In a recent embarrassing disclosure, there were plenty of pictures on the news services of the U.S. Army going to the bazaars in Afghanistan buying memory sticks (the solid state USB thumb drives) by the boxload.
As with many news events that I run across, this one caused me to stop and think about the intersection of lost devices and liability.
Of course we hear of the occasional news story where someone leaves a CD in an airline seat, a notebook is lost, etc. For each of these known stories, I wonder how many hundreds never are disclosed. An employee loses a personal USB device, is embarrassed or fearful, and never reports it. Or, an organization is aware and chooses to hope that nothing ever happens.
Regardless of the cause, I suspect the number of storage devices lost due to human error is staggeringly high. Again, this is just a suspicion, but I bet we are talking about not just dozens or hundreds, but rather thousands and thousands of devices lost or misplaced each year. While outright theft of USB devices undoubtedly happens, I suspect the number of malicious occurrences is dwarfed by human error.
Doubtlessly, many lost units are formatted or deleted and then pressed into the personal service of a “lucky” finder who doesn’t feel inclined to turn the unit in to a lost and found department, yet does nothing malicious with the data.
Beyond that, there will be some percentage of units that are picked up, scrutinized for useful/marketable information and then either used, sold or discarded. The key is that the data is compromised, pressed into unintended service and potentially sold via one of the information-exchange mechanisms as a modern-day digital salvage of sorts.
Lastly, some number of units will be found by other customers/visitors/employees of hotels, airports, restaurants, malls, airlines, and so on that are then turned in to lost and found departments. These lost and found departments range from informal to formal operations and usually have a limit as to how long they will hold on to what is turned in. But what happens if the device and owner aren’t reunited?
At this point, one would hope that they either physically destroy the units or have a trusted party perform a secure wipe of the units before they are donated to charity, auctioned off, given to employees or whatever.
Using Google to search on the liability of lost and found groups yielded many interesting results. The recurring theme is that these groups expressly disclaim all liability. In short, they really aren’t required to do anything with the data on the devices. If some do make efforts to safeguard/destroy the data, then I certainly applaud their efforts on our behalf.
After spending several days researching, my findings are very simple. Once your data is out of your hands, it is out of your control. Don’t put unencrypted sensitive data on storage devices that can easily be misplaced or stolen. Assess the use of encryption on all portable devices to render the data useless if it falls into the wrong hands.
In the end, the party losing the data may feel very frustrated but in this litigious world, others may seek legal recourse to ascribe blame and seek restitution for damages for the loss. The latter situation is a risk that everyone wants to avoid.
It is interesting to note that under maritime salvage laws, the salvor (the person recovering the vessel) cannot deny the owner, or agents of the owner, access to the property to inspect or preserve it. However, the salvor can apply a maritime lien to recover salvage charges. I’m not saying that this applies to data storage devices for sure, but the potential intersection between the physical and digital worlds is interesting to ponder.