Driving a Hard Bargain

One way corporations can mitigate the risks and manage the costs associated with hard drive destruction is by outsourcing the job to companies that specialize in this area.

As desktops, laptops and the network infrastructure that supports them have spread throughout the enterprise and into employee hotel rooms and homes, organizations have spent billions of dollars on firewalls, access control lists and authentication schemes to protect their corporate and customer information. Add PDAs, USB flash drives and speed-dial client lists on cellular phones to the mix, and the scramble to secure private data from unauthorized access has become increasingly critical.

It’s ironic that many organizations will spend millions of dollars to shred paper, yet have no documented process to remove the plethora of corporate data on their hard drives. The following article may help secure destruction professionals convince potential clients of the need for these services.

MISSTEPS TAKEN

Throughout the last several years, an increasing number of security issues surrounding data left on computers and servers that were sold into the secondary market has received wide media coverage.

For instance, one of the United States Veterans Administration medical centers donated and sold retired computers complete with hard drives full of sensitive medical and financial information, including the records of patients with AIDS and government credit card numbers.

Additionally, an auditor for the state of Florida found Social Security numbers, security system data and personal information on computers slated for disposal from eight departments within the state. The auditor concluded that the state could face legal exposure in light of improper data security procedures.

Finally, the University of Illinois Medical Center in Chicago threw its outdated computers in a trash bin behind its building. A citizen alerted a local TV station that retrieved the computers and discovered private patient data on the hard drives.

This is just a small sampling of the data breaches that have occurred. Hundreds of data security breaches on retired hard drives have been reported, a number exceeded only by the number of incidents that go unreported or undiscovered. A recent study by the Financial Times found that less than 25 percent of computers disposed of by companies have been properly sanitized of data.

CONSIDERING THE OPTIONS

Proliferation of Legislation

The increasing number of security breaches has been met with a rise in privacy legislation that creates an environment that makes it harder for data security breaches to go unreported. Insurance companies, financial institutions and medical organizations are all impacted by privacy legislation that requires them to have documented procedures that ensure proper hard drive sanitization to safeguard the confidentiality of their customer records. 

For insurance companies and medical organizations, data security issues surrounding electronic media are addressed in the HIPAA (Health Insurance Portability and Accountability Act) Security Rule. For financial institutions, the same issues are addressed in the Gramm-Leach-Bliley Act Safeguards Rule.

Not surprisingly, the state of California has enacted legislation that applies to all organizations. The Security Breach Notification Law stipulates that if an organization has a security breach and thinks a California customer’s data has been compromised, it must formally notify, by letter, all California customers who may have potentially had their private information breached. In practice, these consumers are also offered free credit report monitoring to ensure their identity has not been stolen or their credit compromised.

Then there’s the growing list of other federal and state privacy legislation including the Notification of Risk to Personal Data Act, the Federal Credit Reform Act and the Freedom of Information and the Protection of Privacy Act. Regardless of the industry, legislation puts organizations at risk for the improper management of private customer data.

And if one doesn’t find these laws of concern, the Supreme Court ruled in California v. Greenwood that there is no right to privacy in discarded materials. This means that if an organization does not handle data security properly on retired assets, the next owner of the hard drive has a legal right to all information remaining on the hard drive.

It’s imperative that organizations establish procedures to protect information remaining on computers that are being retired. Let’s talk about what not to do when trying to manage the data security risks associated with IT asset disposition.

Next to not sanitizing a hard drive at all, simply deleting confidential files is the least secure approach. A deleted file is not really gone; only the information that points to the exact location of the file on the hard drive is removed.

Reformatting a drive essentially removes all of the information that points directly to every file’s location, primarily the root directory and the file allocation table. A reformat overwrites less than 0.1 percent of a hard drive…0.1 percent! Virtually all files and data can be recovered using off-the-shelf file recovery software.
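The difference between removing pointers and removing data can be checked on a toy disk model. The following is an added example, not part of the original article: the sector counts, the `0xAA` metadata filler and the sample record are constructed assumptions, and the audit reports how many sectors each operation changes and how many still hold records afterward.

```python
SECTOR = 512
META_SECTORS = 4        # assumed size: root directory + file allocation table
DATA_SECTORS = 4096     # assumed size: file contents
RECORD = b"SSN=000-00-0000;"   # constructed 16-byte sample record
MARKER = b"SSN="

def make_disk() -> bytearray:
    meta = b"\xAA" * (META_SECTORS * SECTOR)   # stand-in for file pointers
    data = RECORD * (DATA_SECTORS * SECTOR // len(RECORD))
    return bytearray(meta + data)

def delete_file(disk: bytearray) -> bytearray:
    out = bytearray(disk)
    out[0:32] = bytes(32)                      # clear one directory entry only
    return out

def reformat(disk: bytearray) -> bytearray:
    out = bytearray(disk)
    out[:META_SECTORS * SECTOR] = bytes(META_SECTORS * SECTOR)  # reset pointers
    return out

def overwrite(disk: bytearray) -> bytearray:
    return bytearray(len(disk))                # every sector rewritten with zeros

def sectors(disk: bytearray) -> list:
    return [bytes(disk[i:i + SECTOR]) for i in range(0, len(disk), SECTOR)]

def fraction_changed(before: bytearray, after: bytearray) -> float:
    pairs = list(zip(sectors(before), sectors(after)))
    return sum(a != b for a, b in pairs) / len(pairs)

def residual_sectors(disk: bytearray, marker: bytes = MARKER) -> int:
    # Sanitization check: count sectors that still contain customer records.
    return sum(marker in s for s in sectors(disk))

def audit() -> dict:
    original = make_disk()
    results = {}
    for name, op in (("delete", delete_file), ("reformat", reformat),
                     ("overwrite", overwrite)):
        after = op(original)
        results[name] = (fraction_changed(original, after),
                         residual_sectors(after))
    return results

if __name__ == "__main__":
    for name, (changed, left) in audit().items():
        print(f"{name:9s} changed {changed:.4%} of sectors; "
              f"{left} sectors still hold records")
```

With these assumed sizes the reformat touches 4 of 4,100 sectors, under 0.1 percent, and leaves every data sector intact; only the full overwrite passes the residual check.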

Determining the best practice to protect an organization from the inherent data security risks associated with IT asset disposition turns out to be a slightly more complicated task than it seems, because the "best"—that is, the most secure—approaches to data security are generally considered cost prohibitive by most organizations.

On-site total hard drive destruction is the most secure method to prevent potential data security breaches. Of course, the cost of on-site destruction may be prohibitively expensive for organizations that need to have shredding devices at every corporate location, as a reasonable hard drive shredder can run about $5,000.

The drives can be transported to centralized locations equipped with data shredding devices, but hard drive or tape transport is the weak link in the IT asset disposition process, as Time Warner might be quick to verify. The company lost 40 backup tapes while in transit to an off-site data protection and electronic vaulting company’s location.

On-site hard drive sanitization and degaussing is another part of the data migration and hardware de-installation process. However, most organizations opt to de-install hardware as one process, placing the assets in storage or staging areas prior to sanitization because of potential problems with data migration. This two-step process increases costs substantially.

Hard drives in non-working assets need to be degaussed and cannot be sanitized using software methods. However, equipping each corporate location with a degausser could prove expensive. Degaussers can cost as much as $1,400 each, excluding the cost of labor to operate the equipment.

OUTSOURCING THE JOB

A safe and affordable approach when decommissioning IT assets is the combination of data encryption and outsourced disposition.

Data encryption makes it virtually impossible to recover information from a hard drive. Encryption involves the use of a key that must be known by the user to access information on a particular hard drive. Some data encryption tools also provide for pre-boot authentication passwords. In short, these tools ensure that data cannot be accessed from retired hard drives except by the most sophisticated methods, such as those employed by high-level law enforcement organizations like the FBI and CIA.

Used in conjunction with data encryption, outsourced IT asset disposition offers the most value to organizations that are focused upon data security and retired IT assets. Because data is encrypted as an enterprise strategy, an outsourced IT asset disposition services provider can perform all the other necessary services to minimize the cost and maximize the financial return from an IT asset disposition program. Data encryption mitigates the data security risk when assets are transported to the IT asset disposition provider and ensures that potential data security breaches are virtually eliminated.

Experienced IT asset disposition services providers not only sanitize hard drives, they also provide a full range of reuse and recycling services, including: inventory management; asset testing and configuration capture; asset tag capture; reuse of assets with value; establishment of an audit trail for the disposition of every asset; environmental and data security liability indemnification; and serialized settlement reporting.

The combination of data encryption and outsourced IT asset disposition can be an ideal data security solution and offers cost savings to an organization. This solution provides for the lowest total cost of ownership because in many cases the financial return from the sale of used IT assets into the secondary market more than offsets the cost of data encryption and information technology disposition services.

A small investment in hard drive data security can save an organization millions of dollars in loss of brand equity and the less tangible cost associated with damage to its reputation if a security breach occurs. A $30 investment to properly handle the disposition of a PC or laptop—addressing security concerns and also ensuring proper environmental recycling—will seem minuscule compared to the damage resulting from a headline telling of a security breach.

The authors are Stampp Corbin, chief strategic officer of Intechra, an information asset disposition company based in Carrollton, Texas, and Intechra consultant Mary Couse.

February 2006