Avoid Data Disposal Nightmares
by Chris Rodinis
April 2nd, 2012
blog.ewastewiz.com
www.computerworld.com
Just crushing and shredding an end of life hard drive isn’t enough. Having an annual corporate IT spring cleaning is not an effective data life-cycle management strategy. Whatever means chosen to destroy the data is of paramount importance. Merely pulverizing the drive can put corporations at risk of data theft because the remaining fragments may not be small enough and secure data may still be extracted. NAID research indicates that 300 pages of secure data could be extracted from a single one inch slice of demolished hard drive remanence.
Consider the following corporate tales as cautionary.
Losing confidential data happens more frequently than you might think. Universities in the UK annual survey has brought to light the issue of IT pro’s disposing hard drives without proper data destruction.
As we diligently guard our data in the front of the house, what ends up happening is that some or a lot of it can inadvertently leak out the back. Another recent study of a few hundred hard drives from around the globe has become a short list of failures to secure data.
Even after all the publicity that data disposal errors have gained not much is different. These episodes about the loss of secure data by companies are making headlines with greater frequency. Which reminds everyone to be diligent and destroy data per NAID guidelines.
From a recent police inquiry, about 100 disposed hard drives from random sources were found with a high (75%) rate of re-marketability. From that percentage, about 60% still had personal and secure data residing on them.
More research on disposed hard drives produced figures stating about 50% of drives contained secure data to such a degree that identities could have been fraudulently used.
Considering the amount of daily stored secure data, which keeps increasing, and drive space which continues to increase, the odds are that eventually some secure data will end up in criminal activity.
Laws Govern Destruction of Secure Data
Just as their are laws governing the disposal of computers, there are laws governing the destruction of secure data. Merely using the delete button will not render the drive clean.
Encryption while the drive is active is recommended, and when at end of life disk wiping and physical destruction is the standard for the National Institute of Standards and Measurements.
The latest move by the New Jersey legislature is a big step forward in secure data destruction. The first standard is requiring a verifiable chain of custody for hard drives containing secure data. As the equipment is slated as surplus it will tracked according to various possible destinies such as reuse or re-marketing to charities, schools, the state, or the public. Re-use is the top priority.
Before the drive can be destroyed, now by law, a rigorous data wipe is required and most likely all recyclers involved in e-waste will require an NAID certification. Certification means that the drive must be sanitized beyond the point forensic recovery or physically destroyed by approved means.
Here are some excerpts from a data disposal nightmare……The good old NYC Health and Hospitals was finally getting to move into a new facility when disaster struck………..as computers were being transported the company van was left unlocked and guess what…….secure data hard drives were stolen……..that is why using a recycling company which does continuous video surveillance and RFID/GPS tracking is recommended…so far for this incident, the police have been notified, the driver has been fired, and victims get a free year of credit/fraud monitoring and resolution. Of course the third party vendor contract has been cancelled and the vendor is being sued so NYC Health and Hospitals can recoup the cost of damages.
If there ever was an incentive to do correct data destruction, that would be to follow the money. The money always talks and what is being said here is that lack of proper data destruction is very costly and the cost is rising. These costs are increasing annually and now are in the many millions of dollars.
The average cost per individual breach is approximately $220 dollars each. Companies have spent many millions in total per each breach of secure data. To further discuss secure data destruction you are welcome to contact www.EwasteWiz.com