When The Billion Dollar Hard Drive Grows Legs

Asset disposal is the hidden threat to data security for a company.

Before a company that you do business with can upgrade to new IT equipment, it has to get rid of its old equipment. And before they can get rid of their old equipment, they have to make sure all of your private information has been properly wiped from it. Simple enough, right?

Data security is a major issue and top of mind for both consumers and enterprises today. Companies face a huge challenge when disposing of old IT equipment — all sensitive data must be securely removed before recycling, reusing, or reselling. Most companies claim to wipe all of their customers’ important data before equipment is thrown away, recycled, or resold. And yet, approximately 50 percent of the time IT equipment still has sensitive data on it when it is disposed of — it walks right out of a major OEM or a company that specializes in the wiping process with costly private data still hidden deep within its system. It’s what I like to call the “billion dollar hard drive.”

In 2013, Affinity Health Plan agreed to pay a $1.2 million settlement to the Department of Health and Human Services after a failure to wipe multiple photocopier hard drives led to the leak of sensitive health information of nearly 350,000 patients. A computer at Loyola University that contained names, Social Security numbers and some financial aid information of 5,800 college students was disposed of before the hard drive was even wiped. In 2012, South Shore Hospital paid a $750,000 settlement when the hospital was charged with losing 473 unencrypted backup computer tapes containing the names, Social Security numbers, financial account numbers and medical diagnoses of 800,000 individuals. This occurred when the hospital shipped three boxes of the tapes off-site to be erased without informing the vendor that the tapes carried personal, protected information — or verifying that the company had proper safeguards in place to handle such information.

Usually stories of massive data breaches conjure up images of hackers in dark basements halfway around the world deploying code to steal information. However, much more often than most of us realize, sensitive data can be captured from the very equipment marked for disposal. Proper data sanitization goes far beyond pressing delete — it is crucial that companies adopt a specific, repeatable, and verifiable asset disposal process.

According to IBM’s Cost of Data Breach Study, the average combined total cost of a data breach is $3.8 million, representing a 23 percent increase since 2013. In addition, the average cost paid for each lost or stolen record containing sensitive and confidential information was $145 in 2014. So it’s not surprising that in the same year, Gartner predicted an 8 percent growth in spending toward data security as IT companies became more threat-aware. But companies are not yet threat-averse; this spending seldom addresses asset disposal.

The root of the problem is a breakdown in process. Companies in nearly every industry will be rushing to comply with policies regulating customer data, including HIPAA and HITECH, PCI, PII, PHI, FACTA, GLBA, NERC, FISMA, and Sarbanes-Oxley, or some combination thereof. With regulatory policies in place, the emphasis on a company having a solid asset disposal process in place becomes greater. Often, despite having seemingly thorough wipe policies in place, companies are not wiping equipment properly. In many cases, there may be a piece of equipment — something as seemingly benign as a photocopier — where they did not realize a hard drive had captured and stored sensitive data. Other examples of this scenario include IP telephony, ATMs and networking equipment.

Without a specific, controlled process in place to wipe all equipment and verify that it’s wiped properly, companies will continue to spend money to protect data while equipment is in use and overlook the dangerous implications of careless IT asset disposal.

Wiped data-containing devices: Records of overwritten and otherwise destroyed devices. These records must include the unique device serial number. Records should be provided for all software wipes of all functional devices, including the unique wipe report ID, system serial number, device serial number, and date and time.
Non-functional devices: Physical destruction records should be provided for non-functional, loose or data-containing devices removed from systems. These records should also include the parent system serial number (if applicable), device serial number, device manufacturer, and date and time destroyed.
Other processes: Records should be provided for data-containing devices on which data is overwritten or removed by a process other than software-enabled wiping. The record should include the device serial number, device type, device manufacturer, and date and time.
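
As an added illustration (not part of the original article or any vendor's tooling), the three record types above can be checked mechanically: the sketch below reconciles an inventory of data-bearing devices against disposal records and reports every device with no complete record. The key names, record type labels and sample data are assumptions made for this example.

```python
from datetime import datetime

# Required fields per record type, per the three categories above (key names are assumed).
REQUIRED = {
    "software_wipe": ["wipe_report_id", "system_serial", "device_serial", "timestamp"],
    "physical_destruction": ["device_serial", "manufacturer", "timestamp"],
    "other_process": ["device_serial", "device_type", "manufacturer", "timestamp"],
}

def record_problems(rec):
    """Return the reasons a disposal record is not acceptable evidence."""
    kind = rec.get("type")
    if kind not in REQUIRED:
        return [f"unknown record type {kind!r}"]
    problems = [f"missing {f}" for f in REQUIRED[kind] if not str(rec.get(f) or "").strip()]
    if rec.get("timestamp"):
        try:
            datetime.fromisoformat(rec["timestamp"])
        except (ValueError, TypeError):
            problems.append("timestamp is not a valid date and time")
    return problems

def audit(inventory, records):
    """Map each device serial to findings; an empty result means fully documented."""
    by_serial = {}
    for rec in records:
        by_serial.setdefault(str(rec.get("device_serial") or "").strip(), []).append(rec)
    findings = {}
    for serial in inventory:
        recs = by_serial.pop(serial, [])
        checked = [record_problems(r) for r in recs]
        if not recs:
            findings[serial] = ["no disposal record"]
        elif all(checked):  # no record for this device is complete
            findings[serial] = sorted({p for probs in checked for p in probs})
    for serial in by_serial:  # records that match no inventoried device
        findings[serial or "<blank serial>"] = ["record for device not in inventory"]
    return findings

# Constructed sample data: four data-bearing devices marked for disposal.
INVENTORY = ["HDD-0001", "HDD-0002", "COPIER-HDD-7", "TAPE-0473"]
RECORDS = [
    {"type": "software_wipe", "wipe_report_id": "WR-1001", "system_serial": "SYS-88",
     "device_serial": "HDD-0001", "timestamp": "2015-06-02T14:31:00"},
    {"type": "physical_destruction", "device_serial": "HDD-0002", "timestamp": "2015-06-02T15:05:00"},
    {"type": "other_process", "device_serial": "TAPE-0473", "device_type": "tape",
     "manufacturer": "ExampleCo", "timestamp": "last Tuesday"},
    {"type": "software_wipe", "wipe_report_id": "WR-1002", "system_serial": "SYS-89",
     "device_serial": "HDD-9999", "timestamp": "2015-06-03T09:00:00"},
]
```

Calling audit(INVENTORY, RECORDS) on this sample flags the copier drive that was never recorded, the destruction record with no manufacturer, the tape record with an unusable timestamp, and a wipe report whose serial matches nothing in inventory.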

Only a process this comprehensive can ensure that companies are not unwittingly putting their private data in dangerous hands when disposing of IT assets. With the explosion of data due to growth in mobility, IoT and social communication, it is imperative that companies ensure their data is completely wiped and destroyed on devices at end of life. Don’t let your billion dollar hard drive grow legs. Be sure you have documented accountability that every asset wiped is truly and completely clean – every step of the way to disposal.

James Kilkelly is the CEO of Apto Solutions.
