The proposed Data Protection Law will define more clearly how private and confidential data has to be handled. However, even without the law, government organisations and businesses should be aware of how to manage and dispose of sensitive data properly.
A report by the complaints commissioner’s office in 2009 found that unfamiliarity with modern technology and careless disposal of computers, smartphones, photocopiers and removable jump drives left the government open to potential security threats. In some cases documented by the report, donated computers still contained confidential files and correspondence; in a separate case, government computers that had not been wiped were found in the dump.
Since then, government policies have been created that prescribe how magnetic media must be treated when they are no longer in use. However, private organisations should be equally concerned, not only about data that is proprietary to the company but also about client data, which should remain confidential at all times.
Many organisations are not aware that when data is deleted using software, such as the delete function in Windows, it is in many cases still available. When an operating system deletes a file, it simply marks the space on the hard drive occupied by the file as free space. The file's contents remain on the drive, but new data can now be written on top of them.
Both Windows itself and widely available software can be used to restore deleted files, even from wiped or unbootable hard drives.
Anyone who is serious about protecting data should think about how to remove the data from devices that are no longer used, says Morlon Gilbert, owner of Data Destroyers, a company that specialises in the destruction of magnetic media such as hard drives and magnetic back-up tapes. He says the data protection focus of many companies is still on paper. “But you have to think past the paper and remember that the information lives a lot longer on hard drives and other magnetic media.”
Common practice on island, he says, is to simply drill a hole in hard drives to destroy them, but this is not only dangerous, as an electric power source is put through a magnetic device, it also does not get rid of all the data. “The data is still available around the holes and there is software out there to access that data still on the disk,” says Gilbert.
Businesses like Data Destroyers instead use a degausser, a device that creates a magnetic field stronger than the one that holds the data together, so that the data is scrambled beyond recovery. In order to be successful, the magnetic field strength of the degausser must exceed the coercivity ratings of the magnetic media, measured in Gauss or Oersted. Various organisations in the United States, such as the National Institute of Standards and Technology, certify whether a degausser is fit for a specific purpose.
“Our focus is on hard drives and back-up tapes, server hard drives, PC hard drives, LTO back up, basically any type of magnetic media that fits in the gate, it will degauss that,” he says.
Best practice is then to also physically destroy the magnetic media with a crusher. Because of the sensitivity of company data, the destruction should take place on the premises of the organisation, where a witness can be present. For audit purposes, Data Destroyers then certifies the items that were destroyed, the type of degausser used and the organisation that certified the degausser.
Hard drives that no longer boot up should also be treated in this way to dispose of the data properly. “Even if a hard drive does not power up, you can easily take the spindles and recreate the drive by putting them in a new drive and access the data that way,” Gilbert says.
He also warns of the common practice of donating old laptops and desktop computers without properly wiping the data. “Hackers now are looking at getting those machines from places like charities and getting information off the hard drives.”
For companies that want to donate their computers to charity, he recommends that they destroy the hard drive and install a new one into the machines they want to donate, a service the company provides. “We can order the hard drives, install them into the machines and do a basic installation of an operating system such as Windows XP or Windows 7.”