Brace yourself for an unpleasant revelation. A quick scroll through "A Chronology of Data Breaches" on the Privacy Rights Clearinghouse website reveals nearly as many midsized enterprises as large companies. Could your company be next?
In just the past 18 months, the San Diego-based privacy advocacy group reports that nearly 91 million data records of U.S. residents have been exposed to security breaches, as companies both large and small suffer the attentions of identity thieves, hackers and disgruntled employees.
The vast majority of these compromised records were stolen from machines that organizations were actively using. But even more data -- discarded and largely forgotten -- can be found languishing in storage cupboards and basements.
When you consider that a 1-gigabyte hard drive can store up to 75,000 electronic documents, the size of the problem can seem overwhelming. Research firm Gartner Inc. estimates that by 2010, consumers and businesses will have tried to dispose of around 512 million PCs worldwide.
In a separate survey of 300 clients at its IT Asset Management (ITAM) conference, Gartner found that more than 60% of respondents consider "managing data security and privacy risks" their No. 1 consideration in disposing of obsolete or surplus technology.
And so it should be. Several laws punishing data breaches call for fines in the range of $1,000 a record and clear the way for lawsuits. Add to this the cost of damage to a firm's reputation, which can drive customers to rival companies.
Among U.S. respondents who received security-breach notifications, 19% terminated their relationship with the offending company, according to a survey by the Ponemon Institute in Elk Rapids, Mich. Another 5% sought legal advice for possible lawsuits.
Yet despite escalating risk, a laissez-faire attitude toward the destruction of data lingers in companies of all sizes, says Gartner analyst Frances O'Brien. "It's shocking when you see what they do with this stuff," she says, citing examples of companies leaving discarded but operational machines in unlocked storerooms for workers to pick at for "spare parts." Others let their employees take machines home (only later to discover the drive being sold on eBay) or donate them to charity without scrubbing the disks clean. "No good deed goes unpunished," O'Brien quips.
Approximately 30% of the 300 respondents to Gartner's ITAM survey say that they disposed of PCs and servers via third parties. Around half that percentage simply left the machines in storage, while 13% sent them back to the vendor or lessor. More than 20% of companies gave their hardware to charity.
This was first published in October 2006