Merely donating old computers to schools, libraries or other nonprofit organizations may become a casualty of the information age. Compliance with regulations such as HIPAA (the Health Insurance Portability and Accountability Act) and the Gramm-Leach-Bliley Act requires financial institutions, health care organizations and others to ensure that no confidential data is exposed to public view, something that can occur if unwiped hard drives are resold to other organizations.
But the debate is also drawing in more traditional companies, which are just as worried about civil suits as their regulated counterparts are about investigations from regulatory agencies.
A subset of the debate involves the best practices to destroy data, which can either include Department of Defense-compliant software that overwrites all data on a drive several times or an actual physical shredding of the disk platter itself. That debate may get resolved in November, when the board of NAID (the National Association for Information Destruction) will present its first recommendations.
More and more, industry sources say, enterprises are looking seriously at the problem. "Five or six years ago, our clients didn't have budgets allocated for this," said Steve Forbes, a contracts administrator at recycler Gold Circuit Inc., based in Chandler, Ariz. "Now, there are entire budgets that have sprung up for asset disposition and electronic asset disposal."
Even smaller nonprofit recycling firms are finding themselves swept up in the data-protection debate. Fortunately for them, the market for data-destruction products has become increasingly competitive, since the DOD does not offer any certification procedures for compliance with the 5220.22-M specification, published by the Defense Security Service, an agency of the U.S. Department of Defense.
Ron Norton, the owner of Carson City, Nev.-based ComputerCorps, said the nonprofit recycler has chosen a DOD-compliant software utility to wipe the drives before shipping them back into the community. "Data destruction has become much more important to us in the last few months," he said. A number of the companies donating PCs allow the drives to be reused or resold, but there's "a lot of extreme caution," he said.
At Gold Circuit, the enterprise-level recycler has 15 technicians who do nothing but wipe hard drives and upgrade systems, Forbes said. Gold Circuit's custom-designed DOD-spec software utility can format a 40-Gbyte hard drive in two to four hours, depending upon the speed of the processor, he said. The utility writes to each sector of the drive, including the boot sector that is normally ignored by the OS.
"Data-destruction services first hit us in the financial sector; at that time, it was kind of a niche," said Forbes, adding that clients had been asking for data-destruction services as early as 1993 and 1994, when the company was founded. "Lately, we've been picking up [data destruction] contracts in the corporate sector."
For many recyclers, data destruction has become another service that a recycler can turn around and sell to a client. "It's significantly different than our traditional business," said Joe Harford, vice president of sales and marketing at Reclamere, based in Tyrone, Penn., which also uses a custom DOD-spec software utility to wipe hard drives, while CD-ROMs and tapes are physically shredded. "We manage the equipment, we manage the data."
In return, the recyclers provide their own certifications that the data has been destroyed. In addition to HIPAA and the Gramm-Leach-Bliley Act, companies have been asking for liability protection on homeland security issues. But contracts and certifications are negotiated between the recycler and client on an individual basis, with little oversight.
"I have to chuckle every time I see an ad for a DOD-approved facility," Forbes said. "There is no such thing as a DOD approval certificate, no HIPAA cert. Even the EPA just puts out guidelines–you're in an EPA-approved facility; they have visited the facility, conducted an audit or tests, but there's no stamp of approval."
In certain cases, the certifications are enough. With PCs that come from military clients, however, a representative will typically physically monitor the disk drives as they move through the facility, Forbes said.
The question is whether certain data is sensitive enough to warrant overwriting it with random data, physically shredding the drive, or both. Phoenix-based NAID represents the companies involved in the destruction of data, the majority of which has traditionally been stored on paper and handled by document-shredding companies. But six to 10 companies have joined NAID as firms that handle the destruction of data stored on hard disks, according to Bob Johnson, NAID's executive director.
The problem is that two of the most secure methods–erasing data via an electromagnetic field or physically shredding the drive–are unappealing because a recycler cannot turn around and resell the drive, Johnson said. The other method, "erasing" data by overwriting it many times, may in fact miss damaged sectors on a drive. These sectors can contain fragmented or partial files that may hold recoverable information but are ignored by the host OS.
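The two technical points above, the sector-by-sector multi-pass overwrite described for Gold Circuit's utility and Johnson's caveat that damaged sectors can survive such a wipe, can be shown in a small simulation. The following is an added example written for this page, not the code of any recycler or utility named in the article: it models a drive as a constructed array of 512-byte sectors in which a chosen set of sectors rejects writes, runs a three-pass overwrite (zeros, ones, then a seeded pseudo-random pass) over every sector including sector 0, and then reads every sector back to report which ones still hold their old contents. The `SimulatedDrive` class, the pass patterns and the bad-sector numbers are all assumptions constructed for the demonstration.

```python
import os
import hashlib

SECTOR_SIZE = 512


class SimulatedDrive:
    """Constructed stand-in for a block device (an assumption for this example):
    a bytearray of sectors plus a set of sector numbers that fail on write,
    modelling damaged or remapped sectors. Reads of a bad sector still return
    its old contents, which is how data survives an overwrite-based wipe."""

    def __init__(self, sector_count, bad_sectors=()):
        self.sector_count = sector_count
        self.bad_sectors = set(bad_sectors)
        # Fill the drive with random bytes standing in for confidential data.
        self.data = bytearray(os.urandom(SECTOR_SIZE * sector_count))

    def write_sector(self, n, buf):
        if n in self.bad_sectors:
            raise IOError(f"write failed on sector {n}")
        self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE] = buf

    def read_sector(self, n):
        return bytes(self.data[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE])


# Three passes: all zeros, all ones, then pseudo-random (None).
PASSES = (b"\x00", b"\xff", None)


def sector_pattern(pass_spec, seed, n):
    """Return the 512-byte pattern written to sector n in a given pass.
    Fixed passes repeat one byte; the random pass derives its bytes from a
    seed and the sector number with SHA-256, so the verify step can
    regenerate exactly what was written without storing it."""
    if pass_spec is not None:
        return pass_spec * SECTOR_SIZE
    digest = hashlib.sha256(seed + n.to_bytes(8, "big")).digest()
    return digest * (SECTOR_SIZE // len(digest))


def wipe(drive, passes=PASSES, seed=None):
    """Overwrite every sector (sector 0, the boot sector, included) in each
    pass, then verify the final pass by reading every sector back.
    Returns the sorted list of sector numbers that either refused the write
    or do not read back as the final pattern: the sectors a recycler must
    treat as still holding data."""
    seed = os.urandom(16) if seed is None else seed
    write_failures = set()
    for pass_spec in passes:
        for n in range(drive.sector_count):
            try:
                drive.write_sector(n, sector_pattern(pass_spec, seed, n))
            except IOError:
                write_failures.add(n)

    # Verification: a wipe is only as good as what can be read back.
    final = passes[-1]
    unverified = set()
    for n in range(drive.sector_count):
        if drive.read_sector(n) != sector_pattern(final, seed, n):
            unverified.add(n)
    return sorted(write_failures | unverified)


if __name__ == "__main__":
    # Constructed sample: a 64-sector drive with two unwritable sectors.
    drive = SimulatedDrive(64, bad_sectors={7, 40})
    leftovers = wipe(drive)
    if leftovers:
        print("sectors still holding pre-wipe data:", leftovers)
    else:
        print("all sectors overwritten and verified")
```

The verify loop is the part worth copying: a tool that only counts completed passes reports success on exactly the sectors Johnson describes. Note that this check reaches only sectors the host can still address; a sector the drive firmware has already remapped out of the visible address space is invisible to both the overwrite and the verification, which is the remaining gap between software wiping and physical destruction.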