King Edward VII was widely known for his infidelities, and his wife, Queen Alexandra, had to pretend to ignore his affairs and wild escapades.
Although Queen Alexandra may have been comfortable with the King’s whereabouts after his death, organizations cannot and should not take the same comfort with respect to their electronic files. E-files that have been deleted in accordance with an organization’s document retention policy may not be where an organization thinks those files are - gone. To the contrary, the files may be dangerously lurking in the deep dark corners of the organization’s information systems.
Unfortunately, when it comes to electronic documents, common document retention and deletion policies and procedures simply may not adequately protect sensitive information from falling into the hands of others. Deleting an e-mail or electronic document may not completely remove the data from a computer or computer system. Instead, the deleted information often remains there, typically on the computer's disk drive, until it is overwritten by other information. The data can often be recovered using software tools designed for recovering deleted information.
When electronic information has not been completely deleted from a computer system, the information may be subject to discovery in litigation. Kenneth L. Stein and Richard H. An, writing for The Privacy and Data Protection Legal Reporter, http://www.law.com/jsp/ihc/PubArticleIHC.jsp?id=1167818523831, point out a number of cases where information that was thought to have been deleted from a computer system came back to haunt an organization in connection with litigation. In one such case, “forensic analysis of deleted electronic files established that the defendant had perjured himself in his sworn declarations to the court about having had no contact with a certain individual”. See YCA, LLC v. Berry, No. 03 C 3116, 2004 U.S. Dist. LEXIS 8129, at *20-24, 22 (N.D. Ill. May 6, 2004)… In another, “forensic officers were able to recover deleted computer images of child pornography, which led to a lengthy prison sentence for the defendant.” See Anderson v. McBride, No. 2:05-CV-1089, 2006 WL 2468284, at *2 (S.D. Ohio Aug. 24, 2006).
At the end of the day, a company should implement policies that both retain the documents that might be relevant to litigation, and destroys the documents and metadata that might be sensitive and private. A document retention policy that includes automatically deleting e-mails and electronic files, without also wiping the underlying data in those e-mails and files, leads to a false sense of security.
The lesson: unlike King Edward VII, who was safely interred in the chapel at Windsor Castle and hasn’t been seen since, your e-files are not dead and buried until the underlying data is wiped clean. Don’t let your metadata come back to haunt you.