Not-So-Secret Service: Text Retention and Deletion Policies

Recent news reports indicate that the United States Secret Service, as part of a hardware replacement policy for agents’ phones, allowed individual agents to wipe all of the data from their devices, and failed to preserve text messages as required both by federal law and pursuant to demands from both Congress and the USSS’s oversight agency, the DHS Office of the Inspector General.

It was reported that, long before the replacement program was implemented, employees were advised of their document retention requirements, and were provided specific procedures about how to restore their old devices to factory settings while preserving the data formerly contained therein. Apparently, nobody got the memo, or — in a more sinister interpretation — they got and deliberately ignored that memo. Generally, I am a fan of not attributing to venality that which mere stupidity can adequately explain, but when the device wiping was systematic and programmatic, that’s an awful lot of stupidity to explain.

Many government agencies and private entities have both a hardware and data life cycle. Laptops, hard drives and smartphones are replaced. Emails that are no longer needed by the company, and for which there is no legal retention requirement, are purged, as are outdated documents, files, attachments, etc. In fact, from a privacy and data security standpoint, it is important to get rid of data that is no longer needed and to update hardware and software in a way that includes the latest security and privacy protections.

The flip side of this, of course, is that data that is needed for the functioning of the entity—or which is required to be maintained by law—must be preserved in the process of upgrading or migrating.

As such, companies need to have robust document retention and destruction programs to identify data that needs to be deleted and data that needs to be kept. This includes a process for a litigation hold—that is, a suspension of the document destruction program when the data that is to be destroyed is relevant to ongoing or anticipated litigation or investigation. To be subject to a litigation hold, it is not necessary that there actually be litigation and formal…