Digital Paper Trails: The Good, the Bad, and the Ugly

Hillary Clinton has been making a lot of headlines recently for setting up her own private email server while she was Secretary of State in the first Obama administration. Her decision not to use the government’s email server is concerning for a couple reasons: First, using a personal server for government correspondence posed a huge security risk and second, since there is no way for the government to track Clinton’s correspondence many are accusing her of suspicious activity. The permanent record your email correspondence leaves behind has become the modern day paper trail. Once you send or receive an email, the information contained within it is recorded and archived for future reference, often even after you delete it from your email client.

The email paper trail has its benefits – it can be a godsend if you need to check the details of a conversation that took place months ago or retrace the steps of a deal. But it has its bad and even ugly sides, too. In light of the recent accusations against Clinton because she didn’t leave a digital paper trail, the virtues and vices of the email paper trail are worth discussing.

The Good

Email and other electronic communications have dramatically changed the contemporary legal landscape. Because it is so widely used and practically impossible to get rid of, email serves as documentation for almost every move an organization and its employees make. Like the traditional paper trail, organizations can use the email paper trail to their advantage.

From a practical standpoint, paper trails have always been useful. A paper trail documents processes and procedures so that anyone can recreate them or finish them when incomplete. A paper trail provides proof of transactions – that they were conducted and exactly how they were conducted. Documentation is also important for billing purposes and audits, and in some cases, it’s mandated by law. When you lay a good paper trail, you create evidence that you followed procedures and laws – evidence that can ultimately protect you from claims of wrong doing.

The Bad

Organizations invest both time and manpower in laying a good paper trail to document procedures and comply with the law. While doing so is good practice, it cannot help you when workers make missteps, unintentional or not. Workers today have more freedom and flexibility in how and when they get their work done, using all manner of devices to send and receive correspondence from anywhere there is a network connection. With communication flowing so freely, it is easy for workers to use less discretion with every piece of correspondence they send. They may not realize that any hasty reply or lapse in judgment captured in an email or other electronic communication can be used against them or their organization.

Take the recent antitrust hiring suit involving tech giants Apple, Google, Adobe and Intel as a case in point. The case pitted 64,000 Silicon Valley tech engineers against corporate bigwigs like former Apple CEO Steve Jobs and former Google CEO Eric Schmidt, who agreed not to solicit one another’s employees, a so-called “no poaching” deal. In so doing, they restricted the natural flow of talent and artificially suppressed employee income in the Silicon Valley.

The deal was informal, but it was documented in a series of incriminating emails sent among the executives that were meant to be secret. The email evidence ultimately forced the defendants to pay an estimated $300 million settlement in early 2014. This is just one of the ironies of the case, according to a New York Times article: Silicon Valley might have made email a daily habit for hundreds of millions, but the suit showed that even technology executives can be careless of its ability to supply lawyers with evidence.

The Ugly

Email blunders that surface during a lawsuit can damage an organization’s reputation and finances, but when hackers force entry and access a company’s email in a blatant attempt to bully or humiliate, things can get downright ugly.

In the hack heard around the world that took place in November, Sony Pictures was the target of a massive breach where hackers stole and leaked 11 terabytes of data, including several unreleased films, sensitive internal emails and company documents revealing employee salaries, Social Security numbers and medical information. Not only has Sony suffered public humiliation, but the entertainment giant will also lose significant revenue as a result of the leaked movies and limited release of the film “The Interview,” which purportedly sparked the hack in the first place. Experts say this type of attack, which is very personal and maliciously destructive in nature instead of simply aiming to gain intelligence, is unprecedented.

In Conclusion

Where court cases 20 years ago could involve 300,000 pieces of paper on the high end, the paper trail of electronic communications connected to a case today can – if printed – number anywhere from 30 million to 300 million pieces of paper.

Ultimately, it’s up to IT to decide how to regulate and manage the data produced by email, whether by using proactive email filters that can catch troublesome emails before they are sent, or by using electronic records management systems that dictate what information to keep, what to discard, and how to archive electronic documents for future reference.

The fact that today’s paper trail is mostly paperless makes it no less real. It’s incredibly important to comply with your organizations’ (or in Hillary Cinton’s case, the government’s) email regulations and to be aware that you’re leaving a digital paper trail with every message you send. Do these things and the email paper trail could end up helping you in the long run rather than hurting you.

Ransomware and the propulsion of the extortion economy has rapidly eclipsed into a national priority. Recently, we observed the catastrophic impact of a widescale ransomware attack impacting gas pipelines and raising national gas prices overnight.

How can security leaders charged with investigations handle the management of interviewers and interrogators, as well as handle interviewing, including dealing with false confessions and misleading information?