Data destruction requires more than just encryption

By Jeff Kelly, News Editor
03 Jun 2008 | SearchDataManagement.com

Most companies strive to analyze corporate data to improve the bottom line. But how many companies put the same time and effort into ensuring that corporate data is disposed of properly when it is no longer needed? Not nearly enough, according to a recent report from research firm Gartner Inc.

In 2006, for example, an American electronics retailer resold a returned hard drive with the original owner's data still stored on it. More recently, in February, U.K.-based Fitness First simply discarded customer data in a regular garbage bag and left it on a street corner to be collected. The bag was later found, not far from the gym, ripped open, and Fitness First now faces potential lawsuits by its members for violation of Britain's Data Protection Act.

These are particularly egregious cases, and most large and midsized organizations have formal data-destruction policies in place, usually including data encryption, according to Jay Heiser, an analyst with Stamford, Conn.-based Gartner and the report's co-author. But encrypting data before discarding it is often not enough, Heiser said, and companies should develop comprehensive data destruction plans to ensure that data is disposed of appropriately.

Failure to do so could prove costly. Violating the bevy of regulatory and compliance rules enacted over the last decade for handling corporate and personal data, including the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act, can result in expensive lawsuits. In addition, a data breach can cause serious damage to the corporate brand.

"If you want to keep your company's name out of the newspaper for data leaks, data destruction is something you've got to ensure is being done carefully," Heiser said. "Just because you put your head in the sand doesn't mean the data isn't leaking out of your organization."

Reuse, recycle or destroy

In this age of global warming and green computing, pressure is mounting on organizations to reuse or recycle their computer hardware when possible. Overwriting -- replacing one set of data with another while still allowing the original data to be recovered -- is one method, Heiser said. Overwriting capabilities are built into nearly all hard drives, he said, but they can still leave traces of sensitive data.

"The trouble with normal overwriting is that it's slow and it's not actually 100% reliable, and [very often the data] can be recovered by a specialist lab," he said. "Normal overwriting is like trying to erase an Etch-A-Sketch. There's always something left behind."

Secure Erase, a more effective form of overwriting, is a better option, Heiser said. Secure Erase capabilities have been built into hard drives since 2001, so they are not available on some older machines. "Secure Erase is a very fast, very secure form of overwriting that strongly resists any sort of laboratory, after-the-fact attempts to recover the data."

When reuse is not the goal, outright destruction of data sources -- rendering the data unreadable or otherwise useless -- is required. But destroying data sources is not as easy as it sounds, because hard drives and other magnetic media are extremely durable. "Data media usually contain large amounts of recoverable data, even after extensive impact, water or fire damage," Heiser writes in the report.

To destroy a data source adequately, organizations have two options, he said. The first is to expose magnetic data sources to a powerful magnetic field, obliterating any data they contain, a technique called degaussing. Degaussing requires specialized equipment, however, and is not suitable for nonmagnetic data sources like CDs and DVDs.

The second option is the old-fashioned approach: physically destroying data sources. Physically destroying small data sources like CDs and DVDs in-house with a cross-cut shredder is easy enough, Heiser said. But destroying larger devices, including computer hard drives, often must be carried out by an outside contractor, such as a "licensed metal smelter or incinerator facility." Companies should ask outside contractors to explain their destruction practices and to supply a certificate of destruction when the work is complete, he said.

Regardless of method, all companies should follow a life-cycle approach to IT risk management that explicitly plans for data destruction, Heiser said. To do otherwise could leave data and organizations at risk.
