February 3, 2009
I have always been an active proponent of disposing replacement or obsolete technology products in a regulated fashion. Of late, I have been promoting the notion of “Deleting Data does not Purge Data“.
It has been assumed by many that, simply “deleting” the files on a system gets rid of the contents on the drive. This is not the case as there is a very high possibility that this information will most likely still be recoverable.
This compromises the privacy of your data which could include passwords, personal information, classified documents from work etc. The classified nature of data could lead to legal consequences.
As per a recent article (Dumped hard drives tell all), most people tend to transfer desktops or laptops without disposing the data.
113 of 200 drives purchased on eBay as part of a security vendor’s study on disk sanitization still contained recoverable data, including data that in some cases appeared to be confidential or quite personal in nature.
We deal with highly classified data which might some times include data which could be confidential or quite personal in nature. Many a times our team downloads client database (with consent) over a secure connection. This data might contain Electronic Patient Health Information. This data must be protected from unauthorized disclosure in compliance with the requirements of HIPAA and other applicable state and federal privacy regulations.
When an employee terminates the employment usually the desktop or laptop is transferred to another person, department, or disposed of as surplus property. While this being done it is required to mandate “Disk Sanitization”.
There are two options to Sanitize a Disk:
Types of Secure Deletion Standards:
To successfully wipe a hard drive one must at least look for a utility which meets the DoD 5220.22-M ( 3 pass).
Some Open Source Products which perform software disk wiping include:
Aging compute hard drives and other storage media are always at a risk for compromising data. Anyone making any claims that the potential costs associated with aging computer hardware is limited has not done the research.
I can only hope that everyone learns from experience that using appropriate data destruction mechanisms will prove a real bargain in the long run!