Brace yourself for an unpleasant revelation. A quick scroll through "A Chronology of Data Breaches" on the Privacy Rights Clearinghouse website reveals nearly as many midsized enterprises as large companies. Could your company be next?
In just the past 18 months, the San Diego-based privacy advocacy group reports that nearly 91 million data records of U.S. residents have been exposed to security breaches, as companies both large and small suffer the attentions of identity thieves, hackers and disgruntled employees.
The vast majority of these compromised records were stolen from machines that organizations were actively using. But even more data -- discarded and largely forgotten -- can be found languishing in storage cupboards and basements.
When you consider that a 1 gigabyte hard drive can store up to 75,000 electronic documents, the size of the problem can seem overwhelming. Research firm Gartner Inc. estimates that by 2010, consumers and businesses will have tried to dispose of around 512 million PCs worldwide.
In a separate survey of 300 clients at its IT Asset Management (ITAM) conference, Gartner found that more than 60% of respondents consider "managing data security and privacy risks" their No. 1 consideration in disposing of obsolete or surplus technology.
And so it should be. Several laws punishing data breaches call for fines in the range of $1,000 a record and clear the way for lawsuits. Add to this the cost of damage to a firm's reputation, which can drive customers to rival companies.
Among U.S. respondents who received security-breach notifications, 19% terminated their relationship with the offending company, according to a survey by the Ponemon Institute in Elk Rapids, Mich. Another 5% sought legal advice for possible lawsuits.
Yet despite escalating risk, a laissez-faire attitude toward the destruction of data lingers in companies of all sizes, says Gartner analyst Frances O'Brien. "It's shocking when you see what they do with this stuff," she says, citing examples of companies leaving discarded but operational machines in unlocked storerooms for workers to pick at for "spare parts." Others let their employees take machines home (only later to discover the drive being sold on eBay) or donate them to charity without scrubbing the disks clean. "No good deed goes unpunished," O'Brien quips.
Approximately 30% of the 300 respondents to Gartner's ITAM survey say that they disposed of PCs and servers via third parties. Around half that percentage simply left the machines in storage, while 13% sent them back to the vendor or lessor. More than 20% of companies gave their hardware to charity.
Running Down the Risks
For Corey Jenrich, IT manager at Community Bank in Pasadena, Calif., the specter of bad publicity and reputation loss loomed large should a laptop theft ever lead to data exposure. "If we have a breach, then we have to notify the affected customers and tell them that their data may be compromised," Jenrich says. "That's a huge reputation risk for us. It wasn't something that we could sit by and say, 'That's OK.'"
Jenrich opted for Lost Data Destruction from Beachhead Solutions Inc., which encrypts and eliminates all data on a lost or stolen laptop. He especially likes taking data encryption responsibilities from end users and giving them to administrators. "Beachhead looks at the extension of the file and says, 'I am going to encrypt you,' and [that process is] transparent to the end user. They have no idea it's happening."
Top-notch encryption is vital for financial institutions. If a laptop is stolen and a bank can prove that the data was encrypted, it nullifies the bank's obligation to notify customers, says Jenrich. To ensure that encrypted data doesn't end up in the wrong hands, Beachhead's pre-installed timer signals the software to overwrite the data (for example, in the event a machine fails to connect to the bank's network within a certain period of time). The bank has also revamped its disposal of PC hard drives as the machines are decommissioned.
For 10 years, the bank accumulated some 300 PCs until it ran out of space. It pulled the drives out of the machines and called on a disposal company to wipe them clean. Then the bank bought WipeDrive software from WhiteCanyon Inc., which it uses to scrub the hard drives as the machines are decommissioned.
Many CIOs are well versed in the data-handling requirements of federal laws such as the Financial Services Modernization Act (also known as Gramm-Leach-Bliley) and the Public Company Accounting Reform and Investor Protection Act (also known as Sarbanes-Oxley). Now the Fair and Accurate Credit Transaction Act (FACTA) requires firms to address how they handle data disposal.
FACTA requires "any person who maintains or otherwise possesses consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The law's reach is also quite broad, affecting anyone "who maintains or otherwise possesses consumer information for a business purpose."
Yet FACTA offers no specific recommendations on how companies should dispose of their data. The main test for data destruction policies is one of "reasonableness."
Most companies still believe a reasonable approach means simply formatting hard drives to get rid of old data, says O'Brien. "It's just ignorance," she adds. Disposal is often taken out of the hands of IT departments and left to operations.
Although Gartner recommends that midmarket companies use reputable third parties for data destruction, financial considerations often tempt companies to keep processes in-house. There is no shortage of options for companies that need to destroy data, including software wiping, degaussing (exposing the hard drive to a powerful magnetic field) and physical destruction.
"My biggest competitor is still the dumpster," says Angie Keating, co-founder of Reclamere, a data destruction company in Tyrone, Pa. Too many companies leave data destruction decisions to the wrong people, she says, such as environmental health and safety workers or technicians. "We have decisions being made by people who won't lose their jobs or suffer the consequences of a data breach if it's not done properly or the wrong method is chosen," Keating notes.
Company size bears little relation to a firm's savvy about destroying data, she adds. "We have globally known customers that have poor practices in-house. However, we have customers who are small and yet take security very seriously." They even want to come on site to watch the drives' destruction, she says.
One of Reclamere's customers is law firm Kirkpatrick & Lockhart Nicholson Graham, which built an audit trail into its contract for disposal of old data on 2,200 PCs from 10 law offices across the U.S. There was no need for the legal firm's staff to physically check on data destruction, says CIO Steve Agnoli, because the contract stipulated that Reclamere would be responsible for any compromised information.
"We wanted to ensure that when they did the data destruction, Reclamere could document the process for us so we would have a good record of what machines were sent where, when the data was destroyed, how it was destroyed, as well as see who certified the destruction," Agnoli says. Reclamere also transported the hardware from all 10 office locations. "It was a one-call deal," says the CIO.
Because the machines were only 3 or 4 years old, the law firm wanted to destroy the data but preserve the machines. And Agnoli didn't want the machines to end up in a landfill. So the firm sold many of them -- splitting the proceeds with Reclamere -- and donated many to charity. The PCs still had a lot of life in them, Agnoli notes.
Tracking the Chain of Control
As demand for such security solutions grows, new appliances are emerging. One example is the $9,000 Digital Shredder, part of the Dead on Demand product line from Ensconce Data Technology Inc. in Portsmouth, N.H. The Shredder, which began shipping to customers last month, claims to completely overwrite data in a single 45-minute pass. The product bypasses the operating system and the disk's BIOS protection to access the drive's secure-erase mode. Only the data is eradicated, leaving the disk for reuse.
One of the original testers of the Shredder was Mike Leclair, a computer crime detective with the Portsmouth Police Department in New Hampshire. He is impressed with the Shredder's data-wiping capabilities but worries about the product's usefulness to the "bad guys." Leclair has an unusual application in that he provides "forensic disks" for court cases. He has to testify that the drives are completely clean before he saves incriminating evidence to them.
"When I testify, I need to be able to say there was no pre-existing data on that hard drive before I place the evidence on it, so the argument won't be raised that what I am actually finding on the hard drive was something from another case," he explains. Before using the Shredder, it took him nearly a day to overwrite a drive and verify it so nothing could be recovered. Now it takes minutes, he says. Ensconce President Jack Thorsen says the Shredder appeals to firms that want control of sensitive data destruction. "They don't have to put their liability in somebody else's hands," he says.
Handing off this risk to third parties can backfire, as it did in a painfully public way for Idaho Power Co. The Boise-based utility, which serves 460,000 people in southern Idaho, discovered in May that when it outsourced the disposal of 230 disk drives to a data destruction company, some unscrubbed drives became available for sale on eBay. Idaho Power had to explain to Federal Trade Commission (FTC) regulators why reams of confidential data ended up on the Web.
Eventually all 230 disks were recovered, or their site of use was identified and their owners signed affidavits ensuring the disks have been completely cleaned, a company spokesman says. Idaho Power says it was not sued by the FTC or anyone else, and it has also changed its disposal policy to physical data destruction.
Still, Idaho Power's experience underscores the importance of auditing third-party providers, says O'Brien. One client discovered its provider wasn't doing what it was contracted to do. "It wasn't that they were being malicious; it was a simple human error," she says. The vendor became aware of its failure only when the client identified it, she adds.
Businesses can get help in finding reputable third-party disposal companies. The National Association for Information Destruction (NAID), which started out disposing of paper documents and microfilm, now certifies vendors that physically destroy disks and tape. By the end of this year, NAID will also certify firms that overwrite software.
Crushing the Problem
If organizations are worried about recycling their machines or disk drives, a physical assault on the hardware may be best. Disk drive destruction equipment isn't new, but it is becoming more portable, as with the Hard Drive Crusher from eDR Solutions in Greenville, S.C. The size of a cappuccino maker, the HDC spits out a chunk of recyclable aluminum at the end of a 45-second process.
One company that chose the Hard Drive Crusher was Goodwill Southern California (GSC), which operates 46 retail stores, 39 attended donation centers, three campuses and 18 workforce/training centers in the counties of Los Angeles. The organization was worried about liabilities associated with the information stored in thousands of PCs donated to the charity each month. Goodwill wanted an environmentally friendly solution that also guaranteed data destruction.
"We were looking for a solution that would physically destroy the hard drive and also that could be operated by a person with disabilities," explains Geraldo Castro, GSC's director of facilities and environmental services. Also beneficial is the fact that the HDC won't operate without the safety features being engaged.
Goodwill is also realizing benefits from computer recycling. It covers the cost of providing jobs for 30 people with disabilities within the Southern California operation, which generates more than $50 million in sales from all its activities. Its PC "de-manufacturing" line now recycles 30,000 pounds of hardware (roughly 6,500 PCs) a month, and plans are under way to hire 12 more people for a second line.
Castro says he is stepping up marketing to Southern California companies as well. Several large firms have sent many units to the charity. "We can issue a certificate of destruction that we will destroy any hard drive we get. That reassures our donors and encourages them to donate more," he notes.
The bad news for businesses is that the carefree days of simply jettisoning old PCs or "erasing" drives are long gone. The good news is the growing number of affordable disposal options available to midmarket companies.
John Sterlicchi is a freelance writer in Clearwater, Fla. Write to him at firstname.lastname@example.org.