Dispose of IT Equipment Without Sharing Secrets

The threat of data loss, coupled with increasingly stringent environmental regulations, has IT pros rethinking their disposal methods for computer gear.

Getting rid of obsolete IT gear isn’t as simple as it used to be. The threat of data loss, coupled with increasingly stringent environmental regulations, has IT pros rethinking their disposal methods.

"In the past, electronic equipment disposal was more of an asset-accounting issue, handled by the financial group. Now we track computing equipment from cradle to grave, recording the final disposition and using checklists to assure that data was appropriately removed," said James Kritcher, vice president of IT at White Electronic Designs in Phoenix.

It’s about time, analysts say. According to research from IDC, Gartner and the National Safety Council, about 1 billion computers will become potential scrap between now and 2010, and 150 million obsolete PCs are currently sitting in warehouses, storerooms and closets.

"I have yet to visit an end-user IT organization without the infamous IT closet full of aging equipment that probably holds critical data. But removing that data is still not seen as a pressing business issue," said Joe Pucciarelli, a research director at IDC. "Anyone relying on ignorance of the threat as a business strategy will be unpleasantly surprised."

It’s entirely possible that someone could salvage and steal data from computing equipment that is improperly disposed of, Pucciarelli said. "Five or 10 years ago the risk might not have been as high, and network executives certainly weren’t aware of it," he said. "Today a company could be considered negligent if it isn’t aware of the risk of old equipment becoming compromised. The bad guys will figure out how to get through the holes and compromise corporate data."

If that happens, companies stand to lose millions. A 2006 study by the Ponemon Institute found data breaches cost companies an average of $182 per compromised record, a 31 percent increase over 2005. According to the Privacy Rights Clearinghouse, more than 330 data loss incidents involving more than 93 million individual records have occurred since February 2005.

While most IT experts are doing all they can to safeguard active systems against such breaches, they need to be equally diligent about protecting inactive equipment from prying eyes.

A data loss along the lines of what happened at University of California at Los Angeles, where a breach exposed 800,000 records, "would be crippling for us," said Chris Holbert, COO and CIO at LaunchPad Communications in Los Angeles. "Corporate intellectual property needs to be guarded. Even if it is mundane or seems outdated, it is critical and we need to ensure no unauthorized parties gain access to that company data—even after its end of life."

Businesses also face the threat of fines from government agencies if their equipment turns up in illegal dumping sites. While laws vary among the U.S. states, the federal Environmental Protection Agency’s Resource Conservation and Recovery Act provides guidelines for both businesses and equipment makers in reference to reuse, recycling, donating and disposing of computer equipment.

Computing equipment can contain toxic or hazardous materials such as lead, mercury, cadmium and chromium. According to U.S. government researchers, 500 million computers contain some 6.32 billion pounds of plastics and more than 1.5 billion pounds of lead.

To help tackle the disposal problem, vendors such as Dell, HP Financial Services and IBM have come up with asset recovery and recycling services designed to help companies get the most of old equipment, ease the recycling process and mitigate the risks of illegal dumping.

According to HP, as much as 90 percent of IT equipment can be resold if it’s processed promptly after coming offline, but every day it sits in a storeroom, the value drops and the likelihood of a theft or a security intrusion increases. Separately, IBM reports that with recycling and reuse options, just 2 percent of the equipment that is processed through its Asset Recovery Solutions business ends up in landfills.

One IT executive who wished to remain anonymous said HP’s recycling services help ensure his company doesn’t suffer a public incident, while also following an environmentally friendly approach.

"We want to keep ourselves out of landfills and out of the papers if God forbid something happened," said the head of PC infrastructure and architecture at a financial services firm. "We are buying HP equipment and sending it back, so it’s not a big financial win; costs are flat. But we like the idea that the next wave of our equipment might be made partly of recycled materials."

Scrubbing systems clean

To ensure data is entirely removed and equipment disposed of lawfully, Kritcher said, his organization revamped its processes and started working with Dell for equipment recycling services several months ago, following a string of news about other company data breaches.

"The last thing you want is to have your discarded electronic equipment sitting in a landfill with your asset tags—regardless of how they got there. Even worse, there could be recoverable data on the drives," he said.

Also, because White Electronic Designs is a contractor with the Department of Defense, it must adhere to stringent confidentiality rules. IT staff routinely erase all data from desktops, laptops and servers, for instance, using software tools or by physically destroying the media.

"We sanitize the drives and when we have 10 or more units, we send them to Dell for disposal," Kritcher explained. "We receive reports of the items recycled, which can then be reconciled to our records for an airtight audit."
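The reconciliation Kritcher describes, matching the recycler's report of processed items back to the organization's own disposal records, can be automated so that every unit sent out is accounted for. The script below is an added illustration, not White Electronic Designs' or Dell's own tooling; the asset log, the recycler report, their column names and all serial numbers in it are constructed sample data.

```python
import csv
import io

# Constructed sample disposal log (not from the article): what the organization
# recorded before a batch left the building. wipe_verified is the checklist sign-off.
ASSET_LOG = """asset_tag,serial,device,wipe_verified,batch
TAG-0101,SN-A1,desktop,yes,batch-01
TAG-0102,SN-A2,laptop,yes,batch-01
TAG-0103,SN-A3,server,no,batch-01
TAG-0104,SN-A4,desktop,yes,batch-01
"""

# Constructed sample recycler report: the items the vendor says it processed.
RECYCLER_REPORT = """serial,disposition
SN-A1,recycled
SN-A2,resold
SN-A4,recycled
SN-A9,recycled
"""


def reconcile(asset_csv: str, report_csv: str) -> dict:
    """Compare our disposal log against the recycler's report, keyed by serial.

    Returns the findings an auditor cares about:
      unaccounted     - we shipped it, the recycler never reported it (possible loss)
      unknown_to_us   - the recycler reports a serial we have no record of (mislabelled
                        batch, or someone else's gear billed to us)
      shipped_unwiped - left the building without a verified wipe on the checklist
      matched         - serials present on both sides
      airtight        - True only when none of the three exception lists has entries
    """
    assets = {row["serial"]: row for row in csv.DictReader(io.StringIO(asset_csv))}
    reported = {row["serial"]: row["disposition"]
                for row in csv.DictReader(io.StringIO(report_csv))}

    findings = {
        "unaccounted": sorted(s for s in assets if s not in reported),
        "unknown_to_us": sorted(s for s in reported if s not in assets),
        "shipped_unwiped": sorted(s for s, a in assets.items()
                                  if a["wipe_verified"].strip().lower() != "yes"),
        "matched": sorted(s for s in assets if s in reported),
    }
    findings["airtight"] = not (findings["unaccounted"]
                                or findings["unknown_to_us"]
                                or findings["shipped_unwiped"])
    return findings


if __name__ == "__main__":
    for key, value in reconcile(ASSET_LOG, RECYCLER_REPORT).items():
        print(f"{key:16} {value}")
```

With the constructed data the batch is not airtight: SN-A3 was logged with no verified wipe and never appears in the recycler's report, and SN-A9 is reported back although it was never ours. Each of those is a separate question to raise with the vendor before the batch is closed in the asset register.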

Kritcher’s staff uses DataEraser from Ontrack Data Recovery for overwriting disks. It’s one of a handful of products—including Stellar Wipe Data Eraser Utility, KillDisk, Shred-it and the freeware application Eraser—that wipe information from hard drives by degaussing (neutralizing the magnetic field) and using patterns to eliminate data files in different directories.

At White Electronic Designs, IT staff boot DataEraser from a CD or floppy. Once executed, the program performs a degaussing process by flipping each magnetic domain on the disk back and forth "as much as possible without writing the same pattern twice in a row," Kritcher said. A minimum of three passes is required to "overwrite all addressable locations with a character, its complement and then a random character." He said the process can take from one to three hours, depending on the speed of the computing device.
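The three-pass scheme Kritcher quotes (a fixed character, its complement, then random data over every addressable location) is easy to see in miniature. The script below is an added example written for this page, not DataEraser's or Ontrack's code: it runs the three passes over a file-backed image standing in for a drive, reads the image back after each pass to confirm the pattern actually landed, and finally checks that a known secret is gone. The 0x55 pass character, the chunk size and the sample secret are constructed choices. Overwriting a file through a filesystem does not reach remapped sectors, wear-levelled flash cells or copies the OS keeps elsewhere, which is why a real tool runs against the whole device from boot media, as the article describes.

```python
import os
import secrets
import tempfile

PASS_CHAR = 0x55            # constructed fixed character; its complement is 0xAA
CHUNK = 1 << 16             # write/read in 64 KiB chunks


def _readback_uniform(f, size: int):
    """Read the image back; return the byte value if every byte is identical, else None.
    Used after each pass to verify the pattern was really written."""
    f.seek(0)
    seen = set()
    remaining = size
    while remaining > 0:
        chunk = f.read(min(CHUNK, remaining))
        if not chunk:
            break
        seen.update(chunk)          # bytes iterate as ints
        if len(seen) > 1:
            return None
        remaining -= len(chunk)
    return next(iter(seen)) if seen else None


def overwrite_passes(path: str) -> list:
    """Three-pass overwrite of a file-backed image: character, complement, random.
    Returns [(pass_label, verified_uniform_byte_or_None), ...] in pass order."""
    size = os.path.getsize(path)
    patterns = [
        ("character", lambda n: bytes([PASS_CHAR]) * n),
        ("complement", lambda n: bytes([PASS_CHAR ^ 0xFF]) * n),
        ("random", lambda n: secrets.token_bytes(n)),
    ]
    summary = []
    with open(path, "r+b", buffering=0) as f:
        for label, gen in patterns:
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                f.write(gen(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())    # force the pass to the device before reading back
            summary.append((label, _readback_uniform(f, size)))
    return summary


def verify_no_trace(path: str, secret: bytes) -> bool:
    """True if the secret byte string no longer appears anywhere in the image."""
    with open(path, "rb") as f:
        return secret not in f.read()


def sanitize_demo(secret: bytes = b"ACCOUNT-4111-1111-1111-1111") -> dict:
    """Constructed end-to-end run: plant a secret in a temp image, wipe it, report checks."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret * 4096)    # roughly 100 KiB of repeated "sensitive" data
        path = tmp.name
    try:
        summary = overwrite_passes(path)
        absent = verify_no_trace(path, secret)
    finally:
        os.unlink(path)
    return {"passes": summary, "secret_absent": absent}


if __name__ == "__main__":
    result = sanitize_demo()
    for label, byte in result["passes"]:
        print(f"pass {label:10} readback: {'uniform 0x%02X' % byte if byte is not None else 'mixed'}")
    print("secret absent after wipe:", result["secret_absent"])
```

The read-back after each pass is the part worth keeping in any in-house procedure: a pass that silently fails (a write error, a controller that caches without committing) looks identical to a successful one unless the medium is read again, and the final random pass should read back as mixed bytes, never as a uniform value.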

For some devices, physical destruction is warranted. It’s generally done "with a large hammer, rendering the device unusable and bending the platters," Kritcher said. If a hard drive that once contained sensitive data has failed and is inaccessible, he will bring it to a local vendor who will "pulverize or shred the hard drive."

Do-it-yourself destruction

While some companies work with vendors to secure and dispose of old gear, others wipe data internally and resell the equipment to staff or donate it to charitable organizations.

Bruce Bonsall, CISO of MassMutual Financial Group in Springfield, Mass., said when his organization turns over PCs—a few thousand at a time—each is thoroughly scrubbed and tested to ensure it is clean. The IT team uses various devices to remove the data, and a computer forensics expert on staff tests PCs following the cleaning process to ensure the data is gone.

"The data must be removed before the PCs can be scrapped, donated to schools and other nonprofit organizations. Allowing the confidential information of our employees, distributors and customers to fall into the hands of people who don’t have a need or right to see it would be irresponsible," Bonsall said.

For Ross McKenzie, IS director for the Bloomberg School of Public Health at Johns Hopkins University in Baltimore, the process of removing data and recycling equipment for use among employees provides both network security and job satisfaction.

"There is a good feeling when you know you didn’t just throw something out, that you protected your organization and gave something back without being completely wasteful," he said.

Processes in place at the university since the late 1990s include using Disk Wipe from DTI Data to scrub hard drives. A few IT staff will take on as many as 75 machines at a time, every few years, McKenzie said. In some cases staff employ less technical methods, such as using tin snips to cut up the platters on hard drives to ensure there will be no breaches down the road.

"We will go as far as physically destroying the hard drive, depending on the sensitivity of the data," McKenzie said. "We don’t take any chances."

—Denise Dubie, Network World


Copyright © 2007 IDG Communications, Inc.
