Do you know where your company's most sensitive data is right now? Would you be surprised to find it on a laptop listed on eBay, or sitting on a used hard drive for sale at a local PC shop?
If your organization is like many that lack formal IT asset disposal policies, chances are there may be old hardware out there with your company's name on it -- as well as its financial reports, customer lists, payroll data and every other secret imaginable.
While organizations have been worried about database hackers and laptop thieves for years, the potential nightmare of data theft from discarded equipment is just as real.
Last July, Fresh Express, which grows and packages salads for groceries, realized it needed a more documented process for retiring its IT assets. The old way was to let individual employees handle the reformatting of drives, or, in the case of servers, IT would physically destroy the drive with a hammer.
"It was ad hoc, with no accountability. That put us at risk," explained Marven Smith, systems analyst for the Grand Prairie, Texas-based subsidiary of Chiquita Brands International Inc.
He hired Retire-IT LLC, a Columbus, Ohio-based technology equipment disposal firm that retrieves, transports and disposes of legacy enterprise equipment, even offering detailed audit trails for corporate records.
"They give me a serialized inventory of everything and guarantee that all data is destroyed," Smith said.
According to a November 2005 Gartner Inc. survey, nearly 80% of companies said that managing data security and privacy risks was "very important" or "most important" when disposing of obsolete hardware. Yet 30% admitted they had no policy for ensuring the security of used equipment.
Frances O'Brien, research vice president at Stamford, Conn.-based Gartner, said that despite the increased concern, there is still a vast amount of used hardware out there with recoverable corporate data on it. She points to a 2003 study conducted by Massachusetts Institute of Technology students on 158 disk drives bought from auction sites, PC retailers and salvage companies. It found that 74% of the drives contained recoverable data -- including company financials, credit card numbers, medical records, sensitive e-mails and pornography.
That kind of data, in the wrong hands, can be used to commit identity theft, fraud, blackmail and corporate espionage. It can also trigger lawsuits and fines for breaking state and federal laws aimed at protecting consumer and employee data, including the Fair and Accurate Credit Transactions Act of 2003, the Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).
It was HIPAA that spurred Kaiser Permanente, an Oakland, Calif.-based health insurance provider, to institute formal procedures for handling the tens of thousands of IT assets it disposes of each year. KP employs Redemtech Inc., an IT disposal and reseller based in Columbus, Ohio, to collect and sanitize old equipment. Prior to transport, Redemtech "locks" hard drives with a software utility. At the end of the process, it gives KP a list of the equipment with serial numbers and proof of data erasure.
"This process protects us against legal liability," explained N'Dombele Nkunku, finance lead for IT asset management for KP.
Such an audit trail helps ensure an organization gets what it pays for, O'Brien said, adding, "Some may charge you for it but not do it. They'll resell your equipment with your data on it."
Or they may be plain sloppy. O'Brien said a single reformat, for instance, isn't sufficient to make hard drive data unrecoverable; three to seven rewrites of a drive are usually sufficient. Degaussing, using a magnetic field, destroys data, but can also fry the electronics.
Plus, the more rewrites, the higher the price. O'Brien puts the average cost at $17 to $22 per PC, though allowing the provider to resell equipment can merit a discount.
Make sure to spot-check the work, she said. Compare serial numbers from your inventory with their audit report, for instance, or test a random drive to see if it's really empty. Nkunku said Kaiser Permanente pays unannounced inspection visits to Redemtech's facilities.
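Why a reformat is not a wipe, and what a spot-check of a returned drive actually looks for, is easier to see on a drive you can hold in memory. The script below is an added example written for this article, not code from any of the vendors or companies mentioned. It builds a small simulated disk with an invented filesystem header, an allocation table and three constructed "files" of sensitive-looking text (all values are made up); `quick_format` models a reformat that rewrites only the metadata blocks; `overwrite` rewrites every block the requested number of times and finishes with a zero pass; `carve` is a crude stand-in for a forensic recovery tool that ignores the filesystem and searches the raw bytes; and `nonzero_blocks` is the spot-check that asks whether a "clean" drive really is empty. The pass count is a parameter, to be set by whatever policy your organization and vendor agree on.

```python
"""Simulated drive: reformat vs. overwrite, with a carving pass and a spot-check.

Everything here is constructed for illustration; the filesystem layout is
invented and the "sensitive" strings are fake sample data.
"""
import os
import re

BLOCK = 512
DISK_BLOCKS = 2048        # 1 MiB simulated drive
DATA_START = 8            # blocks 0..7 hold filesystem metadata (assumed layout)

# Constructed sample file contents; not real account, payroll or patient data.
SENSITIVE = [
    b"ACCT 4111-1111-1111-1111 HOLDER J. SMITH",
    b"PAYROLL Q3 TOTAL 1204556.00 APPROVED CFO",
    b"PATIENT 00917 DX CODE E11.9 INSULIN",
]

CARD_RE = re.compile(rb"\d{4}-\d{4}-\d{4}-\d{4}")   # card-number shaped tokens
TEXT_RE = re.compile(rb"[ -~]{12,}")                # runs of 12+ printable ASCII bytes


def make_disk():
    """Lay out a header, a tiny allocation table and the sample files."""
    disk = bytearray(DISK_BLOCKS * BLOCK)
    disk[0:8] = b"FAKEFS01"                        # invented filesystem signature
    for i, payload in enumerate(SENSITIVE):
        blk = DATA_START + 100 + i * 500           # blocks 108, 608, 1108
        off = blk * BLOCK
        disk[off:off + len(payload)] = payload
        # allocation table in block 1: one 4-byte block pointer per file
        disk[BLOCK + i * 4:BLOCK + i * 4 + 4] = blk.to_bytes(4, "little")
    return disk


def quick_format(disk):
    """Models a reformat: only the metadata blocks are rewritten; data blocks are untouched."""
    disk[0:DATA_START * BLOCK] = bytes(DATA_START * BLOCK)
    disk[0:8] = b"FAKEFS01"


def overwrite(disk, passes=3):
    """Rewrite every block `passes` times: random data, then a final zero pass.

    The zero pass is what lets a later spot-check confirm the drive is empty.
    """
    for p in range(passes):
        last = p == passes - 1
        for b in range(DISK_BLOCKS):
            disk[b * BLOCK:(b + 1) * BLOCK] = bytes(BLOCK) if last else os.urandom(BLOCK)


def carve(disk):
    """Crude carving: ignore the filesystem entirely and pattern-match the raw bytes."""
    raw = bytes(disk)
    found = {m.group() for m in CARD_RE.finditer(raw)}
    found |= {m.group() for m in TEXT_RE.finditer(raw)}
    return sorted(found)


def nonzero_blocks(disk):
    """Spot-check: list every block that still holds anything but zeros."""
    return [b for b in range(DISK_BLOCKS) if any(disk[b * BLOCK:(b + 1) * BLOCK])]


if __name__ == "__main__":
    d = make_disk()
    quick_format(d)
    print("after reformat, carving recovers:", carve(d))
    print("after reformat, non-zero blocks:", nonzero_blocks(d))
    overwrite(d, passes=3)
    print("after overwrite, carving recovers:", carve(d))
    print("after overwrite, non-zero blocks:", nonzero_blocks(d))
```

On a real drive the spot-check is the same idea at scale: read the device block-by-block (or a large random sample of it) and treat any non-zero block, or any hit from a carving tool, as evidence the vendor's "proof of erasure" is not worth the paper it came on.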
Don't forget to check who is actually doing the work. "There have actually been some vendors that have partnered with prison systems to dismantle equipment," O'Brien noted. "Do you really want a convicted felon having access to your data?"
Though managing the disposal process may take some effort, experts agree that ensuring that all old systems undergo a thorough and documented data sanitization will be increasingly necessary for organizations that want to avoid being sued, robbed, fined or just plain embarrassed.
"This should be a common business practice anytime you dispose of equipment with data," Smith said. "You don't want to be the next data theft story on the news that night."
Sue Hildreth is a freelance IT writer based in Waltham, Mass. She can be reached at Sue.Hildreth@Comcast.net.