Companies face huge challenges when it comes to determining what data to keep and what to delete.
Data retention and deletion represent two sides of the same issue as companies grapple with their legal and regulatory responsibilities. Which electronic records must you save, and when should you delete them--for good? It's not just a legal and ethical consideration for employees, but also a critical security and storage management challenge for IT professionals. So why aren't companies paying more attention?
In an InformationWeek Research survey of 300 business technology pros, only 18% of respondents say their organizations use products that delete data so thoroughly that it's completely unrecoverable. Such products go beyond pressing a PC's delete key or dragging and dropping a file to the trash bin, neither of which actually delete the data. Data deletion products overwrite data so that there's no trace of it, which is what's required if Social Security numbers, salaries, or other sensitive data are on the hard drive.
Researchers at the University of Glamorgan in Wales bought and scanned 300 used hard drives this year and found that 49% contained personal information and 47% had corporate data. Among the data was an employee database for Vodafone, business strategy documents for a German truck company, and the embarrassing detail that a contractor bidding to build a U.S. Navy destroyer is also a transvestite.
Too many companies fall into the extremes of data management, says attorney Michael Overly, a partner in the IT practice of Foley & Lardner and co-author of Document Retention In The Electronic Workplace(Pike & Fischer, 2001). They get rid of all data that isn't mandated to keep, or they don't ever delete anything. "No business I've encountered is really doing deletion that well," he says.
Keeping e-mail around on PCs, servers, and backup tapes gets companies into trouble. During the investigation of fraud at Enron in 2003, 1.5 million internal messages from 176 employees showed up online, exacerbating the embattled company's problems.
Conversely, Philip Morris was slapped with a $2.7 million fine two years ago after it accidentally destroyed e-mails related to a lawsuit. Investment banker Laura Zubalake, fired by UBS Warburg in 2001, came away with $29 million in a sexual discrimination case, partially because the judge instructed the jury that it could infer that e-mails lost and destroyed in defiance of a court order would have been unfavorable to Zubalake's former employer.
The most severe punishments have come after intentional destruction of data. When former CA CEO Sanjay Kumar and former executive VP of sales Stephen Richards are sentenced in the next two weeks in a $2.2 billion accounting fraud case, they could get more tacked on for having trigger-happy delete fingers. In addition to the fraud charges, they both pleaded guilty to obstruction of justice. Prosecutors say Kumar reformatted his hard drive after CA was told to keep all relevant documents. Richards is said to have created a directory, labeled "incinerate," for the apparent purpose of eliminating documents after the Securities and Exchange Commission issued him a subpoena.
Kumar and Richards broke a cardinal rule of data deletion: If you're aware of a claim against the business, relevant information must be retained. Otherwise, companies can be liable for spoliation--legalese for destruction of evidence. "That's where we see most people screwing up," Overly says. "However, in the majority of instances, it hasn't been someone saying, 'Let's write over that as quickly as possible.' It's, 'Oh my God, Bob in retention has written over a tape we needed.'"
No More Smoking Guns Most employees don't delete data to cover wrongdoing or get rid of incriminating evidence. However, there is concern that old, unnecessary data lying around could come back to haunt a company. Thirty-three percent of the InformationWeek Research respondents who say they use or plan to use data deletion tools say they do so as a way to minimize the threat of future lawsuits. And 20% say vendors have pitched them data deletion products as a way to avoid criminal and civil suits.
"When you sit down and look at them eye to eye, they will usually stress civil cases like internal memos thrown in drug companies' faces during lawsuits," says Ruth Harenchar, former CIO at legal staffing firm Hobart West. "I've heard them say that as part of your risk management strategy ... you should 'get rid of any smoking guns.'"
Use of data deletion products as a routine part of a data management policy isn't going to get a company in trouble, as long as it can show there aren't pending legal concerns or investigations surrounding that data and deletion policies are consistently applied. Most vendors add that caveat to their pitches. "You don't want to be in a position of doing things that appear highly suspicious, and that's why having these programs that work across time on a consistent basis is so important," says Alan Brill, senior managing director at Kroll OnTrack, a data deletion software vendor.
Bill Adler, CEO of software vendor CyberScrub, which counts among its customers the New York Stock Exchange, Boeing, and the federal government, says he's turned away potential customers after they told him their computers were subject to seizure by authorities. But he also notes that "almost invariably, when somebody comes to us, they're in a panic. Legal has come to them and said, 'You have to act on this immediately.'"
Before deleting something, Adler says, "you have to be able to say all established retention periods have expired, all audit requirements have been satisfied, there are no pending requests for the information, and there's no foreseeable litigation involving the records." The whole process should be centrally managed and auditable, so companies can demonstrate to courts when data was erased and by whom, Adler says. And deleted data had better actually be just that--deleted.
Is It Really Gone? Anyone with an ounce of computer knowledge knows that when you drag a document to the recycle bin, it's not gone. Emptying the recycle bin, even reformatting the hard drive, doesn't do the trick unless the data is completely written over. Deleted data is traceable with any number of freeware tools and data recovery programs. In Windows, when a user deletes a file, it appears as free space, but it's actually there until overwritten. Even when the contents of a file are partially overwritten, fragments can be recovered. Other systems delete data more securely than Windows does. Mac OS X has its own built-in file shredder called Secure Empty Trash that adheres to Defense Department deletion standards.
Microsoft says its Windows XP and Windows Server 2003 utility cipher.exe "permanently wipe[s] all the deleted data on a disk." However, Harvard researchers have found that cipher.exe leaves traces of files, including file names and small undeleted chunks of data.
We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.
2018 State of the CloudCloud adoption is growing, but how are organizations taking advantage of it? Interop ITX and InformationWeek surveyed technology decision-makers to find out, read this report to discover what they had to say!
Infographic: The State of DevOps in 2017Is DevOps helping organizations reduce costs and time-to-market for software releases? What's getting in the way of DevOps adoption? Find out in this InformationWeek and Interop ITX infographic on the state of DevOps in 2017.
Cybersecurity Strategies for the Digital EraAt its core, digital business relies on strong security practices. In addition, leveraging security intelligence and integrating security with operations and developer teams can help organizations push the boundaries of innovation.