572 Part IV • The Information Management System
the date a request is made. Tiered penalties (e.g., unintentional
disclosures versus willful neglect) include both large
civil fines and even criminal imprisonment. There are currently
over a dozen major laws within the United States
alone that require information retention and protection.
In general, most businesses have greatly underestimated
their digital liability for actions their employees
have taken. For example, Microsoft executives clearly did
not think out the consequences when sending e-mails
about Netscape (see the box entitled “Is E-Mail Forever?”).
Digital liability management requires ensuring that
managers are knowledgeable about the risks involved in
information mismanagement, the need for precise policies,
and the legal and regulatory environment that its
Post-Katrina BCP Lessons
Northrop Grumman Corporation learned a lot about Business Continuity Planning from Hurricane
Katrina—the hard way. Here are four of its lessons:
— Keep Data and Data Centers More Than 100 Miles Apart
The BCP assumption was that a backup data center facility only needed to be a minimum of
100 miles away from the facility it was backing up. But Katrina’s width exceeded this distance,
and two data centers that served as backups for each other got wiped out.
— Plan for the Public Infrastructure to Not Be Available
Katrina wiped out all public communications in the company’s Gulf Coast location. In addition,
roads were washed away or closed and airports were shut down; water was also shut off or, if
not, it was polluted.
— Plan for Civil Unrest
Personnel had to be brought into the area to secure a physical facility.
— If Your A Team Is Not Available, Assemble a B Team
The company’s qualified technical support personnel weren’t available, so other employees
were trained to work with IT industry suppliers to assemble and test new equipment.
[Based on Junglas and Ives, 2007]
Is E-Mail Forever?
The basis of a U.S. government antitrust case against Microsoft was that Microsoft conspired to use its
monopoly on the desktop computer market to drive Netscape (which introduced the first commercial
browser) out of business. Microsoft denied it—but were there copies of incriminating e-mails somewhere
to prove otherwise? Yes—there were hundreds of e-mails, all on servers outside of Microsoft.
How can this happen? If an organization is using Open Shortest Path First (OSPF) routing, then it
is allowing the network to choose the quickest route to send its information, including its e-mail. This
means that an e-mail could pass through a number of public servers anyplace on the continent. The
sending organization has no control over these servers, and these machines are constantly backing up
the information passing through them. Thus, it is very reasonable to assume that there will be discoverable
electronic copies archived somewhere.
Recent history has also shown that companies cannot even control their e-mail on their own private
subnets. Individuals can make copies, save them, forward them, and most definitely do not
“wash” them forever off their storage devices.
So: Is e-mail forever? As users and managers, you should assume that yes—it is. In other words,
it is much more probable that a computer forensics specialist will be able to recreate the e-mail than the
creating person will be able to erase it forever from everyplace.
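The following is an added example, not part of the original text. Each mail server that relays a message stamps its own Received header, so reading those headers shows which machines outside the sender's control handled a copy and may have retained it. The message, host names, and the corp.example.com domain are constructed for illustration.

```python
import re
from email import message_from_string

# Constructed sample message (not real traffic). Each relay prepends its own
# Received header, so the topmost entry is the last hop before delivery.
RAW = """\
Received: from mx.partner.example.net (mx.partner.example.net [203.0.113.9])
\tby inbox.recipient.example.org with ESMTP id C3; Mon, 5 Jan 2009 10:00:07 -0500
Received: from relay2.isp.example.net (relay2.isp.example.net [198.51.100.7])
\tby mx.partner.example.net with ESMTP id B2; Mon, 5 Jan 2009 10:00:05 -0500
Received: from mail.corp.example.com (mail.corp.example.com [192.0.2.25])
\tby relay2.isp.example.net with ESMTP id A1; Mon, 5 Jan 2009 10:00:02 -0500
Received: from desktop17.corp.example.com (desktop17.corp.example.com [192.0.2.130])
\tby mail.corp.example.com with ESMTP id 00; Mon, 5 Jan 2009 10:00:00 -0500
From: manager@corp.example.com
To: contact@recipient.example.org
Subject: constructed sample

body
"""

def hops(raw):
    """Return the receiving host of every hop, in the order the message travelled."""
    msg = message_from_string(raw)
    ordered = reversed(msg.get_all("Received") or [])  # oldest hop first
    found = []
    for value in ordered:
        match = re.search(r"\bby\s+([\w.-]+)", value)  # "by <host>" names the receiver
        if match:
            found.append(match.group(1).lower())
    return found

def outside_control(raw, org_domain):
    """Hosts that handled the message but do not belong to org_domain."""
    org = org_domain.lower()
    return [h for h in hops(raw) if h != org and not h.endswith("." + org)]

if __name__ == "__main__":
    for host in outside_control(RAW, "corp.example.com"):
        print("copy may exist on:", host)
```

Received headers written by servers the investigator does not trust can be forged, so in practice only the hops added by known servers are treated as reliable.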