Companies face huge challenges when it comes to determining what data to keep and what to delete.
Data retention and deletion represent two sides of the same issue as companies grapple with their legal and regulatory responsibilities. Which electronic records must you save, and when should you delete them--for good? It s not just a legal and ethical consideration for employees, but also a critical security and storage management challenge for IT professionals. So why aren t companies paying more attention? In an InformationWeek Research survey of 300 business technology pros, only 18% of respondents say their organizations use products that delete data so thoroughly that it s completely unrecoverable. Such products go beyond pressing a PC s delete key or dragging and dropping a file to the trash bin, neither of which actually delete the data. Data deletion products overwrite data so that there s no trace of it, which is what s required if Social Security numbers, salaries, or other sensitive data are on the hard drive. Researchers at the University of Glamorgan in Wales bought and scanned 300 used hard drives this year and found that 49% contained personal information and 47% had corporate data. Among the data was an employee database for Vodafone, business strategy documents for a German truck company, and the embarrassing detail that a contractor bidding to build a U.S. Navy destroyer is also a transvestite. Too many companies fall into the extremes of data management, says attorney Michael Overly, a partner in the IT practice of Foley Lardner and co-author of Document Retention In The Electronic WorkplacePike Fischer, 2001-. They get rid of all data that isn t mandated to keep, or they don t ever delete anything. No business I ve encountered is really doing deletion that well, he says. Keeping e-mail around on PCs, servers, and backup tapes gets companies into trouble. During the investigation of fraud at Enron in 2003, 1.5 million internal messages from 176 employees showed up online, exacerbating the embattled company s problems. Conversely, Philip Morris was slapped with a $2.7 million fine two years ago after it accidentally destroyed e-mails related to a lawsuit. Investment banker Laura Zubalake, fired by UBS Warburg in 2001, came away with $29 million in a sexual discrimination case, partially because the judge instructed the jury that it could infer that e-mails lost and destroyed in defiance of a court order would have been unfavorable to Zubalake s former employer. The most severe punishments have come after intentional destruction of data. When former CA CEO Sanjay Kumar and former executive VP of sales Stephen Richards are sentenced in the next two weeks in a $2.2 billion accounting fraud case, they could get more tacked on for having trigger-happy delete fingers. In addition to the fraud charges, they both pleaded guilty to obstruction of justice. Prosecutors say Kumar reformatted his hard drive after CA was told to keep all relevant documents. Richards is said to have created a directory, labeled incinerate, for the apparent purpose of eliminating documents after the Securities and Exchange Commission issued him a subpoena. Kumar and Richards broke a cardinal rule of data deletion: If you re aware of a claim against the business, relevant information must be retained. Otherwise, companies can be liable for spoliation--legalese for destruction of evidence. That s where we see most people screwing up, Overly says. However, in the majority of instances, it hasn t been someone saying, Let s write over that as quickly as possible. It s, Oh my God, Bob in retention has written over a tape we needed. No More Smoking Guns Most employees don t delete data to cover wrongdoing or get rid of incriminating evidence. However, there is concern that old, unnecessary data lying around could come back to haunt a company. Thirty-three percent of the InformationWeek Research respondents who say they use or plan to use data deletion tools say they do so as a way to minimize the threat of future lawsuits. And 20% say vendors have pitched them data deletion products as a way to avoid criminal and civil suits. When you sit down and look at them eye to eye, they will usually stress civil cases like internal memos thrown in drug companies faces during lawsuits, says Ruth Harenchar, former CIO at legal staffing firm Hobart West. I ve heard them say that as part of your risk management strategy ... you should get rid of any smoking guns. Use of data deletion products as a routine part of a data management policy isn t going to get a company in trouble, as long as it can show there aren t pending legal concerns or investigations surrounding that data and deletion policies are consistently applied. Most vendors add that caveat to their pitches. You don t want to be in a position of doing things that appear highly suspicious, and that s why having these programs that work across time on a consistent basis is so important, says Alan Brill, senior managing director at Kroll OnTrack, a data deletion software vendor. Bill Adler, CEO of software vendor CyberScrub, which counts among its customers the New York Stock Exchange, Boeing, and the federal government, says he s turned away potential customers after they told him their computers were subject to seizure by authorities. But he also notes that almost invariably, when somebody comes to us, they re in a panic. Legal has come to them and said, You have to act on this immediately. Before deleting something, Adler says, you have to be able to say all established retention periods have expired, all audit requirements have been satisfied, there are no pending requests for the information, and there s no foreseeable litigation involving the records. The whole process should be centrally managed and auditable, so companies can demonstrate to courts when data was erased and by whom, Adler says. And deleted data had better actually be just that--deleted. Is It Really Gone? Anyone with an ounce of computer knowledge knows that when you drag a document to the recycle bin, it s not gone. Emptying the recycle bin, even reformatting the hard drive, doesn t do the trick unless the data is completely written over. Deleted data is traceable with any number of freeware tools and data recovery programs. In Windows, when a user deletes a file, it appears as free space, but it s actually there until overwritten. Even when the contents of a file are partially overwritten, fragments can be recovered. Other systems delete data more securely than Windows does. Mac OS X has its own built-in file shredder called Secure Empty Trash that adheres to Defense Department deletion standards. Microsoft says its Windows XP and Windows Server 2003 utility cipher.exe permanently wipes all the deleted data on a disk. However, Harvard researchers have found that cipher.exe leaves traces of files, including file names and small undeleted chunks of data. Beyond the basics, there are dozens of products that say they render data unrecoverable. Robin Hood Software s Web site says its not-so-subtly named Evidence Eliminator software renders data unrecoverable by the Secret Service and Scotland Yard. But former Bowne CEO and Newsday publisher Bob Johnson used Evidence Eliminator to destroy more than 12,000 files from his work computers during a 2004 child pornography investigation and ended up pleading guilty to the charges, including an obstruction charge related to his use of the data deletion product. Other products range from open source freeware such as Darik s Boot and Nuke, which renders data on PC hard drives unrecoverable, to multiseat products such as Kroll OnTrack s Data Eraser, CyberScrub s Cybercide, and a full line from Finland s Blancco, all of which work on PCs and storage media. Kroll OnTrack and others make degaussers, hardware that bombards hard drives with heavy doses of magnetism to render them unusable. Secure deletion comes as a feature in EMC s Centera, a content management and storage archive, and IBM s FileNet Records Manager. EMC s Documentum has built-in records management that can, for example, tag SAP transactions and e-mail with retention periods and notify designated people when data is about to be destroyed. EMC and other companies also offer deletion services. Not all the products work as claimed: a Carnegie Mellon University graduate student testing three consumer data deletion products last year found that none was able to remove all sensitive information. The ones that do work overwrite deleted data several times with randomized code. Even so, forensic examiners often can determine that a data-wiping program has been used. If a drive has never been written to, it s blank, and the empty space looks like nothing to the examiner. However, once it has been written to, even with random characters as happens with today s data-wiping programs, the space doesn t appear empty. Sometimes, examiners can tell when the data was deleted and by whom. Those who don t want to use products or convoluted self-deletion methods might try what car dealership South Shore Imported Cars CIO Jack Daniel does whenever a drive is failing. I m an amateur blacksmith in my spare time, he says. I heat a drive up to several thousand degrees, and it destroys the data. And the drive, too. Big Picture Data deletion is only a piece of the bigger data management picture, where an increasing number of laws and regulations require companies to keep all sorts of data. Payroll records can go to the rubbish bin only after somewhere between three and seven years, depending on the company and relevant law. Medical records sometimes must be kept until two years after a patient s death. The Sarbanes-Oxley Act requires accounting firms that audit public companies to keep related documents for seven years after the audit. In addition to regulatory requirements, the health-care industry s use of digital medical records means data stores are increasing exponentially. The industry is stuck trying to keep pace with it, says John Wade, executive director of the Kansas City Regional Electronic Exchange, a secure health information exchange. You re going from terabytes to petabytes to whatever the next number is in an astonishingly short period of time. Backups at packaging company Huhtamaki Americas have hit 2 terabytes a night, making managing that old data a problem. There are files out there that are really old and nobody s cleaned them up, says IT project manager Mike Pettigrew. A storage area network Pettigrew installed last year already has been upgraded twice. Huhtamaki plans to install Xerox s DocuShare document management system, which will put a time stamp on every document employees create, track aging documents, and prompt managers to make decisions about them after a set amount of time. Formulating policies to manage all that data can be complex, too. With lifetime warranties on all the swimming pools it builds, Anthony Sylvan Pools has kept every one of its 400,000 contracts and tries to hold onto customer e-mails as well. You never know when you may need it in the future, VP of IT Anthony Pizzelanti says. If we ever run into a capacity issue, the thing we d do is probably just add more disks. On the flip side, Anthony Sylvan tells employees to delete other e-mails and compress their e-mail archives whenever space limits are reached. The company also deletes employment applications after a year because they no longer hold any value and could potentially be fodder for lawsuits. It also wipes disks seven times before getting rid of a computer or transitioning it to a new owner. Data deletion technology is also being used to fight thefts of laptops and storage media that have put enormous amounts of data at risk. This spring, Everdream and Absolute Software each came out with products that securely delete or encrypt information on a stolen laptop as soon as the device connects to the Internet. A similar capability is built into the newest version of the Palm Treo. For companies that have a policy and the right tools in place, the final piece of the data management puzzle is making sure employees understand their role. They must know the ramifications of deleting or keeping each piece of data they handle. Laws change, regulations change, data media change, so it s not a one-time effort, says Wade of the Kansas City Regional Electronic Exchange. Short of locking down every computer, the best way to prevent rogue data deletion or rule-breaking data transfers is to convey your company s data management policy to all employees. That will eliminate 99% of potential problems. What about the other 1%? Unfortunately, there will always be room for misuse. Source: www.informationweek.com