I have a question about sample scenarios in consulting pen-testing with the typical littering the parking lot and public areas of the campus in the scope of the document. I could only assume some employee's might and could find those drives and instead of using them on the "scoped" target and security review take those drives home and their by put the Consultant pen-tester and the Company with the scope of work on the penetration tests.

Have colleagues come across this scenario and or have been brought into suit with employees of companies that later find out from an Email-blast or internal memorandum about the audit and lesson's learned.

I see it would be the due diligence for the consultant company to keep track / count / make model and serial numbers with custom malware for keylogging and persistence on systems but when and if that gets later discovered to have missing units and then having committed a crime under the computer fraud and abuse act.

I am very curious of this has happened, it bet this has happened and what are legal or SoW recommendations including additional run through with a Consultant's legal liability as well as your clients legal department assessing risk and damages.