Chain of custody: do you know where your data is?

Blogs and Articles

With data volumes doubling every two years, organisations must be able to account for data throughout its management lifecycle.

4 June 20227 min
Iron Mountain logo with blue mountains
By Bill Laberis

With data volumes doubling every two years, organisations must be able to account for data throughout its management lifecycle.

Organisations of all sizes are failing to prove a comprehensive chain of custody of their digital data and paying a hefty price for that error.

What is chain of custody? Think of it as the complete, fully documented step-by- step history of where digital assets live and who has charge of them, from the time they are created right through their destruction. And destruction doesn't mean tossing digital media into a dumpster or handing it over to someone else who cannot prove beyond doubt it was utterly destroyed. It means disposing of this media through a secure, compliant programme.

Chain of custody applies to digital media in any form - from tape to magnetic media and all other means by which electronic information is managed. For most businesses, this process must be a complete, unimpeachable record showing through whose hands media passed, where it was stored, how and when it was altered and where it was stored. Anything less can expose the organisation to fines, run-ins with regulators, public condemnation, even ridicule – all of which can impact the bottom line. You must be able to account for data being properly stored and correctly represented.

Chain of Custody: an Example

Consider this example of the value of strong chain of custody. Wrongful termination suits are quite common. And often a court will order the seizure of certain items, such as the laptop of the HR director or perhaps even a CEO. The judge may require the CEO's company to collect and then turn over all the CEO's emails for some period of time.

The previous employee's attorney may well attack the methodology by which this email collection was handled and whether there were any opportunities for the emails to be altered or tampered with. The attorney may question the propriety and honesty of the person who actually obtained the emails. If a defensible trail of any and all electronically stored information in question cannot be proven, the CEO and the company may be in for a world of hurt.

Screening Vendors

Obviously there are a lot of ways to get chain of custody wrong. Here are some important things to look for when screening vendors touting their chain of custody expertise:

  • Can the vendor prove beyond doubt that it knows the location of every single stored asset at any and every moment?
  • Is access to your stored assets given only to authorized technicians?
  • Is each and every one of your data assets assigned a unique identity?
  • If your asset is updated or edited, is it assigned a new unique identity along with an audit trail of the changes made?
  • Does the vendor create and maintain hard copies of every interaction with your assets in the event of a computer failure
  • Can the vendor guarantee it can access then retrieve all your assets in minutes, not hours and certainly not days?
  • Can you edit, remaster, remix and otherwise alter your asset without ever touching the original digital masters, which remain protected in a secure facility?
  • Are you offered a wide choice of geographic storage facilities to minimize risk of natural disaster?
Make sure any company seeking to store and maintain your invaluable digital assets can answer "yes" to all these questions above. There is simply too much at stake to allow for error.