Data Security: Is your organization doing enough?
By Angie Ping

As time progresses it is only natural that systems become inadequate. Currently computers have a useful life of only three to five years.

At some organizations the IT department takes responsibility for outdated computers, but the facility manager is still tasked with finding somewhere to store the devices until they are destroyed, recycled or resold. This means wasting valuable space for storage of computers which are out-of-date and will never be reused by the organization.

At other organizations the facility manager must determine what should be done with the older machines without the help of an IT department.

While it may not seem like a difficult task to find storage or implement a process of disposing of computers, new regulations on hard drive data destruction and an increasing amount of privacy-related issues have created new challenges for facility managers. With millions of computers being replaced each year, the need for a strategy to deal with data security is becoming more and more important.

Data security involves more than finding storage; it also means keeping track of every electronic device that holds sensitive material. In a recent incident at the University of California, Berkeley, a laptop containing personal information on more than 98,000 individuals was stolen from a restricted area. The files on the computer held the names and Social Security numbers of the individuals, mostly graduate students or applicants to the campus's graduate programs.

California's new breach-notification law required the university to disclose the breach to everyone affected. Many states are now looking to adopt similar laws to protect their residents, and the U.S. government is considering more stringent identity-theft legislation, including a proposed federal requirement that consumers be notified whenever their personal data is compromised.

Regulations
Several regulations have been enacted that create obligations and liabilities for organizations disposing of out-of-date computers. Hard drives must be completely cleared of all information before a machine leaves the organization's control, or the company may face fines and court action under regulations such as these:

  • Health Insurance Portability and Accountability Act (HIPAA) requires that health care organizations protect patients’ privacy.
  • Gramm-Leach-Bliley Act requires financial institutions to safeguard customers' nonpublic personal information and penalizes institutions that release it improperly.
  • Right to Financial Privacy Act (RFPA) places limitations on the government’s right to access personal financial information, requiring the government to provide notice before accessing personal records from a bank.
  • Safe Harbor Principles. The European Union's data protection rules restrict transfers of personal data to countries that do not meet the European standard for privacy protection. The U.S. Department of Commerce's Safe Harbor Principles, approved by the European Commission in 2000, allow U.S. companies that certify compliance with them to keep exchanging personal data with the European Union without interruption, while privacy concerns are addressed under existing U.S. statutes.
  • California SB-1386 - Protection of Personal Data went into effect in the state of California on July 1, 2003. The law requires that any organization that owns or licenses computerized data that includes personal information disclose any breach of the security of the system to any resident of California whose personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

When a financial institution lost two laptops from a banking office last summer, it estimated that the regulatory fallout cost more than $7 million in fines, public relations efforts and other related expenses. Consumers can also bring civil suits against organizations they believe breached their privacy by allowing personal information to fall into the wrong hands.

Client privacy and proprietary information
Even after every file has been deleted and the drive reformatted, the data is still there. Deleting a file or running a standard reformat only removes the file system's references to the data; the sectors holding the contents are left untouched until something else overwrites them, and freely available recovery tools read those sectors back directly. If that data is a person's credit card and Social Security numbers, or an organization's tax records, huge problems arise.

“With the rapid advance of technology and burgeoning sizes of available hard drives, companies and individuals often don’t think twice about upgrading. This invariably leads to shelving and eventual disposal of older, less capacious hard drives. Both empirical and anecdotal evidence points to a tremendous amount of sensitive data being available to anyone purchasing used drives,” said Assaf Rutenberg, director of network integration services at Linear Technologies and technology enthusiast.

“By buying used drives, I have come across everything from detailed client lists for a national brokerage firm, to the personal contact information on a company’s internal Website. In each case I have zeroed out the data and informed the seller. Not every buyer would be so scrupulous,” said Rutenberg. “It is important to remember that with the onward march of technology, the ability to retrieve even deleted files off of old machines is within the reach of anyone with internet access. There are many tools to safely erase your data. They are, however, only useful if diligently applied.”

Up to 25 percent of computers processed with a commercial privacy software solution are not clear of data, according to Robert Houghton, president and founder of Redemtech Inc., a company providing technology change management solutions.

Implementation Checklist
From End-of-Life Data Security: Challenges and Risks, a white paper by Redemtech Inc.

Be sure your data security policy provides for the following:

  • Physical security, including controlled inventory and restricted access to unprocessed systems
  • Systematic control of the erasure process
  • Technology-compatible erasure application
  • Systematic verification of successful erasure process
  • Periodic quality control audits of randomly selected systems
  • Physical selection for undiscovered drives
  • Special procedures for servers and arrays
  • Destruction procedures for non-functioning drives
  • Collection and destruction procedure for magnetic and optical media
  • Audit trail documenting the successful erasure of every hard drive

To read the entire document visit www.redemtech.com

Solutions
Older methods of disposing of obsolete technology are no longer acceptable. Throwing computers or their hard drives into the trash isn't just bad for the environment; it is bad for business. What can be done with hard drives that will keep an organization safe?

With proper planning and care organizations can easily comply with regulations and keep proprietary information private, Houghton said.

“You need to put a discipline in place that allows data security to be managed properly,” said Houghton.

“You have to establish and maintain a chain of custody audit trail. From the moment that a computing device is decommissioned for the last time, you really have to know where that device is and who has control of it. Every change of control has to be documented and the inventory has to be accounted for,” said Houghton.

Placing obsolete devices in an empty cubicle or store room where anyone has access to them may be the easy solution, but it may not comply with regulations. If everyone has access and no inventory is kept, a device can be taken and nobody will ever know. The computer itself may be worth nothing to the organization, or to the person who takes it, but the data inside can be worth millions.

Houghton said organizations also need to keep a permanent record of the destruction of the data on each hard drive, one that can be produced in legal matters, in order to comply with regulations.

In-house data destruction
Some organizations may choose to tackle data destruction internally, as ProCard, Inc. has done. ProCard, a provider of technology and services for commercial card programs, has implemented a strategy that physically destroys the hard drive.

“Our process is typically two step. First we degauss the drive. We bought a degausser that meets all our criteria for data destruction. Then once that is done the company we use for secure document destruction will, for an additional cost, literally shred the drive. I know the degauss step seems redundant as they are being completely destroyed but since we are handing them a whole drive we just want to make sure that there is no way to retrieve data,” said Glenn Barrows, manager of corporate services for ProCard, Inc.

Degaussing exposes the drive to a powerful magnetic field that scrambles the magnetic domains on the platters, rendering the data unreadable. On a modern hard drive the same field also wipes the factory-written servo tracks, so the drive can never be read again; that is why the result cannot be checked, and why physically destroying the degaussed drive is the only way to be sure no data can be recovered. The one drawback is that a degaussed drive cannot be resold, so none of its cost is recovered. Degaussing also works only on magnetic media: it does nothing to flash or optical media, which must be physically destroyed.

Some organizations prefer to resell the drives to help pay for the erasure process. Overwriting (also called data overwrite or wiping) makes a drive available for reuse: software writes meaningless patterns over every sector, so the original data is actually replaced rather than merely unreferenced. To do this in-house, software must be purchased, and the procedure is typically run for three passes to ensure the data is unrecoverable. This can be expensive, and each drive must be read back and checked on completion to verify that the overwrite actually succeeded. The work is time-consuming and may require IT department staff to develop a new expertise. One pitfall Redemtech has noticed is that many organizations unknowingly fail to erase drives that have been disconnected inside the machine: erasure software only sees the drives that are attached, so a drive that is not connected is never touched.
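The two points above, that deletion leaves the contents in place and that an overwrite must be verified and recorded, are easier to see in code. The following is an added example written for this article, not code from Redemtech, ProCard or any vendor named here. It operates on a small disk-image file that the script constructs itself as a stand-in for a physical drive; the sample record, the fake directory entry, the 512-byte sector size, the pattern sequence 0x55/0xAA/0x00 and the field names in the audit record are all assumptions made for illustration, not a reproduction of any standard or product:

```python
import hashlib
import json
import os
import tempfile
import time

SECTOR = 512
DATA_SECTOR = 10
# Constructed sample data standing in for a real customer record (assumption).
SAMPLE_RECORD = b"name=Jane Doe;ssn=123-45-6789;card=4111111111111111"

def build_sample_image(path, sectors=64):
    """32 KiB stand-in for a drive: sector 0 = fake directory entry, sector 10 = record."""
    image = bytearray(sectors * SECTOR)
    off = DATA_SECTOR * SECTOR
    image[off:off + len(SAMPLE_RECORD)] = SAMPLE_RECORD
    dirent = b"DIR:records.csv@%d\x00" % off
    image[:len(dirent)] = dirent
    with open(path, "wb") as f:
        f.write(image)

def delete_and_quick_format(path):
    """Delete/quick format clears only the metadata (sector 0); data sectors stay."""
    with open(path, "r+b") as f:
        f.write(b"\x00" * SECTOR)

def residue_present(path, needle=SAMPLE_RECORD):
    """Raw search of the whole image, the way a file-carving tool looks for data."""
    with open(path, "rb") as f:
        return needle in f.read()

def verify_final_pattern(path, pattern):
    """Read every sector back; return the sectors not holding `pattern` plus a hash."""
    expected = bytes([pattern]) * SECTOR
    bad_sectors, digest, idx = [], hashlib.sha256(), 0
    with open(path, "rb") as f:
        while True:
            chunk = f.read(SECTOR)
            if not chunk:
                break
            digest.update(chunk)
            if chunk != expected[:len(chunk)]:
                bad_sectors.append(idx)
            idx += 1
    return bad_sectors, digest.hexdigest()

def overwrite_with_verification(path, patterns=(0x55, 0xAA, 0x00), operator="unknown"):
    """One full pass per pattern, fsync each, verify the last, return an audit record."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for pattern in patterns:
            block = bytes([pattern]) * SECTOR
            f.seek(0)
            remaining = size
            while remaining:
                n = min(SECTOR, remaining)
                f.write(block[:n])
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # the pass must reach the media, not just the page cache
    bad_sectors, sha256 = verify_final_pattern(path, patterns[-1])
    return {
        "device": path,
        "size_bytes": size,
        "passes": len(patterns),
        "patterns": ["0x%02X" % p for p in patterns],
        "verified": not bad_sectors,
        "bad_sectors": bad_sectors,
        "final_sha256": sha256,
        "operator": operator,
        "timestamp_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
    }

def run_demo(operator="facilities-desk"):
    """Delete, show residue; wipe, show none; then plant the record to prove the verifier flags it."""
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        build_sample_image(path)
        delete_and_quick_format(path)
        residue_after_delete = residue_present(path)
        audit = overwrite_with_verification(path, operator=operator)
        residue_after_wipe = residue_present(path)
        with open(path, "r+b") as f:  # simulate a sector the wipe never reached
            f.seek(DATA_SECTOR * SECTOR)
            f.write(SAMPLE_RECORD)
        tamper_bad_sectors, _ = verify_final_pattern(path, 0x00)
    finally:
        os.unlink(path)
    return {"residue_after_delete": residue_after_delete, "residue_after_wipe": residue_after_wipe,
            "audit": audit, "tamper_bad_sectors": tamper_bad_sectors}

if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run directly, the script prints the audit record as JSON: the record is still findable after the "delete", gone after the three passes, and the verifier reports sector 10 when the record is planted back, which is the behaviour a verification step must have if it is to mean anything. Against a real drive the same logic would be pointed at the block device rather than a file, with two caveats the in-house section above does not spell out: software can only overwrite sectors the drive exposes, so sectors the drive has silently remapped to its spare pool are not touched, and on flash-based drives wear-levelling can leave old data in blocks the host cannot address. For those cases the drive's built-in secure-erase command or physical destruction is the only reliable route. The returned dictionary is the kind of per-drive evidence the checklist's last item and Houghton's chain-of-custody remarks call for.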

The cost and time associated with erasing data leads many organizations to utilize external resources for data security solutions.

Outsourcing-Let the experts handle it
“The very best method is to outsource data security to a company that is an expert in it, because an outsourcer like Redemtech will already have the reporting in place, the controls in place and the technology in place to provide a quality, reliable outcome,” said Houghton.

The price for outsourcing is less than doing it in-house in most cases according to Houghton. Redemtech offers a full cycle, on-demand process to manage the use and migration of new, legacy and idled equipment and to ease old technology out with complete data security, e-waste control and regulatory indemnification.

Another company offering an outsourcing solution is RetroBox, an information technology disposition company that specializes in the redeployment and recycling of personal computers, laptops, monitors, servers, networking equipment, cell phones and associated peripherals. The company protects organizations from the inherent legal, financial and environmental risk associated with information technology reuse, recycling and disposal.

One of the largest independent computer leasing specialists in the world, Computer Sales International, Inc., recently began offering a data sanitization process as a standard, no-charge service to its customers. The service, called SecureTrack, is now a standard part of the return process for all PCs, notebooks and Intel®-based servers leased from the company.

Large technology manufacturers, like HP, Dell and IBM, are now also offering hard drive disposal services. IBM’s Asset Recovery Solutions 3x Disk Overwrite service provides a cost-effective way to overwrite disk drives before reselling them. Dell offers data security, removing tags and labels from equipment and overwriting hard drives, as part of their Asset Recovery Services.

"We offer customers a variety of secure and environmentally responsible end-of-life product disposition services globally, including recycling, trade-in, asset recovery and donation," said David Lear, vice president, Corporate, Social and Environmental Responsibility, HP. "With each of these options, we respect the privacy of our customers and use industry standard software and physical destruction to remove customer personal information, identification and proprietary data from all products returned to HP for proper disposal."

International Facility Management Association
1 E. Greenway Plaza, Suite 1100 • Houston, TX • 77046-0104 USA
Phone: 713-623-4362 • Fax: 713-623-6124 • webmaster@ifma.org