E-mails Felled Missouri Gov. Matt Blunt; Will You Be Next?

November 16, 2008

If e-mails are the smoking gun of the 21st Century, yesterday’s articles in the St. Louis Post-Dispatch paint a picture of a governor’s administration brought to its knees by electronic weapons of mass destruction. (www.stltoday.com/stltoday/news/stories.nsf/missouristatenews/story/C0EBA8398C4CF4DE86257502007997A1?Open Document)

Emails from Blunt’s office obtained by the Post-Dispatch via a lawsuit brought under Missouri’s Sunshine Law refute a number of claims by the Blunt Administration that never really passed “the smell test.”

Blunt subordinates claimed that fired Blunt attorney Scott Eckersley never raised concerns with his superiors that the Blunt administration was deleting e-mails it was required by law to keep. The e-mails established that Eckersley did.

Members of the Blunt administration denied doing government business using campaign e-mail accounts. Again, the e-mails obtained by the Post-Dispatch refute that denial.

The e-mails reviewed by the Post-Dispatch also include personal e-mails authored and received by Blunt administration officials, including former chief-of-staff Ed Martin.

It’s remarkable that the governor and officials at the highest level of state government apparently believed that the truth would never see the light of day. But I wonder how many other CEOs and high-level managers in both the public and private sectors are in the same predicament. While private concerns, of course, are not subject to Sunshine Law requests, the same type of data that doomed the Blunt administration is subject to subpoenas and other legal process directed to private concerns.

The question is, who will learn from the demise of Gov. Blunt?

DISCLOSURE: Prior to founding The Chval Law Group in January 2008, I was employed by Attorney General (now Governor-elect) Jay Nixon as the chief of the Attorney General’s High Tech and Computer Crime Unit. I had no involvement in any investigation of or litigation involving the e-mail or data retention practices of Governor Blunt’s office.


What To Do With A Departing Employee’s Computer?

November 15, 2008

Computing resources are hardly like paper clips for most small and medium businesses. When an employee leaves, most businesses want to put those valuable resources back to work as quickly as possible.

But simply turning over those devices – whether desktop, laptop, PDA, etc. – to another employee could have disastrous results. The media may contain saved passwords or sensitive information that the new user should not be able to access.

One possible preventative measure involves wiping the device’s hard drive clean before re-issuing the device. But doing so may destroy electronically stored information required by law to be preserved. Even if none of the data on a wiped hard drive is subject to legal retention requirements, if a former employee later institutes legal action against the business, electronic data which may have helped the business defend itself may have been lost forever.

Some experts advise installing a new hard drive and preserving the old one. A downside to that approach, however, is the likelihood of retaining information long past the time your data retention policy (you do have one of those, right?) would otherwise permit its deletion. Potentially making the matters even worse is that, in the event of future litigation, searching dozens or possibly hundreds of preserved hard drives could significantly inflate the cost of data review and production.

Here are a few considerations regarding departing employees and their company-issued computing devices:

(1) Never re-issue digital media without effectively purging sensitive data.

(2) Have procedures in place to identify data subject to retention (pending or anticipated litigation, regulatory compliance, etc.) when an employee leaves.

(3) Determine whether circumstances surrounding the former employee’s tenure or departure warrant preservation of data, and if so, preserve that data in a forensically-sound manner.

It’s very unlikely any departing employee’s data is either all properly deleted or all properly retained. Developing and implementing procedures to determine what to keep and what to delete will go a long way toward saving your business some big headaches.