All of a company’s technical assets will hold some amount of proprietary data, and it is a legal requirement that companies dispose of that data permanently before the asset is sold on from the company.
There are many scare stories of financial and personal data being recovered once a PC is supposedly data-cleansed, but what can companies do about it?
Data protection is a worrying and emotional issue, and most companies are now aware of, and have acted to remove, the risk to the bottom line or to company reputation if private or customer data leaks through an IT system. There are many examples to learn from, where software faults or hackers have made confidential details available over the internet. Although this aspect of security is well documented, some IT managers are still overlooking the protection of data at the end of a technical asset’s lifecycle.
This is despite numerous stories of important corporate data and private client information being found on discarded hard drives left in rubbish tips or sold on to other companies. Arguably the most high-profile case was when some of former Beatle Paul McCartney’s bank details were discovered on a PC sold to a broker by Morgan Grenfell Asset Management back in 2000. This was then broken as a news story on the front page of one of the U.K.’s national newspapers, and as this article demonstrates, is still being quoted today.
Once companies realize the risks that redundant hard drives can pose, many are tempted to react emotionally and destroy hard disks with a hammer or drill, or lock them into a safe for long-term protection. In my opinion, such drastic action need not be taken, as, if treated correctly, companies can dispose of assets with confidence that data will remain wiped. These assets can be sold on or recycled, adding money back into the hardware budget.
The seventh principle in the U.K.’s Data Protection Act clearly states that it is the responsibility of the company to safely dispose of its clients’ and staff’s personal data: “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Similar laws exist in other jurisdictions.
If this data is not controlled, and does happen to leave the building, then it is the individual’s right to take legal action against that company. I believe that most IT managers know they need to remove the data, but some are not aware of the laws protecting data, which, if broken, can leave the business open to heavy fines and public scrutiny, heavily damaging a company’s reputation.
Scrub the hard drive clean!
A key issue when disposing of technical assets such as PCs is the absolute removal of any data from the hard drives. Apart from the high-profile cases where personal financial data has leaked out, TAM has found business-critical documents such as the five-year business plan of a large household name computer manufacturer, which came from its firm of London accountants. The accountants believed that the hard drives were empty – but they weren’t.
Another example is the compelling story of the two students at the MIT Laboratory of Computer Science who purchased 158 disk drives for a scrap value of less than $1,000. After examining the drives they found more than 5,000 credit card numbers, numerous medical reports and corporate and financial information. The two students, however, used this information to report their findings and concluded that buying any 10 drives on the used market would give a 30 percent chance of finding confidential and useful information.
This figure is so high because companies often dispose of their technical assets through brokers. Some of these may promise that all data is removed, but their main concern may be revenue and not data protection. Companies should therefore check the procedures for data removal stringently; if data is found once the PC is sold on, the responsibility remains with the original company and not the broker.
We at TAM have found ourselves in a position to educate our clients that a safe hard drive is not necessarily a smashed hard drive. The storage space needed for hard drives can be costly and a hammer and drill solution is a waste of money, as the PC can be upgraded or sold on once all data is safely removed, therefore putting money back into the hardware budget. Even if the hard drive is stored in a fireproof safe, there is always the possibility it could get stolen. Also, studies in the U.S. have shown that a repair or rebuild of a hard disk after a drill or hammer solution is actually possible.
Remove and recycle
There are many data removal tools available on the market that can effectively and safely remove all data on the hard drive. Software such as Sanitizer is internationally recognized and approved by the U.S. Department of Defense. It permanently and irreversibly cleans the hard drive through a process of multiple overwriting.
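The multiple-overwrite process described above, together with the read-back check a company would want before releasing a drive, as an added Python example that is not from the article or from any product it names. The pass pattern, block size, function names and the file-backed sample image are assumptions made for illustration.

```python
import os
import tempfile

BLOCK = 4096  # bytes per read/write; assumed value for this example

def overwrite_pass(path, pattern):
    """Overwrite every byte of path; pattern is a byte value, or None for random."""
    remaining = os.path.getsize(path)
    with open(path, "r+b") as f:
        while remaining:
            n = min(BLOCK, remaining)
            f.write(os.urandom(n) if pattern is None else bytes([pattern]) * n)
            remaining -= n
        f.flush()
        os.fsync(f.fileno())  # push the pass to the medium before the next one

def verify_fill(path, value):
    """Read the image back; return offsets of blocks not entirely `value`."""
    bad, offset = [], 0
    with open(path, "rb") as f:
        while chunk := f.read(BLOCK):
            if chunk != bytes([value]) * len(chunk):
                bad.append(offset)
            offset += len(chunk)
    return bad

def sanitize(path, passes=(0xFF, None, 0x00)):
    """Run each pass in order; the last is a fixed value so it can be verified."""
    for pattern in passes:
        overwrite_pass(path, pattern)
    return verify_fill(path, passes[-1])

def make_sample_image():
    """Constructed stand-in for a drive: zeros plus one leftover fake record."""
    fd, path = tempfile.mkstemp(suffix=".img")
    record = b"CARD 0000-0000-0000-0000 (constructed sample)"
    with os.fdopen(fd, "wb") as f:
        f.write(b"\x00" * BLOCK + record.ljust(BLOCK, b"\x00"))
        f.write(b"\x00" * (BLOCK + 100))
    return path

def demo():
    path = make_sample_image()
    try:
        before = verify_fill(path, 0x00)  # blocks still holding old data
        after = sanitize(path)            # residual blocks after the wipe
        return before, after
    finally:
        os.remove(path)
```

Run against a file-backed image this shows only the overwrite-and-verify logic; a real drive is sanitized at the device level, where remapped sectors and flash spare areas are out of reach of ordinary writes.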
A second compelling reason to use an asset management company over a broker is the financial return you can gain from seemingly redundant IT. If you have taken a hammer to the hard disk drive, your PC is heavily devalued, so will usually end up being scrapped – and you have to take environmental restrictions on the disposal of these technical assets into account.
If you non-destructively clean the hard disk, the PC could be refurbished and supplied to a new user – units even as low specification as 486 are still being used around the globe. Companies can see a return of five percent into their hardware budgets year-on-year by recycling and refurbishing their technical equipment in this way.
The IT industry has typically worked in a global manner in terms of supply, but in a local manner in terms of re-use and re-manufacture. It is now time for us all to think and work globally on whole-life processes of all IT products.
Kevin Riches is managing director of IT asset lifecycle management firm TAM (Technical Asset Management) (www.tam-uk.com).