WEEE compliance deadline - 'delete' doesn't mean 'deleted'
July 2007 date has implications for data deletion of discarded hard drives
The countdown to the July 2007 EU Waste Electrical and Electronics Equipment (WEEE) directive countdown has begun and organisations planning to recycle or donate used PCs must ensure confidential data is gone for good.
Research by Ontrack Data Recovery shows that only 18 per cent of IT professionals use data deletion products when discarding PCs. (You would think a data recovery expert would be pleased about this. Surely it makes its job easier.)
When the directive is activated organisations will come under scrutiny and could face damaging costs if they don’t have the necessary data erasure procedures in place. Obviously, if proper data deletion processes aren't in place then organisations risk exposing confidential information that remains on a hard drive when recycling or giving used computer equipment to charity.
There are two issues here. Firstly, organisations must ensure that their data is actually removed by using a product that is of a Government and Infosec security standard. Secondly, it is the responsibility of IT managers to educate departments across companies on the importance of data security and how to delete files so they cannot be retrieved. Only when all staff are committed to the processes will company confidential information be safe from harm through inadequate computer hard drive disposal processes.
Here is some advice to help protect an organisation's data:
1. Normal deletion of files is not enough
The “delete” button only updates a table that tells the operating system that the file has been deleted. Even though average users are not able to access the file, the entire contents of the file are still there, meaning anyone with a little technical knowledge could retrieve them if the computer fell into the wrong hands.
Many people believe that reformatting their drive will sufficiently delete all of the old data – that is not the case. As with deleting, the format button updates tables indicating that all files and catalogues have been deleted, but does not physically delete the data from the storage medium.
3. Overwriting with file shredding software
Common file deletion tools only erase certain files and certain partitions - not the entire hard disk. This is a common misconception for companies trying to delete old data. Using these tools, it is difficult to guarantee that all data has physically been overwritten. A user cannot control when and where data is saved on the media because the system may have saved the same contents at several different “temporary” sites. To ensure all data is overwritten, it is best to use software that guarantees data deletion specifically for that purpose.
4. Dealing with damaged media
Even if storage media is severely damaged, the information on it may still be accessible. It is possible to partially or fully retrieve data that is stored on a physically damaged storage medium. For situations where companies need to dispose of damaged media, they should use a degausser that can demagnetise the platters and completely erase the drive rendering it unusable.
5. Multiple solutions
There is a raft of solutions to consider and software leaders such as Microsoft have published privacy guidelines to help safeguard against data fraud. For any company looking to bring their deletion policies in line with Microsoft’s suggestions, it is imperative that they work with a professional vendor that offers multiple solutions. Using professional deletion software from a trusted provider and not just deletion tools helps ensure data security.
Naturally Ontrack Data Recovery has products that will ensure effective data deletion, and, naturally again, Ontrack is using the looming WEEE Directive activation date to accelerate sales of its products.
Its MD, Phil Bridge, said: “More and more companies are taking an ethical and admirable approach to used computer equipment through recycling or donations to schools and charities. However, some data security services don’t go far enough to delete confidential information that resides on the hard drive and that’s how data is getting into fraudsters’ hands. We’ve all heard stories of private information being retrieved from laptops abandoned in skips or bought on eBay, but there is no excuse for this. Consumers and IT managers have a range of cost-effective solutions to choose from, but the key to a guaranteed safeguard is ensuring the product has a Government standards accreditation.”
“As the WEEE Directive introduction date draws closer, companies are working closely with asset management and recycling companies. However, it’s still important for businesses to take responsibility for ensuring these services provide maximum protection.”
So divert a sysadmin from doing something operationally important and have him/her review all your computer storage media disposal processes. It's going to be a pain but it looks as if you will just have to bite the bullet and get it done.