Corporate legal departments are beginning to mandate proper data and hardware disposal as repercussions of the TJX
Data theft threats and corporate data destruction policies
"The risk for data theft is very high," said Richard Ptak, president of Ptak and Noel Associates. "Data is very vulnerable and people haven't been made as aware as they should be about data on disk. Formatting the drive, erasing or deleting the files is not sufficient."
Storage resellers who specialize in data security will likely see an upswing in business as a result of the highly publicized data theft cases (see sidebar).
"Companies always have money in the budget for compliance and data loss concerns," said Ryk Edelstein, director of operations for Montreal-based Converge Net. "Infrastructure budget may be gone, but when companies recognize a serious business threat funds are usually allocated for that need."
Storage resellers have an opportunity to be proactive and create their own data destruction services business to meet proper data hardware destruction needs.
"Resellers should let legal departments know that there should be policies set up for hard drives when they're exhausted," said Ptak.
"The end of life on hardware and decommissioning components of data security policies are generally lacking," said Edelstein. "Current hardware destruction methods are unsound. There are people out there who can get to the ensconced data on hardware that has been thrown out."
That data in the dumpster or out-of-the-way closet can still be accessed by someone with malicious intent.
"There are some geeks out there who will try and steal data off of old hard drives because they want to prove how clever they are," said Ptak. Companies can take that risk.
But by outlining some specific risks -- dumpster diving and theft, for example -- the discussion between storage resellers and customers can begin with digital data destruction policy generation and the effect on the customer.
Data destruction alleviates regulatory compliance issues
"Hardware destruction is eventually going to become part of compliance," said Jerome Wendt, lead analyst and president of DCIG Inc. "But most lawyers will tell you that there is no reward for over compliance. Customers should generally do the minimum requirements to meet regulations."
Currently, that could mean making data that is older than seven years inaccessible, or storing old hard drives in the back of a closet. But that data can still be reached by someone determined to access it. Disposing of that old hardware and stored data will have to become part of compliance management.
"Most data retention compliance regulations don't have a specific statement about stored data at the end of its life," said Edelstein. "There's an objective that needs to be met -- namely that the data has to stay secure -- but no specific technology for the job."
Health care organizations, financial institutions and any company that receives and keeps private information on file are potential customers for resellers in the data destruction field.
"Someone probably isn't going to try and rip off a dry cleaner operation unless it's a chain," said Ptak. "But research and development shops or any place that stores information that is private must properly recycle or dispose the old data hardware."
But what has become clear is that throwing an old hard drive in the garbage or hitting it with a sledgehammer isn't an effective way to destroy the stored information.
"It's expensive, but there have been instances where drives that have been in a fire or flood have had some files recovered off of them," said Ptak.
That possibility should have companies -- and those companies' customers -- concerned, said Edelstein. "But by using hard drive shredders, companies get an audit trail ensuring that the hard drive has been wiped and can't be recovered," said Edelstein. "There's an audit trail that is defensible and will ensure customers pass compliance and regulations requirements with flying colors."
Lease data shredders for data destruction
Once customers understand the need for data destruction, storage resellers can implement policies and programs easily, said Edelstein.
"Resellers are always looking for higher ground," said Edelstein. "First it was building boxes, then it was being a security expert. Now resellers are looking to be compliance experts."
By offering a data destruction service, such as data shredding, storage resellers aren't reduced to seeing customers only once every year to fix problems and update hardware.
"Resellers can get a data shredder on lease for a low cost," said Edelstein. "The data shredder -- which is a portable box -- is brought to a customer's shop. You drop the old hard drive into it and the data gets destroyed."
"Plus, customers have the piece of mind knowing their data is gone because the service is performed on site," said Edelstein. "Customers should never lose care, custody or control of their data."
The shredder will clean the hard drive in front of customers and provide an audit trail that they can use to avoid litigation, by putting the onus on you, the reseller.
But resellers shouldn't worry about being caught up in litigation because the right data shredder will destroy data so that forensic reconstruction can't get at the information, said Edelstein.
After the information has been wiped clean, resellers can help customers set up a policy to perform such data destruction services on an ongoing basis, and they can even take advantage of the cleaned hard drives.
"The hard drives are reusable," said Edelstein. "After they've been cleaned, the drives can be redeployed or returned to vendors."
This was first published in June 2007