Yet FACTA offers no specific recommendations on how companies should dispose of their data. The main test for data destruction policies is one of "reasonableness."
Most companies still believe a reasonable approach means simply formatting hard drives to get rid of old data, says O'Brien. "It's just ignorance," she adds. Disposal is often taken out of the hands of IT departments and left to operations.
Although Gartner recommends that midmarket companies use reputable third parties for data destruction, financial considerations often tempt companies to keep processes in-house. There is no shortage of options for companies that need to destroy data, including software wiping, degaussing (exposing the hard drive to a powerful magnetic field) and physical destruction.
"My biggest competitor is still the dumpster," says Angie Keating, co-founder of Reclamere, a data destruction company in Tyrone, Pa. Too many companies leave data destruction decisions to the wrong people, she says, such as environmental health and safety workers or technicians. "We have decisions being made by people who won't lose their jobs or suffer the consequences of a data breach if it's not done properly or the wrong method is chosen," Keating notes.
Company size bears little relation to a firm's savvy about destroying data, she adds. "We have globally known customers that have poor practices in-house. However, we have customers who are small and yet take security very seriously." They even want to come on site to watch the drives' destruction, she says.
One of Reclamere's customers is law firm Kirkpatrick & Lockhart Nicholson Graham, which built an audit trail into its contract for disposal of old data on 2,200 PCs from 10 law offices across the U.S. There was no need for the legal firm's staff to physically check on data destruction, says CIO Steve Agnoli, because the contract stipulated that Reclamere would be responsible for any compromised information.
"We wanted to ensure that when they did the data destruction, Reclamere could document the process for us so we would have a good record of what machines were sent where, when the data was destroyed, how it was destroyed, as well as see who certified the destruction," Agnoli says. Reclamere also transported the hardware from all 10 office locations. "It was a one-call deal," says the CIO.
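The audit trail Agnoli describes (which machine, where it came from, when and how the data was destroyed, and who certified it) pairs naturally with the "software wiping" option mentioned earlier, because a wipe can be verified by reading the media back before the record is signed off. The following is an added example, not code from the article or from Reclamere, and it assumes constructed in-memory images in place of real drives; the asset tags, site names and certifier are hypothetical placeholders.

```python
"""Verify a software wipe by reading the media back, then emit a per-machine audit record."""
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK_SIZE = 1 << 20  # read the image 1 MiB at a time


def scan_for_residual_data(stream, chunk_size=CHUNK_SIZE):
    """Read a wiped image from start to end.

    Returns (bytes_inspected, residual_offsets): the total number of bytes read
    and the absolute offset of the first non-zero byte in every chunk that still
    holds data. An empty list means the whole image read back as zeros.
    """
    offset = 0
    residual_offsets = []
    while True:
        chunk = stream.read(chunk_size)
        if not chunk:
            break
        if chunk.count(0) != len(chunk):  # at least one non-zero byte survived
            first_nonzero = len(chunk) - len(chunk.lstrip(b"\x00"))
            residual_offsets.append(offset + first_nonzero)
        offset += len(chunk)
    return offset, residual_offsets


def destruction_record(asset_tag, source_site, method, certified_by, stream):
    """Build the audit entry: which machine, from where, how the data was
    destroyed, when, who certified it, and whether read-back verification passed."""
    bytes_inspected, residual_offsets = scan_for_residual_data(stream)
    return {
        "asset_tag": asset_tag,
        "source_site": source_site,
        "method": method,
        "destroyed_at_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
        "bytes_inspected": bytes_inspected,
        "verified_clean": not residual_offsets,
        # a bounded sample keeps a failed verification actionable without bloating the log
        "residual_offsets_sample": residual_offsets[:8],
        "certified_by": certified_by,
    }


def record_digest(record):
    """SHA-256 over the canonical JSON form; kept alongside the record so that
    later edits to the audit trail are detectable."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


# Constructed sample images standing in for the read-back of two wiped drives.
CLEAN_IMAGE = bytes(3 * 1024 * 1024)                 # 3 MiB of zeros: the wipe held
DIRTY_IMAGE = bytearray(3 * 1024 * 1024)
DIRTY_IMAGE[2_500_000:2_500_012] = b"ACCOUNT-1234"   # leftover bytes in the third MiB


def verify_sample_images():
    """Run both constructed images through the verifier; hypothetical asset tags and certifier."""
    clean = destruction_record("ASSET-0001", "office-03", "software wipe (zero fill)",
                               "J. Doe (hypothetical certifier)", io.BytesIO(CLEAN_IMAGE))
    dirty = destruction_record("ASSET-0002", "office-07", "software wipe (zero fill)",
                               "J. Doe (hypothetical certifier)", io.BytesIO(bytes(DIRTY_IMAGE)))
    return clean, dirty


if __name__ == "__main__":
    for rec in verify_sample_images():
        print(json.dumps(rec, indent=2))
        print("digest:", record_digest(rec))
```

A zero read-back only confirms that the overwrite reached every addressable sector; it says nothing about sectors the drive has remapped or, on solid-state media, over-provisioned areas the host cannot address, which is one reason degaussing and physical destruction remain in the toolbox alongside software wiping.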
Because the machines were only 3 or 4 years old, the law firm wanted to destroy the data but preserve the machines. And Agnoli didn't want the machines to end up in a landfill. So the firm sold many of them -- splitting the proceeds with Reclamere -- and donated others to charity. The PCs still had a lot of life in them, Agnoli notes.
This was first published in October 2006