Data has been growing phenomenally fast and it’s hard to manage and secure. That’s becoming common and passé, with big numbers thrown around to push the growth story of data. Nearly every proactive policymaker around the world today is weaving a framework for responsible regulation of data. And, businesses in the purview of the likes of HIPPA, SOX, and the formidable GDPR, have pulled up their socks to fall in line with the rules.
What sticks out [urgently] in this narrative is the proliferation of storage devices and the new threat scenarios that emerge out of the enormous data stored on these devices. As per Statista, roughly 375MN hard drives and 235MN solid state drives were shipped worldwide in 2018 alone. Further, around 260MN PCs were shipped globally in 2018!
Topping this prodigious growth in storage size is the shrinking lifespan of individual devices and ownership, meaning, a massive number of devices are changing hands; more number of devices are being shown the door to secondary transactions viz. resell, exchange, reallocate, recycle, and donate, etc.
These two key developments – growth of devices and their accelerated transition to second hand ownership or end of life – define a ‘new’ responsibility for every device owner; and that is, how to ensure data privacy and security while disposing of the many used devices that are flush with data?
In the commercial context, management of used devices puts a tremendous onus (and pressure) on IT Asset Managers (ITAMs). The need for secure disposal of used devices, in line with prevalent data privacy mandates, has stretched the ITAM rigor for surveillance, decision making, and bookkeeping to the tail end of media assets.
But, surprisingly, the general awareness of residual data threats is low in contrast with the burgeoning ‘used devices’ realm and the obligations it entails, as ascertained by a recent lab investigation of second hand devices, conducted by Stellar® in 2019. The study outlines the ‘residual data’ threat landscape, with several key findings that hold currency in the global data privacy context.
Before jumping onto the findings of the study, here’s a quick glance into a few practical risk scenarios that emerge with disposal of used/old IT assets:
- An organization may hand over old hardware assets to an ITAD vendor without due diligence of capability, practice, and track record. This might lead to breach of sensitive data on account of lapse in the ITAD’s data destruction and e-waste management process. Agbogbloshie in Ghana – one of the world’s largest e-wasteland – has reportedly been the epicenter of organized cybercrimes by way of salvaging sensitive data from inadequately sanitized hard drives that are put up on the open market for as low as $35. PBS.org had reported that one such ‘salvaged’ hard drive that came from a large military contractor turned out to have sensitive information on multi-million US government contracts.
- IT asset management team in a company may simply format the old hard disk drives and laptops in a bid to remove data before selling off the assets to the highest bidding vendor. The vendor company may refurbish the hardware and put it on sale, without due sanitization. This may land the devices with shady ‘data brokers’ who would extract and misuse the residual data with data recovery tools. This scene can be replayed for rented devices which may be returned after plain formatting, while the owner of the data remains oblivious of the residual data which still exists within the media and might be extracted.
Stellar® Second Hand Device Study: Approach and Key Findings
The study investigated the world’s largest known sample of 311 used devices comprising hard drives, mobile phones, and memory cards. These used devices were procured from businesses and individual users directly or via resellers based in multiple locations.
The goal of the study was to determine presence of residual data in used devices and thereby the general awareness (and risks) concerning disposal of used devices. The data found on the devices was completely anonymized and placed into wide categories and generalities to derive indicative findings. The research was conducted based on NAID® Second Hand Device Study principles and in compliance with global data privacy standards and practices.
The investigation found that 7 in 10 used devices had residual data, and were therefore at risk of PII and personal data leakage.
The study revealed that a wide variety of sensitive personal and business information was present on most of these used devices. About 46% (or 69 out of 151) of the total hard drives analyzed had personal photos, videos, national identity cards, income tax records, driving license, banking details, login credentials, sales deeds, invoices, partnership agreements, etc.
Similarly, 6 out of 10 mobile phones were found with contact numbers, call recordings, photos, identification cards, and banking information. Total 98% (or 147 out of 150) memory cards contained visa and passport copies, and photos, etc.
In the Eye of the Residual Data Storm
In light of the empirical findings of the study, it’s clear that unsecure disposal of inadequately sanitized media poses an immense risk of residual data breach. Leakage of PII, personal information, intellectual property, trade secrets, confidential reports, and other sensitive information can result in identity theft, misattribution, financial loss, brand damage, customer loss, and litigation.
Violation of data protection regulations such as HIPPA could result in fines of up to $50,000 per violation for willful neglect, with maximum USD1.5 MN per year for violations of an identical provision. Likewise, non-compliance with EU-GDPR in 2019 could result in fines of up to 4% of annual global turnover or €20 million – whichever is greater!
Considering the world sees a constant flux of devices – as offshore installed IT infrastructure and e-waste¬ shipments – the residual data threats emerging in any region of the world can have global implications.
Gaining a deeper appreciation of residual data threats and steadfast rigor are key imperatives for secure disposal of used devices. IT asset management community needs to exercise more caution with removal of hardware assets. It’s an ethical and legal obligation for every device owner to make informed decisions and spread awareness that simply deleting files or formatting media does not wipe the data.
File deletion tools are designed to free up storage space when files are no longer needed. They do not erase data. Similarly, the purpose of a drive formatting utility or software is to prepare a storage media for fresh use. The data is not necessarily or always wiped from the media after formatting.
Residual data can be potentially extracted from any formatted (and even physically damaged) media by using a data recovery software or service. So, it’s crucial to adequately sanitize the used device before disposing it through a reputed ITAD vendor or by running a certified data erasure software on-premises.
Data Erasure – Making of the “Super” ITAM
ITAMs can sanitize media internally by using data erasure tools or outsource the job to a professional ITAD services agency.s The ITAD route is more common for various reasons viz. hardware asset disposal is a specialized job, it requires infrastructure and capacity, may offer more choices for sanitization, and is already an established line of service for managing used or end-of-life assets.
However, in contrast to the sea of choices with ITADs, there are a few objective arguments in favor of ‘Data Erasure’ software as a key enabler for ITAMs, namely
- On-premises media sanitization: Data erasure software enables ITAMs to sanitize their storage media on-premises, which is a powerful proposition to enforce the data security protocols for regulatory compliance. Use of data erasure software is an emerging practice in the media sanitization realm, which complements the prevalent media sanitization practices such as shredding, degaussing (which doesn’t work on SSDs) and the likes. Data erasure ensures foolproof data security, regardless of the physical state and circumstances of a storage media in the chain of custody.
- Secure data destruction with strong regulatory compliance: Modern data erasure software sanitizes media effectively and in line with global erasure standards. This helps organizations attain compliance with data security and privacy regulations such as SOX, GLB, HIPAA, ISO27001, EU-GDPR, and PCI-DSS. Further, data erasure software generates automated erasure reports and certificates that are tamper-proof and therefore serve as trusted audit trails at any given point in time.
- Reduces TCO, Ecofriendly, and Socially Responsible: Data erasure software allows the erased devices to be reused, reallocated, or donated. So, it helps bring down the Total Cost of Ownership for storage hardware, while drastically reducing e-waste generation and contributing to social empowerment.
Clearly, data erasure software would make a relevant solution to fill the white spaces in media sanitization and complement the status quo, so as to empower ITAMs for their evolved needs and roles.
To sum up, data erasure software is available on-premises, reduces TCO, drives compliance, simpler, and eco-friendly. All the ingredients needed for the making of a super ITAM!
Statista records for HDD,SSD, and PC shipments:
PBS story on data theft in Ghana e-wasteland: