Securely sanitizing hard disk drives and other IT equipment is critical when retiring old and obsolete equipment to prevent leaking sensitive data.
A new computer, mobile device or other
IT equipment generally requires some effort setting up and migrating data.
Enterprises also need to spend the time making sure the data is completely
removed from the equipment as it is replaced.
Organizations do not always stop to
consider the security implications of leaving data on obsolete equipment before
disposing of them, Jim Kegley, president and CEO of U.S. Micro, told eWEEK
. With more and more sensitive data
being stored on devices such as copy machines, computers, phones and tablets,
organizations without secure IT asset disposal policies are at risk of costly
data breaches and reputation damage, Kegley said.
The holiday season also means that many
people received new mobile devices or computers. While synchronization and
backup tools have made switching data to new devices a much easier process,
users don't often take the extra step to remove data, including contacts and
work emails, from the older device before throwing it away, increasing the
Companies spend millions of dollars securing
new equipment, but neglect to make the appropriate investment to secure
sensitive information when disposing of assets, according to Kegley.
Approximately eight pounds per U.S. resident worth of IT equipment are
discarded each year, according to U.S. Micro.
Earlier this year, New Jersey's comptroller's office
80 percent of the computers disposed by state agencies and flagged for public
auction still contained personal identifying information such as Social
Security numbers and confidential data such as tax returns, case reports and
immunization records. Last year, a federal audit found that National Aeronautics and Space Administration personnel
at four facilities neglected to ensure data was properly removed before selling
or discarding computers.
In 2010, Blue Cross Blue Shield of
Tennessee disclosed it had spent more than $7 million investigating the loss of
57 hard drives that had been stolen while sitting in storage waiting to be
destroyed, according to Kegley.
Just moving the equipment off-site for
long-term storage or relying on self-cleaning to remove data are "poor
options," Kegley said. Deleting the hard drive or reinstalling the
operating system is not always enough, especially if handled by personnel
without the proper training. Experts recommend sanitizing drives by overwriting
and degaussing the device so that it is impossible to recover the data. In
highly sensitive environments, it is often recommended that the drives be
physically destroyed to prevent any potential data leaks.
Just last week, Army investigators
presented evidence against Pvt. Bradley Manning and the classified documents
that he'd allegedly leaked to whistleblowing site WikiLeaks. Investigators said
that someone had attempted to securely wipe the laptop by overwriting the data
with zeros. The process is effective, but should be run several times. The
operation was run only once on Manning's laptop, allowing investigators to
retrieve some of the data that hadn't been destroyed to build their case.
Less than 25 percent of mobile devices,
computers and electronics equipment are discarded properly, according to Sims
Recycling Solutions, an electronics recycler that specializes in removing data
from discarded equipment.
Earlier this year, the Obama administration
unveiled the National Strategy for Electronics Stewardship, calling for federal
agencies to buy, reuse and recycle electronics responsibly, and to use
certified recyclers to dispose of electronics. The initiative requires agencies
to establish and follow a comprehensive policy on how data stored on the used
equipment is removed. Agencies will also have to improve their processes for
tracking what happens to the electronics after they have been disposed.
Enterprises should ensure that all the
data has been wiped even before the equipment leaves the premises for sale or
disposal, according to Kegley.
The strategy, intended to protect the
environment and encourage the use of energy-efficient devices, does not go far
enough regarding the data stored on those devices, according to Kegley.
"The strategy falls flat on the important topic of data sanitization and
higher standards that are currently available and could be easily implemented
to ensure better protection of consumer data," he said, noting that it is
also "fairly silent" on regulations already in place regarding data
A national strategy, if properly
developed, would be useful as it would give consumers and businesses
information on how to properly recycle electronics to prevent data breaches,