In 1969, when Mario Puzo published his novel “The Godfather,” his line “A lawyer with his briefcase can steal more than a hundred men with guns” became highly quoted and recognized because of the innate truth it contained: it’s easier to rob a company through information than through violence.
He could not have imagined that, just forty years later, enough information to take over, bring down, or steal from a company could be contained on a device the size of a pack of gum. Flash drives have made it possible for corporate espionage to reach new heights, and for any disgruntled employee - from the receptionist to the president of the company - to succumb to temptation, download and walk away with the company’s data in a format so small that it can be hung on a keychain. If not accounted for in a document retention policy, flash drives present a significant risk of comprising the integrity and negating the purpose of a document retention plan.
In a posting called “Deter the Use of Flash Drives to Avoid Corporate Espionage” by James Koopman on the DCIG website, Koopman says,
The portability and high capacity of flash drives is creating headaches for many companies. The Net is swarming with stories of the ill-use, illegal activities, and security concerns as more and more of these devices are lost and stolen or used to steal sensitive information.
The site links to reports on the theft or loss of flash drives containing information as diverse as military secrets, patient data, and confidential child welfare cases, all because the drives are convenient, easy to use, take up no space, are inexpensive and easily obtainable in any electronics store.
What all this means to legal departments, of course, is that flash drives have to be accounted for when complying with record retention policies, and in planning electronic document production for litigation purposes. In some environments - the Pentagon being a notable example ("Pentagon Bans Flash Drives"), flash drives have been outlawed entirely due to security concerns.
But even if national security isn’t your bailiwick, record retention policies should take into account information stored on flash drives and all other e-document locations, as noted by Robert Miller, in “The Why and How of Document Retention Programs,” e-files can be stored using an array of portable media such as microfilm, flash drives, CDs and DVDs; or on devices such as Blackberries, Palm Pilots, laptops or even iPods. Additionally, files can be housed on systems such as workstations, servers, corporate e-mail systems, shared network drives, or even the company’s voicemail system. Clearly, the chore of locating and identifying all discoverable documents is a lot more complicated now than when they existed solely in a metal file cabinet!
It does not take a “stab” in the dark to create a sound document retention policy because specific document retention periods are set forth in several sources of law which include the Sarbanes-Oxley Act, the Federal Rules of Civil Procedure, and other federal and state statutes. You can minimize the risk of unknowingly having a “smoking gun” document act as a “silencer” at a time when you least expect it by ensuring that your company has developed a document retention policy that covers the retention and disposition of physical records and all sources of electronic records. By doing so, you’ll certainly sleep easier - and you won’t wake up to a horse’s head in your bed.