) Journal

    Research data usually needs to be kept for 7-10 years after the conclusion of the grant, then usually stored much later after since the people involved have left and nobody knows what to do with it. In our research of a 2PB file server, over 1/2 of the data hadn't been touched in over a year. The desire there is to move the data to cheaper tape backup and free up spinning disk. The problem with that is it's cheaper to buy more spinning disk than it is to buy a brand new tape array that will last for 10-15 years and be able to store a few PB of data. Think of it as initial vs. incremental cost.

    But the part about employees leaving and not knowing what to do with their data is a big one. I'm sure there's leftover data from when I parted ways with my previous employer - I was there for 11 years and did a lot of work for them during that time, with data scattered all over the place. But since I'm gone there's no way they can ask me to come back and help, so all they have is what's left and if they delete any of that they have no idea what they're going to lose.

    • Research data really ought to just get published with the paper. Then (A) it's easier to peer-review / reproduce / verify the research, and (B) storing it becomes somebody else's problem. As Linus said, "Only wimps use tape backup: real men just upload their important stuff on ftp, and let the rest of the world mirror it ;)"

  • This is why I kept telling people to delete emails. Don't save everything, get rid of it. Set Outlook to auto delete on exit and don't give people the option to delete.

    But no, they whine and whine that they need to keep stuff even though they haven't looked at it in five years and the project it referred to is gone.

    Delete, delete, delete.

    • Cute. Meanwhile, if they live under any kind of fascist government regime, they usually have minimum seven-year retention policies on many kinds of data, or risk facing prison sentences.

      I know, if she didn't want her emails stolen, she shouldn't have been using such a cute ad-dress.

    • "This is why I kept telling people to delete emails. Don't save everything, get rid of it. Set Outlook to auto delete on exit and don't give people the option to delete."

      Exactly! There is no philosophical wisdom in there that could benefit mankind.
      Only dickpics.

    • I keep personal emails. However, I've worked at companies where they had a strict email deletion policy at 3 months. If the emails don't exist they can't be used in investigations against them. And it makes sense. After 3 months most people forget what they were conversing about anyway and can't provide the necessary context for emails, so they can be highly misleading and are a significant liability for the company.

      • by pla ( 258480 )
        After 3 months most people forget what they were conversing about anyway

        Yes, they do, except I draw a different conclusion from that than do you.

        I get questions literally on a weekly basis along the lines of "Why the hell did you do it that way?"

        I find it somewhat satisfying to answer by simply forwarding the asker an email, usually their own, in which they insisted I do it that way, typically over my objections that it wouldn't work correctly "that way."
  • by 0123456 ( 636235 ) on Tuesday January 13, 2015 @08:34AM (#48801823)

    I don't do or email anything that would "cause enormous public embarrassment" to the company if it got out.

  • I worked for one corporation with a 30 day email retention policy, and the servers were configured that way. After that, anything of importance was supposed to be printed and filed for future reference. And this was in the 90s. Of course, people still had email on their desktops, etc., but I'd guess it let them respond to lawsuits' discovery in a more limited manner than trawling through all email ever sent by anyone about anything, limiting risk of embarassment. I follow the logic, but pragmatically speaki

    • I get about 10GB of email a year, and do my best to purge what I can up front, but also try hard to save everything. Most of the girth is due to file attachments... And yes they really should have been saved to the file server, but sometimes it is missed. Little obscure pieces of information often come up as being useful years later-- one recent example was trying to figure out how certain financial information was derived 5 years ago.

      But the bottom line is 99% of the information stored will never be used

  • by Karmashock ( 2415832 ) on Tuesday January 13, 2015 @08:34AM (#48801829)

    You don't need to keep everything on line. That was the thing that was so stupid. They had everything online with a common key to access everything.

    First, Sony knew they had a problem over a year ago. They're refusing to admit it but everyone knows.

    Second, they way Sony laid out their network was dumb. They should have compartmentalized and archived.

    Third, when you know you are getting hacked don't just sit there with your thumb up your ass. Do something about it.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Sony have had problems in 2008 via SQL injection attacks. 2011, same thing, but this one resulted in the PSN going down for a month. 2014, oops, another SQL injection attack, but this one was covered up, Sony have managed to get the marge media outlets to remove items mentioning.

      • I've noticed. It is sort of sad how corrupt the media has become. They don't even realize it themselves. You talk to them, and I do talk to newspaper people on occasion... and they just don't see it.

      • Someone needs to make a wiki-page about all those times Sony has been hacked.
        They're already too many to keep track of in your head
  • by Floyd-ATC ( 2619991 ) on Tuesday January 13, 2015 @08:38AM (#48801863) Homepage
    If huge corporations started following some basic legal and ethical guidelines, they wouldn't have to worry so much about old documents getting leaked. If your business strategy is to f##k your customers and/or your partners, sooner or later you will pay for it, documents or no documents.
    • What, Sony respect their customers?

      BWAHAHAHA

      That's a good one!

      Corporations only care about short-term profit; they forget their long term reputation because it can't be written down in the books.

    • If huge corporations started following some basic legal and ethical guidelines, they wouldn't have to worry so much about old documents getting leaked. If your business strategy is to f##k your customers and/or your partners, sooner or later you will pay for it, documents or no documents.

      This is an appealing idea, but it's just not true in the world we live in. People make mistakes, say things they shouldn't, joke about things they shouldn't. Worse, attorneys are masters at finding evil implications and subtexts even where they don't exist. It's very easy for companies who are really trying to be good corporate citizens, serve their customers well, treat partners fairly and generally behave well to end up shafted by something that turned up in discovery in a malicious lawsuit.

      To reduce th

  • by jbmartin6 ( 1232050 ) on Tuesday January 13, 2015 @08:43AM (#48801899)
    This is the most effective form of security, and often the hardest. If you have nothing of value, there is no risk. Of course that ideal state is impossible but that doesn't mean opportunities to reduce risk by reducing the impact are overlooked.
  • Was when I worked for the RI Secretary of State's office. The Archives divisions prepared all sorts of data retention schedules and we used them.
  • A philosophical argument for those cheap Western Digital external disks.

  • I work in a school. When a term or a year closes, I do a big deletion of email that becomes moot at the end of that term or school year. A year-end cleanout often ends up with my inbox being chopped about 75%. If you have frequent senders who send mails with temporary topicality, you can sort by sender and get rid of their older mails.
  • Every company I worked for had a specific retention policy. What they didn't have is any automated means of enforcement.

    While a central server hack will get the stuff that's most easily handled automatically, lawsuits get to dig into the ugly bits that are still hanging out on the laptops of the employees waiting to be discovered.

  • Risk management? (Score:4, Insightful)

    by mark_reh ( 2015546 ) on Tuesday January 13, 2015 @09:17AM (#48802111) Journal

    I think a lot of company communication retention policies are based on risk management. They are afraid to delete anything in case they get sued. Depending on the industry they may be required to retain data by law.

    It seems this can work equally in their favor or against them.

    I have worked for a lot of big companies and realized from day one of email that there is literally zero privacy. Once you hit the send button you have no idea who is going to read what you wrote. I have always refrained from putting anything in a company email (or in a personal email accessed via company networks) that could come back and bite me in the ass. No jokes, no comments about coworkers, the boss, or management in general, no comments about the futility of the project I'm assigned to, etc. Keep it strictly business. Likewise for telephone conversations where one or both ends are in the company phone network. Likewise for web browsing and searches.

    Anyone who thinks any form of communication at their place of employment is private is an idiot. Always assume every word said, written, or typed will be heard/read by someone who was not intended to be part of the communication, either now or in the future.

  • My company has a policy - anything left in your inbox more than a year gets deleted.

    If you think it is necessary to save it, create another folder and move it there.

    My personal emails I just keep forever, but work stuff get's deleted.

  • Why didn't you burn the tapes?

    He says because he was under medication...

  • Don't be a dick. Should be easier to manage than a complicated document-deletion-strategy.
  • The Sarbanes-Oxley Act says you should retain company/corporate documents, and emails are company documents despite the triviality on the comments within.

    So by all means delete the emails, and then when the SEC comes knocking and asks about the deleted emails you've got to convince them they were only pics of cute kittens off the internet and not insider dealing. So to cover yourself you backup and retain everything for a period as designated in company policy.

    So ensure you have a short retention policy.

  • After all the e-mails that were flouted around in the Microsoft Antitrust case, you would have thought that businesses would have caught on by now. Having an active retention policy and following it does provide some collective amnesia because in any litigation situation if the information still exists it's discoverable. Personally I don't want someone delving around my e-mails from 20 years ago but unfortunately it has happened to me. The last thing you want is to be sitting in a deposition while opposi

  • by Espen ( 96293 ) on Tuesday January 13, 2015 @09:56AM (#48802499)

    The big problem with this is that storage is too cheap. ie. it's cheaper to keep buying more storage than to spend the time deciding on what to retain and what to delete.

    And this was a point made 5 years ago, not by me, but a senior exec from storage division of a technology giant developing new ways of increasing hard disk capacity!

  • by mschiller ( 764721 ) on Tuesday January 13, 2015 @10:30AM (#48802827)

    Rules:
    1) Don't delete other people's stuff. IT workers / Lawyers I'm looking at you. You should never delete something without a specific verbal or written OK from the document owner. When you automatically delete my stuff I find ways around your scripts.. It does no good, because I WILL retain my records indefinitely. So just stop wasting my time and leave my stuff alone.... The only justifiable reason to delete my files is: the Server harddrive is full. But it costs less to buy a freaking hard drive, than to decide what documents can be deleted...
    2) Document Retention Policy: Min: Legally required length of time Max: FOREVER. See Rule #1. You should NEVER touch my inbox, Network Drive, or any other place I store documents with an automated script, deletion of files should only occur by hand by the document owner...
    3) Don't do unethical things. You don't have to worry about what's in the document if you did the right thing in the first place... You should fire any employee who is unethical and as a corporation take responsibility if those unethical things embarrass the company. This is what reviews (code, business, technical etc) are for, you're supposed to check that your employees are following good practices... Then that circumspect code, business practice etc, would've never seen the light of day in the first place. When a corporation fails that they shouldn't hide it, they should admit it and take their licking...

    My email contains important technical information that I may need for years after I composed that email. When you delete it for me. You waste valuable company time as I recreate the exact same information I already "knew" which may have never made it into a formal document.

    JUST STOP IT. There is nothing illegal about keep business documents forever. There is something highly unethical (and possibly illegal!) about a practice that stems from the idea of destroying evidence. So stop it. The ethical, right, and more reasonable thing to do is enforce from the IT perspective the minimum retention policy. After that, (ie when you delete) should be based on business need: 1) I really will never need this again and 2) The storage costs don't justify the (low) possible future return. Since storage is CHEAP, #2 should pretty much never come into play...

    • My email contains important technical information that I may need for years after I composed that email.

      Why the hell are you storing important technical information on an email server? That's a much bigger wtf than IT and legal doing their jobs.

      • Simple...

        Email = Memo or Engineering Notebook from yesteryear

        Let's say your in the early design phase for an engineering program

        You've come up with 5 different ways to approach a problem. You prepare some thoughts about how to solve the problem in those 5 ways. You type them up (say 1 page per an idea) and send them to your colleague for their thoughts. They aren't formal documents and you aren't holding a meeting over it (so theres no powerpoint slides). But you've done some calculations, thought abou

    • Sorry, if it is on the company's servers, then it is the company's data and not yours. You are not as important to the company as you think you are. If you *actually* are, then they will put you in an exception list. If the policy is causing the company to lose a lot of money from all the "waste of valuable company time", then it will either change the policy or go out of business.

    • My email contains important technical information that I may need for years after I composed that email. When you delete it for me. You waste valuable company time as I recreate the exact same information I already "knew" which may have never made it into a formal document.

      The counterargument is that it's cheaper for you or someone else to reinvent that wheel than it would be for lawyers to pour over terabytes or petabytes of data that have been stored forever in the event of a lawsuit discovery.

  • What I see is the opportunity for evidence of wrong doing to be leaked to the public.

    Sony is "embarrassed"? Sony is a corporation, not a human. As such it cannot be embarrassed.

    But it can be found guilty of it's crimes, as can any other corporation.

    Let the madness begin!
  • Perhaps people will now be more circumspect in what they put in emails. As Martin Lomasney allegedly said, ""Never write if you can speak; never speak if you can nod; never nod if you can wink."
  • Once you type words into a computer, whether as email text or documents, you have to assume they will be retrievable by someone at any point in the future. Even if your company has automated retention policies, somebody could easily forward or save whatever you write, an email server somewhere could retain what you sent, a backup system could archive it.

    Document retention policies are like school zero-tolerance rules. They are stupid to begin with, and they don't achieve the desired result.

Keep up the good work! But please don't ask me to help.

Working...