SANS Digital Forensics and Incident Response Blog

Destruction of adverse documents

It is an offence to destroy any document that is or may be used as evidence in an ongoing or potential judicial proceeding in most western (at least the common law) jurisdictions. An organization must not destroy documents on the foundation that the evidence is unfavorable. The penalties for the destruction of documents suspected to possibly be subject to litigation may perhaps end in a charge of obstruction to justice. This makes the determination of deleted material that has been destroyed following a litigation hold situation a key goal of the forensic investigator.

Adverse inferences are often upheld in litigation if a party cannot produce the required documents. There is also the hazard of reputation damage. In British American Tobacco Australia Services Limited v Roxanne Joy Cowell for the estate of Rolah Ann McCabe [2002] VSCA 197 the Judge in first instance seriously denounced BAT for the methodical destruction of a large number of records. Documents that may hold evidentiary value need to be retained. Sardonically implementing a record retention policy without taking proper precautions will generally draw an adverse inference from the court if there is any departure from the policy.

The consequence is that policy also necessitates ongoing education about the policy and the procedures utilized to enforce it and constant re-examination of its content. Where a document has been deliberately destroyed, the court is likely to come to a negative determination.

The litigation process of discovery
Discovery is the progression of events that follow the initiation of legal proceedings. A matter will proceed to Court only after all parties have delivered up relevant documents or have presented testimony that they cannot provide these documents. The process of e-discovery involves electronic records such as emails.

Rigidly enforced periods make it vital for the parties to be able to retrieve documents and emails promptly. The forensic investigator has a duty to uncover breaches of litigation hold. Documents destroyed within the period following knowledge of a law suit for instance come under this category.

Expectation of Privacy
Privacy in the workplace is a contentious subject. The definitions of privacy, and its means of protection, vary by jurisdiction. Employee email is commonplace and is used for both work and private means. Organizations have stringent legal requirements in the European Union, Australia, the United States, and other jurisdictions to guard information on private individuals from unauthorized disclosure.

The expectation of privacy does not provide the right to destroy evidence. It is a matter for the court to determine if a file is relevant to a particular case or if it may be excluded.

How strong can the law be?
To answer this, I put forth an example of a fairly recent Australian law. The Victorian Crimes (Document Destruction) Act 2006 (the Document Destruction Act) was passed into law in Victoria (an Australian State) in 2006. Together with the Evidence (Document Unavailability) Act 2006 (the Document Unavailability Act), these pieces of legislation amend the Victorian Crimes Act 1958 and Evidence Act 1958, correspondingly. They where issued in response to concerns raised by the Report on Document Destruction and Civil Litigation in Victoria, by Professor Peter Sallmann. These documents add weight to the need for all companies comprehend their responsibility in respect of how they store or destroy any documents. This incorporates email and other electronic files.

The Document Destruction Act establishes additional criminal penalties and the Document Unavailability Act sets up new civil consequences. The Document Destruction Act affects acts carried out in Victoria such as those by companies resident (or engaging in business) within Victoria. The Document Unavailability Act pertains to civil proceedings initiated within Victoria.

These particular acts are focused on proceedings that have been started within a single state in Australia. The thing is, that the individual laws may vary (and at times be unclear), but it is nearly universal that the destruction of a document that could be used as evidence in a court is a crime. Where this really comes into effect is that the evidence of the destruction of a document can in fact be worse then the material which may have been contained in the document that was destroyed.

Craig Wright, GFCA Gold #0265, is an author, auditor and forensic analyst. He has nearly 30 GIAC certifications, several post-graduate degrees and is one of a very small number of people who have successfully completed the GSE exam.