Think Twice Before Using the "Delete" Key
In the wake of Enron and WorldCom, the Senate passed the Sarbanes-Oxley Act with a vote of 97 to 0. The law applies mostly to publicly traded companies, their interactions with their accountants, and subsequent punishments for violations. Among other things, the law makes it illegal to destroy or alter a document with the intention of impeding or obstructing an investigation. This article on Thin Planet makes a good case for why corporations should reconsider implementing document retention policies.
The law has received a lot of criticism for not requiring companies to report stock options on balance sheets, the practice that allowed Enron and WorldCom to happen in the first place. It does, however, attempt to prevent the paper-shredding fest that followed these scandals:
Whoever knowingly alters, destroys, mutilates, conceals, covers up, falsifies, or makes a false entry in any record, document, or tangible object with the intent to impede, obstruct, or influence the investigation or proper administration of any matter within the jurisdiction of any department or agency of the United States or any case filed under title 11, or in relation to or contemplation of any such matter or case, shall be fined under this title, imprisoned not more than 20 years, or both.
The Thin Planet article argues that implementing corporate-wide document retention policies could be construed as an attempt to avoid prosecution or impede an investigation. Since such a policy would be mandated by and followed throughout the company, the officers of the company would be held responsible.
Before degenerating into technobabble about thin clients, fat applications, and server-based computing, the article goes on to suggest that the law is sweeping enough to include less profound but more common cases. It uses the example of a human resources person who receives an e-mail implicating an employee in sexual harassment and then deletes the e-mail.
There are other, even murkier issues. What if the HR person's system deleted the e-mail for them as part of an automated document retention policy? What if that same e-mail was trapped by a spam filter because of lewd language, and the HR person never received it? The harassed employee might later be able to prove he or she sent it, but the HR person couldn't prove it was never received. Who do you think a court would believe?
Luckily, it is up to the prosecutor to prove guilt. As any expert would testify, there are any number of reasons that an e-mail message simply would not make it to its intended destination. Hopefully, it would take more than just a missing piece of e-mail. Nevertheless, this law is only a few months old and hasn't been tested yet. As real-world scenarios play out, they'll expose other chinks in the armor.