posted 30 Jun 2009 in Volume 12 Issue 9
Navigating the data minefield
By Tony Dearsley and Tracey Stretton
The compliance obligations on firms to manage information responsibly are diverse and the consequences of failing to meet these could be very serious indeed.
Individuals and companies store their most important information on computers, personal digital assistants and other devices – even MP3 players. Virtually all communication and business is now conducted electronically and most companies have experienced a steep increase in the use of technology. Yet, when it comes to disposing of information or devices, it is often a case of ‘out of sight out of mind’.
It is clear that many organisations and individuals still do not have a full appreciation of the potential volume and type of information that is stored on computer hard disks.
Firms should also be aware of the fact that they could be acting illegally by not disposing of their data properly. Many companies are still labouring under the impression that pressing the delete key is the end of the matter and others believe that formatting a drive is even better. This is not the case.
Electronic evidence, especially e-mail evidence, can prove indispensable during civil litigation and in white-collar crime investigation – for example, allegations of insider trading, misappropriation of client assets, data theft, and fraud. Firms need to do more than simply delete the contents stored on a former employee’s machines.
Though certain circumstances may call for such measures, corporate data is increasingly being relied upon in litigation, and as we enter an increasingly litigious period, the demands for organisations to disclose data, be they from regulatory bodies such as the FSA or the OFT, are set to increase. Organisations that are unable to meet these requirements are immediately at a disadvantage – with serious financial implications including the risk of losing a case because vital evidence is missing, or facing court-imposed sanctions for failing to preserve or produce it. What’s more, firms can only effectively display sound compliance policy and practice if they have access to all related materials. Those that are able to assess compliance in advance of an official investigation can also take proactive steps to identify infringements and avoid sanctions.
Rather than merely wiping a hard drive, therefore, businesses will in many cases need to image its contents for storage. This can take anything between two and six hours to complete. If one assumes an average completion time of four hours, then imaging the drives of redundant computers in sectors facing widespread redundancies running into multiple thousands presents a logistical challenge. Clearly a rational and selective approach to the process of data decommissioning and evidence preservation, which is driven by policy and need, is required.
The real issue is: what should be done when these devices, containing such data, are due for disposal? In the corporate environment there is a duty of care in relation to the Data Protection Act and, of course, there is also the issue of sensitive company or government data and financial information, which may be subject to many regulations. It is essential in any business that there is a recognised and tested procedure to deal with the destruction and disposal of data and the need for a proper legal risk assessment. Often, disposal is part of a routine process dealt with by the IT department, and all too often there is a failure, not necessarily through a fault of that department itself, to recognise the value of a secure and complete destruction of data or indeed the risk of destroying evidence that should have been kept.
In high-risk situations where loss of data is suspected, where litigation is anticipated, and in relation to cases where computers hold sensitive business information, companies should be making forensic images of computer hard drives due to be decommissioned and then systematically removing remaining data with a program specifically designed for the task.
It is essential that confidential and sensitive data is removed from computers before disposal to avoid breaches of confidentiality or unauthorised gathering of information about user accounts and passwords. Using a data-erase program to wipe the hard drive clean is the first step to disposing of any sensitive information. CD-ROMs and DVDs should be shredded – there are many domestic shredders with this capability – and tapes should be completely overwritten. Hard drives should be securely wiped using a recognised software program and, if not being recycled, should be physically rendered unusable. Mobile devices should be securely wiped or, again, physically destroyed.
The entire process of decommissioning hardware inevitably puts added pressure on already strained resources and often at a time when corporate survival is at stake. The failure to do so effectively, though, can also have serious implications which, given the current economic environment, businesses cannot afford to face.
Tony Dearsley is computer forensics manager at Kroll Ontrack. Tracey Stretton is a legal consultant at the same firm. For more information visit www.kroll.com