


Ensure Your Data is Securely Deleted

Mar 11, 2013 | 2 mins
Cloud Security

In any instance in which your data may reside on a vendor’s systems (e.g., cloud engagements, hardware rental engagements, etc.), it is critical to ensure that your data is securely removed from those systems (i) when the agreement terminates and (ii) when any of the systems may be taken out of service, including for maintenance by a third party.  

Consider the following real-world example:  a vendor was engaged to provide desktop refresh services for a large organization.  During the course of those services, the vendor replaced desktop computers with updated machines throughout the customer’s organization.  The agreement specifically required the vendor to securely delete all data from the replaced computers prior to removing them from the customer’s facilities.  In fact, this was not done.  Worse yet, it appears some of the replaced computers were sold on the open market to third parties without proper erasure of sensitive data.  

Ensuring data is protected when a contract ends or when hardware is sent out for servicing is a key information security measure. This means doing two things. First, require that specific language regarding secure erasure be added to relevant contracts. Second, follow up with the vendor to ensure those requirements are, in fact, carried out.


Michael R. Overly is a partner and intellectual property lawyer with Foley & Lardner LLP where he focuses on drafting and negotiating technology related agreements, software licenses, hardware acquisition, development, disaster recovery, outsourcing agreements, information security agreements, e-commerce agreements, and technology use policies. He counsels clients in the areas of technology acquisition, information security, electronic commerce, and on-line law.

Mr. Overly is a member of the Technology Transactions & Outsourcing and Privacy, Security & Information Management Practices. Mr. Overly is one of the few practicing lawyers who has satisfied the rigorous requirements necessary to obtain the Certified Information System Auditor (CISA), Certified Information Privacy Professional (CIPP), Certified Information Systems Security Professional (CISSP), Information Systems Security Management Professional (ISSMP), Certified Risk and Information System Controls (CRISC) and Certified Outsourcing Professional (COP) certifications.

The opinions expressed in this blog are those of Michael R. Overly and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.
