Friday, April 13, 2007


The heightening "DR3" tension, by which I mean the tension among document retention, disaster recovery, and discovery requests, is highlighted by the current kerfuffle over White House staffer email gone missing, and then rising like the phoenix. Interesting recounts of events are reported in today's New York Times and elsewhere.

It appears that, by using the facilities (i.e. email accounts) of the Republican National Committee, as many as 50 WH staffers may have violated the Presidential Records Act. That act generally requires the preservation, in perpetuity, of certain government documents. The RNC, however, has a document retention policy providing for the destruction of all emails after 30 days. Oops.

There have been conflicting statements in connection with these emails. They are "missing," "lost," or "deleted." Some 2400 pages of documents are reported by the NYT to have now been located and provided to Congress. Karl Rove is reported to have understood that "all" of his emails were being archived. All in all, one huge mess.

This points to two major DR3 tensions, the first of which is between document retention programs and statutory or regulatory retention laws and regulations having conflicting requirements.

The second DR3 issue is the "copies" or "backups" of documents which, according to the "document retention" program, now suddenly crop up after they are believed to have been destroyed in accordance with said document retention policy.

This parade of horribles underscores the need for C-level and other top management to be involved in the architecting and actual comprehension of document retention policies (and by this I don't mean having your IT people nod and tell you that "all is ok") and to institute some way to ensure, in a persistent manner, the proper enforcement of those policies.

Guess what, fellas and gals? This is all about information security and legal issues, and none of it is about perimeter defense.

2007-04-13 The High Cost of Backdating

For those who have steadfastly stated to me during the past 10 years that there is no way to quantify losses or potential risk of liability for time-based data manipulation, I offer the restitution arrangement agreed to by Sanjay Kumar, former CEO of Computer Associates and now convicted felon. He agreed to repay $800 million (that's an 8 with 8 zeroes after the digit) for his acts, which included backdating contracts and cost Computer Associates (now CA) a bundle in earnings restatements. He actually has only $52 million to pay at the moment, but those funds are coming from his, and from his family's, assets.