IAITAM: WHAT MOST COMPANIES CONSIDER “GOOD” DATA WIPING STILL LEAVES DATA BREACHES A REAL DANGER
Upgrading to “Best” Hard Drive Retirement Steps Involves Little Extra Cost, But Dramatically Less Risk; Three Examples Cited Showing Risks to Companies and Consumers.
WASHINGTON, D.C. & CANTON, OH., September 29, 2016: Even though there are sound and affordable data security practices for retiring hard drives containing sensitive information, the “data wiping” practices of many companies and government agencies are either sloppy or completely nonexistent, according to the International Association of Information Technology Asset Managers, Inc. (IAITAM).
IAITAM highlighted three recent cases where the fumbling of hard-drive retirement created major threats:
- The U.S. Dept. of Health and Human Services (HHS) reached a 2013 settlement with Affinity Health Plan, Inc. in the amount of $1.2 million for federal health privacy violations after the company returned photocopiers to their leasing agent before the hard drives were erased. This oversight caused the personal health records of 344,579 individuals to be compromised.
- Earlier this year, Oklahoma-based Crest Foods had a data breach where computerized records containing sensitive information about employees (including Social Security numbers and bank routing information) were found in a dumpster outside the recycling facility they used as a disposal vendor.
- Three years ago, a major New York City bank found that its IT director diverted used company computers with hard drives intact to her child’s school, rather than going through the required outside data wiping process.
As these examples indicate, it does not require a disgruntled employee or outright sabotage to result in a real or potential problem due to deficient data-wiping procedures.
IAITAM CEO Dr. Barbara Rembiesa said: “The golden rule when it comes to data security when retiring hard drives is ‘remove the data, remove the risk.’ Another more useful way to look at this is that the sooner the data is removed in the process, the lower your risk. Retired drives containing data are an invitation for both intentional and unintentional misuse. This problem is magnified if drives are stored in an unsecure location where large numbers of employees have access. Even sloppy handling of hard drives with outside disposal firms can create problems if managed incorrectly.”
What’s the best way to proceed?
As IAITAM notes, many companies still perceive that it’s difficult, time-consuming, and costly to wipe data from retired computers, but that’s not the case. Wiping software is now capable of being initiated remotely with minimal technician time and effort. If you’re retiring or processing batches of computers simultaneously, a simple PXE configuration can allow the processing of hundreds of computers a day with just one technician. The bottom line is there’s no excuse for poor data security when it comes to your computer and hard drive retirement process.
According to IAITAM, data-wiping practices tend to fall into three categories:
- GOOD: A good process is one in which data on retired drives gets wiped at some point, even if it’s late in the process. The wipe comes late because most companies rely exclusively on a “remarketer” or ITAD (IT Asset Disposition) vendor to do the data sanitization. By the time the ITAD vendor receives the hardware, it has often been sitting in storage for months if not years in a vulnerable state. This is the absolute tail end of the process. Most companies understand the importance of wiping their data and therefore do meet the “good” requirement.
- BETTER: A better process is one in which data on retired drives gets wiped at the company where the drive originated or was in use. Better still is wiping the drive immediately upon its being retired. Wiping software is now capable of remotely initiating a wipe on any computer connected to the company’s network. In just a few minutes a wipe can be initiated. The drive may take a few hours to wipe, but no further effort is required by the technician. Once the drive is wiped, the results can be automatically logged to a database or sent via email. The ideal is to wipe drives within a day or two of their being retired. Any longer and you create an environment ripe for accidental misuse or intentional malfeasance.
- BEST: The best process is one in which data on retired drives gets wiped at the originating company and then is either wiped again or validated using a third party, such as an ITAD vendor. In this scenario the drive is wiped upon being retired. Because the data is gone, there is little risk in the drives sitting in storage, even if it’s unsecured. The data is gone, so the risk is gone. Then once the drives are sent for final disposition, the ITAD vendor can either sanitize the drives again or validate using a random sample that the drives were properly wiped. This “best” practice both lowers risk by removing the data early and provides a failsafe to protect against problems and errors.
Rembiesa said: “The good news is that the ‘best’ level of data-wiping security is obtainable for most companies and should be the ultimate goal. Some companies don’t store data that is innately sensitive and needs to be protected and maybe feel comfortable with a lower level of security. On the other hand, companies that store financial, health, or personal data are typically under strict regulation and must be particularly vigilant about protecting their data. In these cases, the ‘best’ level should be a requirement. Moving from the ‘good’ to only the ‘best’ level represents a substantial increase in security with minimal investment. Doing so means your data is at risk for months or years less and really covers a multitude of sins later in your process.”
For more information about best practices, go to http://itak.iaitam.org/data-wiping-best-practices-good-better-best/.
The International Association of Information Technology Asset Managers, Inc. (IAITAM) is the professional association for individuals and organizations involved in any aspect of IT Asset Management, Software Asset Management (SAM), Hardware Asset Management, Mobile Asset Management, IT Asset Disposition and the lifecycle processes supporting IT Asset Management in organizations of every size and industry across the globe. IAITAM certifications are the only IT Asset Management certifications that are recognized worldwide. For more information, visit www.iaitam.org, or the IAITAM mobile app on Google Play or the iTunes App Store.
Alex Frank, (703) 276-3264 or firstname.lastname@example.org.