Data Destruction 2011
(Reuters) – Child abuse reports, Social Security numbers and other highly sensitive data were discovered on a batch of government computers headed for the auction block to be sold by the State of New Jersey.
(BBC) – US space agency NASA has been left red-faced after selling off computers without ensuring that highly sensitive data had been removed.
Both of the above headlines made world news in the past several months. How is it that after a decade of best practices, the growth of organizations like IAITAM and NAID, and ever-increasing scrutiny of data breaches, we are still seeing headlines such as these?
Back in 2003, MIT researchers Simson Garfinkel and Abhi Shelat reported on an experiment in which they purchased 158 used hard drives from a variety of sources and checked whether they still contained readable data. Roughly one third of the drives appeared to hold information that was highly confidential and should have been erased prior to the drive’s resale. As a computer forensics practitioner and ITAM professional with over 10 years’ experience, I believe that if the same study were performed today, the results would be much the same.
A few key developments in the global economy and ITAM have come together to make disposition at end of life for electronic assets more risky than ever. This article will take a look at them and what we as ITAM professionals can do to insulate our organizations from being the next statistic.
The Great Recession
Beginning at the end of 2008, our country entered the greatest economic meltdown the world has seen since the Great Depression. The major stories were about businesses failing in the financial sector that had seemed “too big to fail”; however, this was only a minor part of the story. All over the country, even the healthiest of companies saw their credit lines frozen or pulled, and these companies subsequently went into a survival-mode mentality. For the less fortunate, survival simply wasn’t to be, and after valiant struggles to stay afloat, they went into bankruptcy or were merged.
These events had huge impacts on ITAM. Companies that merged with others were at the lowest risk of a data breach involving IT assets: because the acquiring companies had resources and a real incentive for compliance, assets that were not useful to the merged organization generally had the best outcomes for compliance and security. Companies that failed often had far worse outcomes; they simply auctioned their equipment off. It goes without saying that a failing business has few resources for proper data destruction processes at such a chaotic and stressful time.

Companies that hunkered down to ride out the storm frequently downsized their staffs, and organizations that once had dedicated people for ITAM found themselves short-staffed. During times of “do more with less”, processes break down. The highest risk of process failure usually lies in manual processes, which are often viewed as menial or repetitive. Hard drive destruction and sanitization are exactly such high-risk areas, and they are very likely to suffer when resources are scarce.
The Rise of Commodity Values
Along with staff cuts and resource shortages of all kinds, greater economic pressure came to bear on ITAM professionals to maximize value at end of life. This push came at the exact time that commodity values began to climb to unheard-of amounts, with gold over $1,000 per ounce, copper over $3.00 per pound, and aluminum over $1.00 per pound. These rising commodity values have led to an unsustainable business model: the back-end revenue model. In this model, IT assets are taken for nearly free, and in some cases top dollar is paid for certain material. Third-party logistics companies are used to move material cheaply. Non-secure warehouse space is rented to give a local presence, and the vendor uses slick marketing to appear to be a full-service, compliant, professional vendor. Claims such as “zero exporting” cover up the practice of selling material to U.S. brokers who themselves then export the material, often illegally, to developing countries.

This isn’t just my opinion. Take a look at the recent article in ComputerWeek magazine about a very recent survey detailing how the failure of businesses to audit their e-waste vendors is fueling the illegal export of e-waste to developing countries. Increased enforcement by the US EPA and the work of organizations like BAN have raised awareness. These are both great things, but an unintended consequence has been very high black-market prices for electronic materials. Because responsible, legal, and ethical ITAM vendors refuse to sell material on the black market, the supply has diminished even though demand is higher than ever.
The back-end revenue model isn’t new. The document destruction industry already lived through this in the 1990s. Document destruction companies literally cropped up overnight; however, when the price of paper fell, many of those companies went out of business. Of course it’s a scary thought that mountains of confidential documents could simply be left behind as a business fails and the owners leave town in the middle of the night. Considering that a single computer hard drive may contain more than a tractor-trailer load of confidential information, can you imagine the horror of hundreds or even thousands of your company’s computers sitting in a warehouse being auctioned off by a bankruptcy court with your organization’s data still completely intact?
Call to Action
Now that our economy has arguably entered the recovery stage, it’s time to revisit some things that may have fallen through the cracks over the past 3 years of weathering the economic storm.
- It’s time to take a very close look at your organization’s ITAM disposition policy, processes, people and technology. If your company performs data destruction in-house, re-evaluate and audit the processes that your team follows. What is your quality control for making sure that no hard drive is ever missed in a device? What is your training program for making sure that those responsible for destruction can identify, process, and validate removal or sanitization of all different types of devices your organization uses? Is your process efficient? Do you truly have the right resources in people and technology for a 100% perfect data destruction program? If not, maybe it’s time to look at outsourcing your data destruction to a NAID AAA certified service provider for the utmost in secure, professional service.
- It’s time to give your ITAM service provider a thorough audit. Who are they, really? How long have they been in business? Where does your material really get processed? Is it processed in your region after being transported on their trucks in a secure chain of custody, or is it trucked all over the country by subcontracted trucking companies before reaching the final processing destination? Do they have 100% downstream accountability for all material, and can they prove it through bills of lading and customer lists that they are willing to share? What happens to TVs and CRTs, and can they prove it? Does your organization hide behind a contract, believing that nothing bad can possibly be happening with your material? Does your service provider currently hold BAN e-Stewards certification, or can they prove they are in the process of obtaining it (not simply having signed the pledge)?
A Wake-Up Call
By re-evaluating internal processes and renewing vigilance over your providers, your organization can protect its confidential information and avoid the all-too-common breaches. Many other important things go into a professional, compliant, world-class ITAM end-of-life program, but attention to these details is required of everyone.