“Yesterday, all my troubles seemed so far away, now it looks like they are here to stay…”
These instantly recognisable lyrics could well have been written for the merchant bankers whose asset management department sold a used computer containing no fewer than 108 files relating to Sir Paul McCartney’s private finances.
The bankers had quite simply failed to erase the computer’s hard drive, which, in addition to retaining the details of the legendary songwriter, also contained sensitive information about the Cancer Research Campaign, a large charity for the blind, and a prominent duchess.
No doubt there were effusive and unreserved apologies from the company and cast-iron promises to review its asset disposal procedures.
Too little, too late.
Failure to carry out full data erasure amounts to gross commercial neglect
Companies have a duty to all of their customers not to pass on confidential information. Under the Data Protection Act 1998 it is a criminal offence for any organisation to allow the unauthorised disclosure of customers’ personal data; companies are contractually obliged to wipe all data off any device that can store sensitive information before it is sold on.
Yet the problem of unprofessional data erasure still exists.
With the advent of smartphones, laptops and tablet computers, the challenge has been magnified tenfold; yet there are still tens of millions of second-hand devices for sale on commercial markets, many with commercially sensitive data still contained on their hard drives.
All asset management solutions must include a data erasure programme to ensure data doesn’t fall into the wrong hands
It isn’t enough to simply delete or reformat files, as this only removes the tag pointing to the location of the data, which can then be easily retrieved. Similarly, encryption may be an effective deterrent, but it isn’t an accepted industry standard because, even though it is in derivative form, the information still exists.
Companies that consider doing the work in-house should add up the time required to locate all the IT equipment, set up the process, perform the erasure and document it all – and decide in the meantime who will run the IT department.
Data erasure is a time-consuming exercise that is best left to the professionals. A comprehensive data erasure programme starts with an initial site survey that provides a detailed report of every single piece of IT equipment that is capable of storing data. This is followed by a risk assessment of all the assets under scrutiny, together with a list of recommendations and technical requirements to cover every possibility.
The erasure process must permanently remove all data and include a detailed report of the data erasure procedure to ensure it complies with regulatory and legal auditing requirements; furthermore, in order to be awarded the necessary certification, it must be tamper-proof and deliver a full audit trail.
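To make the difference between deleting and erasing concrete, and to show what a verifiable erasure record can look like, here is an added example that is not taken from any vendor's product. It assumes a tiny simulated drive image with a constructed directory entry and file content, and a hypothetical report format chained with HMAC-SHA256; all function and field names are illustrative.

```python
import hashlib, hmac, json

SECTOR = 512  # bytes per sector in the simulated drive image

def build_sample_image() -> bytearray:
    """Constructed 8-sector image: a directory entry in sector 0, file data in sector 3."""
    image = bytearray(8 * SECTOR)
    image[0:32] = b"ACCOUNTS.TXT".ljust(24) + (3).to_bytes(4, "little") + (20).to_bytes(4, "little")
    image[3 * SECTOR:3 * SECTOR + 20] = b"constructed-secret-1"
    return image

def quick_delete(image: bytearray, entry_offset: int = 0) -> None:
    """What 'delete' does: clear the 32-byte entry that points at the data, nothing else."""
    image[entry_offset:entry_offset + 32] = bytes(32)

def overwrite(image: bytearray, pattern: int = 0x00) -> None:
    """Erasure pass: write the pattern over every addressable sector."""
    for off in range(0, len(image), SECTOR):
        image[off:off + SECTOR] = bytes([pattern]) * SECTOR

def residual_sectors(image: bytearray, pattern: int = 0x00) -> list:
    """Verification pass: sector numbers that still hold anything but the pattern."""
    expected = bytes([pattern]) * SECTOR
    return [off // SECTOR for off in range(0, len(image), SECTOR)
            if image[off:off + SECTOR] != expected]

def _mac(body: dict, key: bytes) -> str:
    # Canonical JSON (sorted keys) so the same record always produces the same MAC.
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def erasure_report(asset_id: str, image: bytearray, key: bytes, prev_mac: str = "") -> dict:
    """Audit record chained to the previous record's MAC, so a later edit breaks verification."""
    residual = residual_sectors(image)
    body = {"asset": asset_id, "sectors": len(image) // SECTOR,
            "residual": residual, "verified": not residual, "prev": prev_mac}
    return {**body, "mac": _mac(body, key)}

def report_valid(report: dict, key: bytes) -> bool:
    """Recompute the MAC over everything except the MAC field and compare in constant time."""
    body = {k: v for k, v in report.items() if k != "mac"}
    return hmac.compare_digest(_mac(body, key), report["mac"])
```

On a real asset the image would be the raw block device rather than a byte array, and flash media with wear levelling need the drive's own sanitize command, because a logical overwrite cannot reach remapped blocks.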
Every piece of IT equipment must be put through a comprehensive data erasure programme as an integral part of an asset management solutions offering.
Let it be…