Securely sanitizing hard disk drives and other IT equipment is critical when retiring old and obsolete equipment to prevent leaking sensitive data.
A new computer, mobile device or other
IT equipment generally requires some effort setting up and migrating data.
Enterprises also need to spend the time making sure the data is completely
removed from the equipment as it is replaced.
Organizations do not always stop to
consider the security implications of leaving data on obsolete equipment before
disposing of it, Jim Kegley, president and CEO of U.S. Micro, told
eWEEK. With more and more sensitive data
being stored on devices such as copy machines, computers, phones and tablets,
organizations without secure IT asset disposal policies are at risk of costly
data breaches and reputation damage, Kegley said.
The holiday season also means that many
people received new mobile devices or computers. While synchronization and
backup tools have made switching data to new devices a much easier process,
users don't often take the extra step to remove data, including contacts and
work emails, from the older device before throwing it away, increasing the
organization's risk.
Companies spend millions of dollars securing
new equipment, but neglect to make the appropriate investment to secure
sensitive information when disposing of assets, according to Kegley.
Approximately eight pounds of IT equipment per U.S. resident is
discarded each year, according to U.S. Micro.
Earlier this year,
New Jersey's comptroller's office discovered that
80 percent of the computers disposed of by state agencies and flagged for public
auction still contained personal identifying information such as Social
Security numbers and confidential data such as tax returns, case reports and
immunization records. Last year, a federal audit found that
National Aeronautics and Space Administration personnel
at four facilities neglected to ensure data was properly removed before selling
or discarding computers.
In 2010, Blue Cross Blue Shield of
Tennessee disclosed it had spent more than $7 million investigating the loss of
57 hard drives that had been stolen while sitting in storage waiting to be
destroyed, according to Kegley.
Just moving the equipment off-site for
long-term storage or relying on self-cleaning to remove data are "poor
options," Kegley said. Deleting the hard drive's contents or reinstalling the
operating system is not always enough, especially if handled by personnel
without the proper training. Experts recommend sanitizing drives by overwriting
and degaussing the device so that it is impossible to recover the data. In
highly sensitive environments, it is often recommended that the drives be
physically destroyed to prevent any potential data leaks.
Just last week, Army investigators
presented evidence against Pvt. Bradley Manning concerning the classified documents
that he'd allegedly leaked to whistleblowing site WikiLeaks. Investigators said
that someone had attempted to securely wipe the laptop by overwriting the data
with zeros. The process is effective, but should be run several times. The
operation was run only once on Manning's laptop, allowing investigators to
retrieve some of the data that hadn't been destroyed to build their case.
Less than 25 percent of mobile devices,
computers and electronics equipment are discarded properly, according to Sims
Recycling Solutions, an electronics recycler that specializes in removing data
from discarded equipment.
Earlier this year, the Obama administration
unveiled the National Strategy for Electronics Stewardship, calling for federal
agencies to buy, reuse and recycle electronics responsibly, and to use
certified recyclers to dispose of electronics. The initiative requires agencies
to establish and follow a comprehensive policy on how data stored on the used
equipment is removed. Agencies will also have to improve their processes for
tracking what happens to the electronics after they have been disposed of.
Enterprises should ensure that all the
data has been wiped even before the equipment leaves the premises for sale or
disposal, according to Kegley.
The strategy, intended to protect the
environment and encourage the use of energy-efficient devices, does not go far
enough regarding the data stored on those devices, according to Kegley.
"The strategy falls flat on the important topic of data sanitization and
higher standards that are currently available and could be easily implemented
to ensure better protection of consumer data," he said, noting that it is
also "fairly silent" on regulations already in place regarding data
protection.
A national strategy, if properly
developed, would be useful as it would give consumers and businesses
information on how to properly recycle electronics to prevent data breaches,
Kegley said.