A developer at a software company orders a small network-attached storage (NAS) device using a personal credit card, bypasses the procurement process, and connects it directly to the office network to share files with their team. The device is never registered in the asset tracking system.
Six months later, the NAS manufacturer releases a critical security patch for a remote code execution vulnerability in the device's web interface. The IT security team runs their monthly patch status report against the asset inventory — the NAS does not appear because it was never tracked. The patch is not applied. Three months after the patch release, an attacker scanning the organization's IP range finds the unpatched NAS, exploits the vulnerability, and uses the device as a pivot point to access internal file shares.
Post-incident investigation finds the root cause: the device was never in the asset inventory, so it was never in scope for vulnerability scanning, never assessed for firmware updates, and never monitored for anomalous network activity. The procurement bypass that seemed like a small convenience created a blind spot that persisted for nine months.
A healthcare organization decommissions 200 laptops. The IT team uses their degausser, which has successfully sanitized hundreds of HDDs over the years, to process all 200 drives. The drives come out of the degausser and are donated to a local school. The IT manager documents "degaussed" in the asset disposition records and considers the process complete.
One year later, a student at the receiving school plugs one of the donated laptops into a monitor and finds that it boots normally. The student navigates to the Documents folder and finds patient records from the healthcare organization — names, addresses, diagnoses, and insurance information. The student notifies the school, which notifies local media.
Investigation reveals the 200 laptops all contained solid-state drives. The degausser — which works by generating a strong electromagnetic field to destroy magnetic storage patterns — had no effect whatsoever on the SSDs. Flash memory stores data as electrical charge, not as magnetic patterns. The drives were returned from the degausser in exactly the same state they went in: fully functional, with all data intact. The entire "sanitization" process accomplished nothing.
A financial services firm retires 800 servers over two years. They contract with a certified media destruction vendor to shred all drives. The vendor provides a certificate of destruction for each batch: serial numbers, shredding date, facility location, and the vendor manager's signature.
Two years after the last retirement batch, a journalist reports that a used hardware reseller has been selling server drives containing financial data, including drives from several major corporations. Investigators trace some of the drives to the financial firm's asset inventory by serial number. The financial firm's legal team produces the certificates of destruction for every drive — including the three serial numbers the investigator found at the reseller. The certificates show those drives were shredded on specific dates, in a specific facility, before the reseller ever had them.
Conclusion: the drives at the reseller were not from this firm. The certificate of destruction provides incontrovertible evidence that the firm's specific drives were destroyed. The firm's legal exposure — and the potential FINRA investigation — is eliminated by the paper trail. Without the serial-number-matched certificates, the firm would have faced a lengthy investigation and potential regulatory action despite having done everything correctly.
A technology company is sued by a former employee alleging discrimination. The company's legal team issues a litigation hold notice: all email communications involving the relevant department, time period, and personnel must be preserved and must not be deleted for the duration of the litigation.
The company's email retention policy is 90 days — emails older than 90 days are automatically purged from the server. IT receives the litigation hold notice but the automated deletion job is not paused for the affected accounts. Three months into the litigation, discovery requests arrive for emails from 18 months ago. The emails are gone — purged under the normal 90-day policy after the hold was issued but before the deletions were suspended.
The court finds that the company failed to preserve evidence despite having a legal obligation to do so. This constitutes spoliation of evidence. The judge issues an adverse inference instruction to the jury: the jury may conclude that the missing emails contained evidence unfavorable to the company. What began as a discrimination lawsuit now has a procedural finding against the company that significantly strengthens the plaintiff's position.
A sales executive's laptop is stolen from a hotel room during a conference. The theft is reported to IT, which immediately triggers the MDM remote wipe for the corporate data partition. IT also notes that the laptop has an asset tag: a barcode sticker with the company name, a visible tracking number, and the phrase "PROPERTY OF [COMPANY] — REWARD FOR RETURN."
Three weeks later, local police contact the company. The laptop appeared at a pawn shop; the pawn broker photographed the serial number and asset tag during intake as part of their stolen property verification process. The tag number matched a police database entry from the theft report. The pawn shop holds the laptop, police recover it, and the company reclaims the physical device.
IT confirms the MDM wipe completed successfully within hours of the theft report, so corporate data was protected regardless of recovery. But the asset tag enabled physical recovery of the $1,800 laptop and provided evidence of the theft for the insurance claim. The theft deterrent value was also demonstrated: the pawn broker reported the suspicious device precisely because the prominent organizational tag made it obvious the device was not the seller's personal property.