Where hard drives go to die, or do they?

By Sue Hildreth, Contributor
04 May 2006 | SearchSecurity.com


Do you know where your company's most sensitive data is right now? Would you be surprised to find it on a laptop listed on eBay, or sitting on a used hard drive for sale at a local PC shop?

If your organization is like many that lack formal IT asset disposal policies, chances are there may be old hardware out there with your company's name on it -- as well as its financial reports, customer lists, payroll data and every other secret imaginable.

While organizations have been worried about database hackers and laptop thieves for years, the potential nightmare of data theft from discarded equipment is just as real.

Last July, Fresh Express, which grows and packages salads for grocery stores, realized it needed a more documented process for retiring its IT assets. The old way was to let individual employees handle the reformatting of drives, or, in the case of servers, IT would physically destroy the drive with a hammer.

"It was ad hoc, with no accountability. That put us at risk," explained Marven Smith, systems analyst for the Grand Prairie, Texas-based subsidiary of Chiquita Brands International Inc.

He hired Retire-IT LLC, a Columbus, Ohio-based technology equipment disposal firm that retrieves, transports and disposes of legacy enterprise equipment, even offering detailed audit trails for corporate records.

"They give me a serialized inventory of everything and guarantee that all data is destroyed," Smith said.

According to a November 2005 Gartner Inc. survey, nearly 80% of companies said that "managing data security and privacy risks" were very important or most important when disposing of obsolete hardware. Yet 30% admitted they had no policy for ensuring the security of used equipment.

Frances O'Brien, research vice president at Stamford, Conn.-based Gartner, said that despite the increased concern, there is still a vast amount of used hardware out there with recoverable corporate data on it. She points to a 2003 study conducted by Massachusetts Institute of Technology students on 158 disk drives bought from auction sites, PC retailers and salvage companies. It found that 74% of the drives contained recoverable data -- including company financials, credit card numbers, medical records, sensitive e-mails and pornography.

That kind of data, in the wrong hands, can be used to commit identity theft, fraud, blackmail, and corporate espionage. It can also trigger lawsuits and fines for breaking state and federal laws aimed at protecting consumer and employee data, including the Fair and Credit Transaction Act of 2003, Gramm-Leach-Bliley Act and the Health Insurance Portability and Accountability Act (HIPAA).

It was HIPAA that spurred Kaiser Permanente, an Oakland, Calif.-based health insurance provider, to institute formal procedures for handling the tens of thousands of IT assets it disposes of each year. KP employs Redemtech Inc., an IT disposal and reseller based in Columbus, Ohio, to collect and sanitize old equipment. Prior to transport, Redemtech "locks" hard drives with a software utility. At the end of the process, it gives KP a list of the equipment with serial numbers and proof of data erasure.

"This process protects us against legal liability," explained N'Dombele Nkunku, finance lead for IT asset management for KP.


Such an audit trail helps ensure an organization gets what it pays for, O'Brien said, adding, "Some may charge you for it but not do it. They'll resell your equipment with your data on it."

Or they may be plain sloppy. O'Brien said a single reformat, for instance, isn't sufficient to make hard drive data unrecoverable -- three to seven re-writes of a drive are usually sufficient. Degaussing, using a magnetic field, destroys data, but can also fry the electronics.

Plus, the more rewrites, the higher the price. O'Brien puts the average cost at $17 to $22 per PC, though allowing the provider to resell equipment can merit a discount.

Make sure to spot-check the work, she said. Compare serial numbers from your inventory with their audit report, for instance, or test a random drive to see if it's really empty. Nkunku said Kaiser Permanente pays unannounced inspection visits to Redemtech's facilities.
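The two checks recommended above (reconcile serial numbers against the vendor's audit report, and test a random drive to confirm it is really empty), together with the distinction between a reformat and actually re-writing the drive, can be automated. The following is an added example written for this article, not code from SearchSecurity.com, Retire-IT, Redemtech or any vendor named here. The inventory and audit-report CSVs are constructed samples, and the "drive" is a temporary file standing in for a block device; on a real retired drive you would point the same spot check at the raw device (e.g. `/dev/sdX`, read-only) rather than a file.

```python
"""Added example: reconcile a disposal vendor's audit report against the
internal asset inventory, and spot-check a retired drive for residual data.
All inputs are constructed inline; file paths are stand-ins for real devices."""
import csv
import io
import os
import random
import tempfile

# Constructed inventory of drives handed to the vendor (serial, asset tag).
INVENTORY_CSV = """serial,asset_tag
WD-0001,PC-100
WD-0002,PC-101
WD-0003,PC-102
ST-0004,SRV-01
"""

# Constructed vendor audit report: one shipped serial is missing from it,
# and it certifies one serial we never shipped.
AUDIT_CSV = """serial,method,certified
WD-0001,overwrite-3pass,yes
WD-0002,overwrite-3pass,yes
ST-0004,overwrite-7pass,yes
XX-9999,overwrite-3pass,yes
"""


def load_serials(csv_text):
    """Return the set of serial numbers from CSV text with a 'serial' column."""
    return {row["serial"].strip() for row in csv.DictReader(io.StringIO(csv_text))}


def reconcile(inventory_csv, audit_csv):
    """Compare what we shipped with what the vendor certified.
    Returns (missing, unexpected): serials we shipped that were never
    certified, and serials certified that we never shipped."""
    shipped = load_serials(inventory_csv)
    certified = load_serials(audit_csv)
    return sorted(shipped - certified), sorted(certified - shipped)


def overwrite_passes(path, passes=3, block_size=4096):
    """Overwrite every byte of the file at `path` `passes` times: random data
    on all but the last pass, zeros on the last. This is what 're-writing' a
    drive means; a reformat only rewrites filesystem metadata and leaves the
    data blocks in place."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for p in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(block_size, remaining)
                f.write(bytes(n) if p == passes - 1 else os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())


def spot_check_wiped(path, samples=64, block_size=4096, seed=None):
    """Read `samples` blocks at random offsets and report whether every
    sampled byte is zero. Returns (is_clean, first_dirty_offset).
    A clean sample is evidence, not proof: it cannot see blocks it did not read."""
    size = os.path.getsize(path)
    rng = random.Random(seed)
    with open(path, "rb") as f:
        for _ in range(samples):
            offset = rng.randrange(0, max(1, size - block_size + 1))
            f.seek(offset)
            block = f.read(block_size)
            if any(block):          # any non-zero byte means residual data
                return False, offset
    return True, None


def demo():
    """Build a fake 1 MiB 'drive' full of a recognisable constructed secret,
    show the spot check fails before wiping and passes after."""
    secret = b"PAYROLL 2006 Q1 ... ACCOUNT 1234-5678 (constructed sample) "
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret * (1024 * 1024 // len(secret) + 1))
        path = tmp.name
    try:
        before, _ = spot_check_wiped(path, seed=1)
        overwrite_passes(path, passes=3)
        after, _ = spot_check_wiped(path, seed=1)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    missing, unexpected = reconcile(INVENTORY_CSV, AUDIT_CSV)
    print("shipped but not certified:", missing)
    print("certified but never shipped:", unexpected)
    print("spot check (before wipe, after wipe):", demo())
```

Both reconciliation results deserve a question to the vendor: a missing serial is a drive whose fate is undocumented, and an unexpected one suggests the report was not built from your shipment. The spot check reads a random sample rather than the whole device so it is cheap enough to run on every audited batch; a full read is the stronger check when a drive is selected for a deeper test.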

Don't forget to check who is actually doing the work. "There have actually been some vendors that have partnered with prison systems to dismantle equipment," O'Brien noted. "Do you really want a convicted felon having access to your data?"

Though managing the disposal process may take some effort, experts agree that ensuring that all old systems undergo a thorough and documented data sanitization will be increasingly necessary for organizations that want to avoid being sued, robbed, fined or just plain embarrassed.

"This should be a common business practice anytime you dispose of equipment with data," Smith said. "You don't want to be the next data theft story on the news that night."

Sue Hildreth is a freelance IT writer based in Waltham, Mass. She can be reached at Sue.Hildreth@Comcast.net.
