Where And How Do You Dispose Of Your Computers, CDs, USB Drives, Etc.?

In the past few years I’ve performed over 100 information security and privacy program reviews for the vendors and business partners of my clients, and I have often found these contracted organizations have lax to non-existent to outragiously irresponsible computer and electronic storage device disposal practices. One of the “information security” policies for one of the vendors actually directed their personnel to try to sell their old computers and storage devices on e-Bay or other online sites in order to recoup some of the costs…this was in their “Information Disposal Security Policy”! It had absolutely no mention of removing the data before trying to sell the devices; the main intent was to recoup as much of the investment as possible.
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime“…


—————————————–

Disposal of Electronic Storage Devices
Many organizations still do not have any procedures in place to dispose of electronic storage devices. During a recent informal survey, I found this to be especially true with small and medium-sized businesses. Considering this, it is no surprise that privacy breaches resulting from information found on the wide range of storage devices, such as USB thumb drives, DVDs, CDs, tapes, and so on, continue to be commonly reported.
In 2006, it was widely reported that Simson Garfinkel, a postdoctoral fellow at Harvard University’s Center for Research on Computation and Society, bought more than 1000 hard drives on eBay, looked at the data on them, and found a large amount of PII and sensitive information, such as data from an automated teller machine (ATM), 31,000 credit card numbers from a medical center, a supermarket credit card processor, travel plans, credit card numbers and ticket numbers from a travel agency, consumer credit applications, work histories, and Social Security numbers, just to name a few.
Electronic information can be destroyed in many ways, some more reliable than others. Some of these destruction methods include:

  • Overwriting (also known as wiping)
  • Low-level formatting
  • Physical destruction
  • Degaussing

Sometimes physical destruction of small storage devices is the most efficient, effective, and inexpensive way to irreversibly remove data. However, if you do not want to get out the sledgehammer, want to ensure the data on the storage media is irreversibly removed, and do not plan to re-use the storage media, then degaussing is often considered the best option if it is possible for the storage media you use.
I recently created a degaussing FAQ; see it at http://www.privacyguidance.com/files/informationdisposaldegausserFAQ.pdf.
Effectively and creatively communicate, on an ongoing basis, what the disposal policies, procedures, and corporate-approved tools are for the disposal of electronic storage devices.

—————————————–

Tags: , , , , , , , , , , ,

Leave a Reply