20
Feb 12
In-house corporate lawyers know the best way to never get caught is to eliminate your paper trail in a subtle enough way to avoid the appearance that you’re eliminating your paper trail. This is where a corporate email archive deletion policy comes in.
If you delete relevant emails, after you have been sued, that is spoliation and it will get everyone down the line, especially you as an in-house lawyer, in a lot of trouble. BUT if you have a regular corporate policy of periodically deleting emails, and you happen to delete crucial evidence even on the day before a suit is anticipated, then it’s not spoliation.
While general counsel will claim publicly that these policies are in place to streamline their email systems, everyone knows they are really there to delete potentially incriminating evidence in future lawsuits.
Companies know that incriminating evidence always exists in emails because emails document the conversations and decision-making that goes on in all organizations. But they need a justification other than “We don’t want to get caught.” So that’s how you get corporate doublespeak like “e-mail stabilization and modernization” programs, with its vague suggestion that there is a technical reason to delete old emails, as if a company’s entire email system might crash under the weight of old emails stored on a server.
via TechCrunch – The Only Reason Companies Delete Emails Is To Destroy Evidence
09
Aug 11
Sometimes, to steal millions of dollars worth of private data, all you need to do is ask nicely…
The facts alleged in Baidu’s complaint are enough to send both giggles and shivers down the spine of any techie or information security officer. The intruder contacted Register’s tech support chatline and asked to change the e-mail address for the Baidu account. The intruder gave an incorrect answer to the Register representative’s security verification question, but the representative nonetheless e-mailed a security code to the on-file Baidu address for the intruder to repeat through the chat service. Not having access to Baidu’s e-mail, the intruder repeated back a code that Register.com claimed was similar to the correct one (that is, if you consider 96879818 a similar number to the correct code, which was 81336134!).
According to Baidu’s complaint, the representative did not compare the two numbers, but rather went ahead and processed the intruder’s request to change the e-mail address on file to antiwahabi2008@gmail.com. (Not only is this a rather odd-looking address for the third largest search engine in the world, but, as the court noted, “‘gmail.com’ is the domain name of a competitor of Baidu….”). The intruder then went to the Register.com site and requested a new username and password by clicking on the “forgot password” button. The system generated an e-mail to the intruder’s address enclosing Baidu’s username and a link allowing the intruder to change the password for the account and gain access. Baidu’s operations were interrupted for five hours, and, according to the complaint, Register did not even begin to address the problem until two hours after first being contacted by Baidu.
via With Security, You Can’t Always Hide Behind Disclaimers