Tracking the Chain of Control
As demand for such security solutions grows, new appliances are emerging. One example is the $9,000 Digital Shredder, part of the Dead on Demand product line from Ensconce Data Technology Inc. in Portsmouth, N.H. The Shredder, which began shipping to customers last month, claims to completely overwrite data in a single 45-minute pass. The product bypasses the operating system and the disk's BIOS protection to access the drive's secure-erase mode. Only the data is eradicated, leaving the disk for reuse.
One of the original testers of the Shredder was Mike Leclair, a computer crime detective with the Portsmouth Police Department in New Hampshire. He is impressed with the Shredder's data-wiping capabilities but worries about the product's usefulness to the "bad guys." Leclair has an unusual application in that he provides "forensic disks" for court cases. He has to testify that the drives are completely clean before he saves incriminating evidence to them.
"When I testify, I need to be able to say there was no pre-existing data on that hard drive before I place the evidence on it, so the argument won't be raised that what I am actually finding on the hard drive was something from another case," he explains. Before using the Shredder, it took him nearly a day to overwrite a drive and verify it so nothing could be recovered. Now it takes minutes, he says. Ensconce President Jack Thorsen says the Shredder appeals to firms that want control of sensitive data destruction. "They don't have to put their liability in somebody else's hands," he says.
Handing off this risk to third parties can backfire, as it did in a painfully public way for Idaho Power Co. The Boise-based utility, which serves 460,000 people in southern Idaho, discovered in May that when it outsourced the disposal of 230 disk drives to a data destruction company, some unscrubbed drives became available for sale on eBay. Idaho Power had to explain to Federal Trade Commission (FTC) regulators why reams of confidential data ended up on the Web.
Eventually, all 230 disks were either recovered or traced to their site of use, where the owners signed affidavits affirming that the disks had been completely cleaned, a company spokesman says. Idaho Power says it was not sued by the FTC or anyone else, and it has also changed its disposal policy to physical data destruction.
Still, Idaho Power's experience underscores the importance of auditing third-party providers, says O'Brien. One client discovered its provider wasn't doing what it was contracted to do. "It wasn't that they were being malicious; it was a simple human error," she says. The vendor became aware of its failure only when the client identified it, she adds.
Businesses can get help in finding reputable third-party disposal companies. The National Association for Information Destruction (NAID), which started out disposing of paper documents and microfilm, now certifies vendors that physically destroy disks and tape. By the end of this year, NAID will also certify firms that overwrite software.
This was first published in October 2006