The impending date for the introduction of GDPR in May has brought data destruction and erasure strategies to the forefront of corporate strategic thinking. Thanks to potentially punitive fines for non-compliance and responsibility now sitting with the senior leadership team, data storage is now firmly at the top of the agenda in many organisations.
Knowing about the issue and taking pragmatic steps to address it are clearly two different things. The problem is that organisations don’t always know where their data resides, so responding to subject access requests (SARs) for personal information is set to be a complex, time-consuming and expensive process. Under Article 17 of the GDPR, organisations must be able to prove that they can erase data properly and permanently.
Once an initial data audit is undertaken, (most organisations should be well on the way to completing this process anyway in preparation for the GDPR) the next stage is to get rid of personal data that is no longer relevant, no longer in use for a specific purpose or relates to children under 16.
How to erase data properly
However, just deleting data or reformatting magnetic media (including hard disk drives and tapes) will not be enough to ensure that the wrong personal data does not reside somewhere in the business. If data gets deleted from any media type it can be recovered in many cases, even when the hardware is damaged by flood or fire.
Luckily, there are many software solutions available that completely wipe devices so they can be securely reused, resold or recycled. There are also solutions that permanently erase only specific, targeted files. There are of course more permanent erasure solutions such as degaussing which can take magnetic tape storage and render the device completely unreadable (and unusable).
Virtual drives should also be considered as part of any data sanitisation process. Third party service providers in particular use virtualised infrastructure to partition storage space across multiple customers in order to achieve economies of scale. Many providers are then faced with the issue of securely deleting targeted areas of their virtual storage infrastructure whilst leaving the rest intact, for example, if a customer ends their managed service agreement.
The risks of physical drives
Another big source of risk is physical drives, which tend to be recycled and reused by organisations seeking to contain the cost of storage. Without using the right data erasure tools and software, organisations cannot be sure that sensitive data has been removed before it is redeployed or sent back to the original equipment manufacturer.
In a study of 64 disk drives bought online from locations including the US, Germany, France, Italy, the Asia-Pacific region, Poland and the UK, Kroll Ontrack found that 30 drives still contained traces of personal data.
One of the drives raised particular alarm. It had belonged to a company that used a service provider to erase and resell old drives. Despite that, the drive contained a wealth of highly sensitive information, including user names, home addresses, phone numbers and credit card details. It contained an employee list of around 100 names that included information about work experience, job titles, phone numbers, language abilities, vacation dates and a 1MB offline address book.
Nearly a third (21 drives) contained personal photos, private documents, emails, videos, audio or music. User account information was discovered on eight drives, including login data such as first and last names, contact details, email address, online account names and passwords.
Transactional data was recovered from nearly every seventh drive (9). This included company names, salary statements, credit card numbers, bank account info, investment details and tax returns.
The problem extends into the business world, as users access work from their own mobile devices. Six drives in our study were found to contain critical business data such as CAD files, PDFs, JPGs and passwords.
We even found full online store set ups, configuration files and POS training videos in our search of these six drives. A further five contained other work-related data: invoices and purchase orders, much of it including sensitive personal information.
Users are unaware of the risks
In an earlier survey of 2,000 UK consumers, we found that many users are unaware of the risks presented by not backing up data or by recycling their devices properly, with more than one in 10 (11 per cent) admitting they were not sure whether data is permanently deleted when they recycle or throw away old mobile phones, tablets or computers.
Only 32 per cent said that they regularly backed up the data on their electronic devices, leaving 68 per cent risking the loss of personal information and many more leaving data on their device when it is lost, damaged, resold or disposed of.
The world has seen a proliferation of gadgets, from smartphones to iPads to voice-activated digital assistants, televisions and fridges that can all record and transmit data. Industrial sensors and CCTV cameras also help to produce data so large and complex that a new approach must be taken to store, secure and erase upon request by individuals.
Computer forensic experts can use data to make or break a criminal case. An example of such a case was when prosecutors found that a murdered woman’s Fitbit data did not match her husband’s alibi. From the locations tracked by the Fitbit and the activity monitor, investigators were able to produce a timeline showing that she was not where her husband said she was at the time of her murder. Richard Dabate is now out on bail pending trial for killing his wife.
The case serves to demonstrate that a determined computer forensics expert will be able to recover data from almost every device, in almost every stage of disrepair. Our many studies over the years into discarded or recycled devices shows a lack of thought is often applied, leaving individuals and the organisations they work for under a severe level of risk.
The GDPR effect
When the new GDPR legislation comes into force, companies in both the private and public sectors will need to prove that data is securely erased in line with the new guidelines and show that they are fully accountable for monitoring, reviewing and assessing relevant processing procedures.
They will need to show a willingness to minimise data processing and unnecessary retention as well as incorporate safeguards for all data-related activities. Many organisations are already viewing the GDPR as a reason to apply best practice management to their data storage strategies. There are several business benefits to putting an end to end erasure policy in place, and not simply because of the new focus in revised European legislation.
Cost – Data storage both physical and virtual is expensive. Being able to erase data securely enables businesses to recycle and re-use storage media without fear of inadvertently placing sensitive data in the hands of others.
Security – The difference between deletion and erasure is often misunderstood and sometimes thought to be the same. It is important for businesses to understand that if data is deleted it is recoverable but if it is erased properly it is irretrievable.
Keeping up to date – The focus on data retention and erasure is not new (PCI DSS, ISO 270001) but as the world becomes more data dependent understandably the sentiments of more focused regulations are being applied to the wider world. GDPR will also cover important aspects like globalisation or popular technological developments, such as Facebook, Twitter, Google+ and other social media platforms. The new legislation will encompass all of the new ways of communicating in the digital age – and the subsequent information that’s generated from our interaction with it.
In our experience, it seems data protection professionals are on the whole well-informed about the new GDPR legislation. The challenge for them is to bridge the gap between theoretical requirements and the practicalities of implementation, as well as the impact this will have on the businesses they work for. This includes the ability to erase data securely and with an auditable process.
Conversely, there are still a large number of organisations that have not assigned the tasks associated with data protection within their business, be it to an individual data protection officer or a group of individuals. For those businesses, time is well and truly running out.
What does your organisation currently do to get rid of data properly and why? Do you feel prepared for GDPR? Let us know by tweeting @OntrackUKIE