The Intersection of Human Factors, Accidents, Security and Business
Spafford Global Consulting - A Technology Business Consultancy Focusing on Human Factors, Accidents and Security
People are the key to success!

 

Lost and Found

By: George Spafford

May 19, 2006

In a recent embarrassing disclosure, there were plenty of pictures on the news services of the US Army going to the bazaars in Afghanistan and buying memory sticks (the solid-state USB thumb drives) by the box load. As with many news events that I run across, this one caused me to stop and think about the intersection of lost devices, lost and found, and liability.

Of course we hear of the occasional news story wherein someone leaves a CD in an airline seat, a notebook is lost, etc. For each story we hear about, I wonder how many hundreds never make it to the point of being disclosed. An employee loses a personal USB device, is embarrassed or fearful and never reports it. Or, an organization is aware and chooses to hope that nothing ever happens.

Regardless of the cause, I suspect that the number of storage devices lost due to human error is staggeringly high. Again, this is just a suspicion, but I bet we are not just talking about dozens or hundreds but thousands and thousands of devices being lost, or misplaced, each year. I am sure that malicious theft does happen, but I bet the number of malicious occurrences is dwarfed by human error.

Doubtlessly, many lost units are formatted or have their contents deleted and are then pressed into the personal service of a "lucky" finder who doesn’t feel inclined to turn the unit in to a lost and found department for some reason, but at the same time does nothing malicious with the data.

Beyond that, there will be some percentage of units that are picked up, scrutinized for useful/marketable information and then either pressed into service, sold or discarded. The key is that the data is compromised, pressed into unintended service and potentially sold via one of the information exchange mechanisms as a modern day digital salvage of sorts.

Lastly, some number of units will be found by other customers/visitors/employees of hotels, airports, restaurants, malls, airlines, and so on, and are then turned in to lost and found departments. These lost and found departments range from informal to formal operations and usually have a limit as to how long they will hold on to what is turned in. But what happens if the device and owner aren’t reunited?

At this point, one would hope that they either physically destroy the units or have a trusted party perform a secure wipe of the units before they are donated to charity, auctioned off, given to employees or whatever. Using Google to search on the liability of lost and found groups yielded many interesting results. The recurring theme is that these groups expressly disclaim all liability. In short, they really aren’t required to do anything with the data on the devices. If some do make efforts to safeguard/destroy the data, then I certainly applaud their efforts on our behalf.

After spending several days researching, my findings are very simple. Once your data is out of your hands, it is out of your control. Don’t put unencrypted sensitive data on storage devices that you can misplace or that can easily be stolen. Assess the use of encryption on all portable devices to render the data useless if it falls into the wrong hands. In the end, the party losing the data may feel very frustrated, but in this litigious world, others may seek legal recourse to ascribe blame and seek restitution for damages for the loss. The latter situation is a risk that everyone wants to avoid.

--------------

It is interesting to point out that under maritime salvage laws, the salvor (the person recovering the vessel) cannot deny the owner, or agents of the owner, access to the property to inspect or preserve it. However, the salvor can apply a maritime lien to recover salvage charges. I’m not saying that this applies to data storage devices for sure, but the potential intersection between the physical and digital worlds is interesting to ponder.


Copyright (C) Spafford Global Consulting, 2004-2008. All Rights Reserved.