									Computer Disposal Options

          Presented by:
          Joseph Bozic
        President, dataXile Corp.
      Board Member, NAID-Canada
Facts about dataXile Corp:
– A leading electronic data destruction company
– Established in 2005
– Toronto based
– Diverse clientele
– On site and off site services
– NAID member since 2005
            Presentation Goals
• Raise awareness on the perils of neglecting secure
  electronic information destruction.

• Identify the challenges associated with secure electronic
  data destruction.

• Clarify secure options for electronic data destruction.
Is secure electronic data destruction really an issue to be concerned about?

You be the judge.
•   Backup tapes containing 77,000 medical files detailing patient HIV
    status and mental illness history are publicly auctioned in British
    Columbia; government launches probe (Canadian Press, March 6,
•   U.K. banking details are sold to fraudsters in Nigeria for the purpose
    of identity theft (BBC News, August 14, 2006)
•   Leading electronics retailer fails to destroy hard drive with
    confidential data despite assurances it would do so.
    (, June 5, 2006)
•   Computers belonging to the state of Kansas that were slated for
    public sale contained confidential data (The Capital-Journal, June
    19, 2008)
•   Audit shows 40% of government computers sold with sensitive
    information on them (The West Australian, March 20, 2008)
A Canadian study conducted in 2006/2007
concluded the following:

•  It was possible to recover personal information from 65% of the
   drives they examined
• 8% of the drives they examined contained personal health
   information about the owners of the drive
• 10% of the drives they examined contained personal health
   information about people other than the owners of the drive.
(Children’s Hospital of Eastern Ontario Research Institute )
• New reports, literally every day, from across North
  America highlight that sensitive data is being
  compromised due to poor disposal practices.
• The reported incidents are just the tip of the iceberg.
• This is so easy to prevent, yet so common.


Too few people pay attention to the end of the information lifecycle.
Information is only as secure as the weakest link in its lifecycle.

All efforts to protect information during its useful life are undermined if
      little care or attention is paid to its destruction and disposal.
Implications of unsafe destruction:

• Security breach of sensitive business
• Breach of personal customer information
• Negative publicity and public embarrassment
• Aiding and abetting identity theft
• Loss of customers or clients
• Damaged reputation
• Potential investigation by privacy commissioners
The Legislative Landscape is Changing
Canadian firms have legal obligations to
destroy data under numerous federal and
provincial acts. Examples include:

•   PIPEDA – Federal
•   PHIPA – Ontario
•   PIPA – Alberta
•   PIPA – British Columbia
             PHIPA Violation in Toronto

Recycling is not a substitute for information destruction.
Organizations with business interests in the
U.S. may be subject to American legislation.

• Sarbanes-Oxley Act (SOX)
• The Fair and Accurate Credit Transactions
  Act (FACTA)
• Gramm-Leach-Bliley Act (GLBA)
• The Patriot Act
Legislation is becoming more strict
• PIPEDA is currently under review
  – Breach notification is a likely change
  – Information destruction requirements are also
    likely to increase
• NAID has been working closely with
  government offices to help form policy
  – Failure to destroy data at the end of its
    lifecycle is likely to have serious consequences
    What kind of data is stored on electronic media?
•   Financial data
•   Health information
•   Sensitive company information
•   Client information
•   Payroll information
•   Personal information
•   Credit card data
•   Photographs

      Chances are you don’t know exactly what information is
                    stored on your hard drive.
Electronic data destruction can be challenging
 – Electronic media stores huge quantities of data.
 – Electronic storage media takes on many forms.
– Physical destruction is tougher to carry out.
– Electronic methods require expertise.
– Electronic methods require time.
– Electronic methods can be expensive.
– Numerous options for disposal and
  destruction can create confusion.
– Environmental issues are a major concern.
Electronic Data Destruction Techniques
     What are appropriate techniques?
          Who can be believed?
Wiping Hard Drives

Pros
• Drives can be reused, extending the life of the assets
• Considered a “reasonable” measure in most scenarios
• Large number of available products makes wiping an easily accessible solution

Cons
• Automated audit trail may not be possible depending on tools used
• Could be expensive
• Could be time consuming
• Quality of available products ranges significantly
• Reallocated hard drives that have been wiped could potentially be traced back to original owner
Degaussing Hard Drives

Pros
• Degaussers can be used for tapes as well as hard drives
• A one-time investment

Cons
• Not always reliable
• Could be expensive
• Could be time consuming
• Quality of available products ranges significantly
• Drives are inoperable but not
Secure Erase Methods

Pros
• Extremely secure
• Faster than traditional data wiping
• Drives can be reused
• Usually auditable

Cons
• Potentially expensive
• Time consuming
• Drives are not physically destroyed
Physical Destruction

Pros
• Extremely secure
• Visual proof of
• Economical solution
• Execution is quick
• Destroyed hard drives cannot be reallocated
• Environmentally friendly

Cons
• Drives cannot be reused
• Not always feasible for on site requirements
• Vendors tend to focus on large clientele
To Outsource or Not to Outsource?
In house data destruction can be expensive

•   Poor allocation of resources
•   Apathy could haunt you later
•   Insiders are a potential threat
•   It’s often more expensive than first thought
Choose your vendor carefully
•   Charities are a potential security risk
•   Recyclers are a potential security risk
•   Monitor the chain of custody
•   Look for NAID Certification
•   Ask for references
•   Ask questions
•   Treat the requirement seriously
“When it comes to the disposal of personal information, recycling is
            not acceptable as an option for disposal.”

“Let there be no mistake – recycling does not equal secure disposal.”

                Fact Sheet: Secure Destruction of Personal Information,
                Information and Privacy Commissioner of Ontario
Electronic data destruction tips
   – Limit what you collect.
   – Use encryption technology when possible.
   – Sanitize data with reputable products prior to disposal.
   – Be wary of degaussing hard drives.
   – Consider physical destruction whenever possible.
   – Outsource requirements to NAID certified members whenever
   – Request inventory list of assets sanitized/destroyed.
   – Be wary of outsourcing requirements to various recyclers and

       Recycling is not a substitute for secure data destruction.
The Environmental Impact
E-Waste is a potential environmental hazard

• North America has a poor track record of
  taking care of its e-waste
• Exporting e-waste is a violation of law
• Exported waste could haunt you later on
• Exported e-waste often contaminates the
Proper e-waste disposal is garnering attention

• Media attention is increasing
• Governments are taking responsibility and
• Take-back initiatives address environmental
• Data security is usually an afterthought
• Data security is still the owner’s responsibility
The chain of custody for exported e-waste is
extremely difficult to track.

Data security is often the forgotten element
when discussing the exportation of e-waste.
        Thank You

        Joseph Bozic
  President, dataXile Corp.
