The Security Samurai

Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves - William Pitt


Shred It! and Black, White, and Grey Hats

Interesting read over at Security Focus called Shred It! It discusses document retention policies and a recent Supreme Court ruling following the Enron/Arthur Andersen debacle.

The second worst thing you can do in the face of a government investigation is to destroy the documents relevant to that investigation. The worst thing you can do, of course, is to almost destroy these documents.

The ethics and legality of destroying documents are interesting, and there is a very fine line between criminal and responsible actions. The bottom line is that if you are going to destroy documents, make sure it is not targeted (they enthusiastically applied their policy only to the Enron auditors) and make sure you destroy all copies of such material (emails on the server and client, documents on laptops, servers, etc.). Neither of these is an easy task, and if you are not willing to invest the money to cleanse everything, it's far cheaper to delete nothing at all.

It is also interesting to look at the three different classes of hackers: Black Hats, White Hats, and Grey Hats.

The difference between White Hats and Black Hats is a matter of ethics. They learn and hone the same skills but use them for different purposes. A security researcher who exposes vulnerabilities in a responsible and ethical manner belongs to the White Hats, while one who discloses them in the form of a virus is deemed a Black Hat.

The Grey Hats use their skills in the best interest of their employer. This is why I like to call them Security Samurai, because the term samurai denotes a warrior who serves a master. We strive to protect our employer from any attacker, be it a competitor or litigation. We also have something in common with defense attorneys, in that we are not bound by the same ethics that most people are. We straddle a fine line between legal and criminal and are a necessary evil for companies that want to protect themselves.

I have said many times before that I will never violate an NDA agreement that I have with a company. Truth is, it doesn't take an NDA to keep me quiet. It's what I believe in and what I have dedicated myself to. Don't get me wrong, I've seen some pretty f'ed up things that make me want to scream. Instead of blowing the whistle and publicly disclosing the follies of different organizations, the best I can do is relay them in stories for education's sake. I change the industry and a few facts, and leave you with the moral.


posted on Monday, June 13, 2005 6:34 PM