With the introduction of the Protection of Personal Information Act, it has become vital for companies to consider every possible avenue through which data could make it into the public domain. One such avenue is through the sale or disposal of formatted hard drives.
Companies deal in private information, whether it's their own intellectual property, or the personal or business information of clients or customers. For both these reasons, and especially with the introduction of the Protection of Personal Information (POPI) Act, companies need to be absolutely fastidious and compliant about how they safeguard their data – especially when data-containing equipment is disposed of.
“There is a very big risk in disposing of equipment like PCs or laptops – even through reputable recycling firms – if certain deliberate steps have not been taken to ensure that the data has been completely removed from the hard drive,” says Rodney Peters, head of ITAM and ITAD at AST Recycling. “Many people think that formatting a drive is sufficient to remove all data, but this is not actually the case.”
He explains that storing data is almost like storing boxes in a warehouse. Each box has a number, and the warehouse manager has a list of what asset is stored in which box. Formatting a drive is like taking away that list. It means that there is no longer an index that points visitors to where the data is stored, but, importantly, it doesn’t mean that the data has been removed.
“Anyone can download software to retrieve that data. It works this way on PCs, laptops, cell phones, and tablets, and can retrieve fragments of data that have been formatted and written over up to 15 times,” says Peters. “In fact, a study carried out by two MIT students back in 2003 revealed that out of 158 devices that they purchased second hand, they were able to retrieve 5 000 instances of sensitive data from previous users that hadn’t been properly deleted.”
To get around this, some recycling companies degauss hard drives. This involves passing the drive through a machine with a powerful magnet, which, acting like an electromagnetic pulse, scrambles all the data contained on the drive. Some companies even drill holes in the drives they are tasked with sanitising, but it is possible to retrieve some data from a drilled drive. Both of these methods mean that the drive cannot be reused, which Peters says contributes to the burgeoning problem of e-waste.
He explains that the only way to get rid of saved data, while preserving the drive itself, is to use data erasure tools that overwrite the data with random ones and zeroes. “Essentially, it’s like putting rubbish into those boxes in the warehouse. So even if someone finds the box, what’s inside is meaningless. The data will no longer exist on the drive. We call this sanitisation.”
Many IT departments or e-waste recycling companies will format hard drives, but will not carry out proper sanitisation procedures. Fully compliant recycling companies will offer a sanitising solution. AST Recycling, for instance, offers a data sanitisation solution which overwrites the data three times and then provides a certificate of sanitisation, confirming that any data previously saved on those drives is unrecoverable. The solution offered by AST is compliant with the United States Department of Defense standard for data sanitisation, DOD 5220.22-M, which means it’s acceptable for military-grade sanitisation. The solution they offer is also ISO 27001 compliant.
“For the public, I would advise this: If you have ever had a photo of your ID on a device, if you’ve ever stored credit card information, photos you wouldn’t want anyone else to have, or scans of personal documents, consider having your hard drives professionally sanitised before you sell them on or donate them, because the chances of your information being recovered are high,” says Peters.
For organisations faced with POPI Act compliance, he recommends the following: “As your equipment may have both your organisation’s and your clients’ data, it is vitally important that this doesn’t get out into the public domain. You need to ensure that when your devices reach their end of life, even if you are letting your staff purchase them, that they are properly sanitised before they are disposed of. Be sure that whatever company does this for you is compliant and able to offer you a certificate of sanitisation to ensure that they have properly dealt with your data.”