


Minimizing Risks Associated With Residual Data on Hardware

Feb 17, 2009
Data and Information Security

In just the past week, two embarrassing data compromises were widely publicized.  Those compromises resulted from a failure to adequately scrub old hardware (e.g., laptops, Blackberries, and USB drives) of residual data.  Given the currency of this issue, I thought it appropriate to take a slight detour from my current series of postings on contract issues to present some sample contract language to address this problem.

When drafting contracts with vendors who will be providing services to fix, replace, update, or dispose of hardware, it is important to include specific language in the agreement addressing the vendor’s obligation to ensure all data is scrubbed from the hardware before it leaves your facilities.  While the best practice is clearly to conduct such scrubbing yourself, before the hardware leaves your control, language addressing the issue should also be included in every relevant vendor contract as a fail-safe.

The following is sample language regarding a vendor’s obligation to securely and irretrievably scrub data from hardware prior to its removal from the customer’s facilities:

In the event Contractor will remove any hardware or other equipment (collectively, “Equipment”) from Customer’s facilities for purposes of maintenance, repairs, replacement, or disposal, Contractor shall provide Customer a notarized statement detailing the destruction method used to irretrievably remove all Customer data from the Equipment, the date of destruction, and the company or individual who performed the destruction.  Contractor shall provide the statement to Customer within fifteen (15) days of removal of the Equipment or at any time on Customer’s request. Contractor’s destruction or erasure of Customer data under this Section shall be in compliance with best industry practices (e.g., the DoD 5220.22-M Standard).

Of course, this language should only be used once any relevant data has been transferred to other hardware or backed up, since the vendor is being obligated to destroy everything on the Equipment.  Two further practical points: DoD 5220.22-M is the reference most often seen in contracts, but an agreement can instead cite NIST Special Publication 800-88, Guidelines for Media Sanitization, which specifies clearing, purging, and destruction methods by media type; and overwriting alone is not a reliable sanitization method for flash-based media such as USB drives and BlackBerries, where physical destruction or the device’s own secure-erase function is the appropriate method.
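The clause above makes the vendor attest to destruction after the fact; the best practice the post recommends, scrubbing before the hardware leaves, is only as good as your own verification of the result. The following is an added example, not part of the original post or the author’s material, of a minimal overwrite-and-verify routine in Python. It runs here against a constructed disk image in a temporary file; the names `overwrite_image`, `first_nonzero_offset`, and `demo` are chosen for this illustration, and pointing it at a real block device requires root and reaches only the sectors the operating system can address.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # stream the image in 1 MiB pieces so large devices do not need RAM


def _device_size(f):
    """Size in bytes of an opened image file or block device."""
    f.seek(0, os.SEEK_END)
    size = f.tell()
    f.seek(0)
    return size


def _write_all(f, data):
    """Unbuffered writes may be partial; loop until every byte has been written."""
    view = memoryview(data)
    while view:
        n = f.write(view)
        view = view[n:]


def overwrite_image(path, passes=2):
    """Overwrite every addressable byte of `path` in place: `passes - 1`
    passes of random data, then a final pass of zeros so the result can be
    verified by reading it back. Returns the number of bytes overwritten.

    Caveat: this reaches only sectors the OS can address. Spare or remapped
    sectors, host-protected areas and flash wear-levelling pools are not
    touched, so for SSDs and USB sticks rely on the device's built-in secure
    erase or on physical destruction instead.
    """
    with open(path, "r+b", buffering=0) as f:
        size = _device_size(f)
        for p in range(passes):
            final = p == passes - 1
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                _write_all(f, bytes(n) if final else secrets.token_bytes(n))
                remaining -= n
            os.fsync(f.fileno())  # make sure the pass is actually on the media
    return size


def first_nonzero_offset(path):
    """Full read-back verification of the final zero pass. Returns the offset
    of the first non-zero byte, or None if every byte reads as zero."""
    with open(path, "rb", buffering=0) as f:
        offset = 0
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return None
            if chunk.strip(b"\x00"):  # something other than zeros survived
                return offset + next(i for i, b in enumerate(chunk) if b)
            offset += len(chunk)


def demo():
    """Constructed input: a small image holding fake customer data behind a
    zeroed header. Returns (offset_before_wipe, offset_after_wipe); the
    second value is None when the wipe verified clean."""
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(bytes(4096) + b"ACME-PAYROLL-2009-Q1" + secrets.token_bytes(3 * CHUNK))
        path = tmp.name
    try:
        before = first_nonzero_offset(path)
        overwrite_image(path, passes=2)
        after = first_nonzero_offset(path)
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    print(demo())  # (4096, None) on a successful wipe
```

The read-back pass is the part worth keeping: the offset it returns (or the fact that it returns nothing) is the evidence you record alongside the device serial number and date, which is the same information the sample clause asks the vendor to attest to.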


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
