Physical Data Security, Management and Destruction for Legal IT Professionals

One of our major concerns has always been the security of our clients' sensitive data. Recently, there have been stories in the news about data media getting lost or exposed, often with damaging or embarrassing consequences. Backup tapes, hard drives, CDs and other sources contain exponentially more data than a box of paper, so we have had to become very focused on how these data storage devices are tracked, stored, managed and disposed of when the time comes. Now that storage is so inexpensive, more data is sitting on a single disk or drive. New terabyte disk drives are setting a new standard for capacity ' but they also send up a huge red flag for risk. What if one terabyte hard drive was to fall into the wrong hands? Imagine the fallout and liability to which a law firm could be vulnerable.

Also, since our firm does insurance defense, we are frequently handling our clients' confidential medical records. Our main compliance consideration with these files is HIPAA (the Health Insurance Portability and Accountability Act of 1996), which requires that we keep the information for seven years to allow for recovery of data; then we need to make sure that the data is destroyed. In addition to medical information, we often have access to private information for defendants, such as Social Security numbers and personal details. In order to comply with HIPAA's 'due diligence' clause and its privacy requirements, we need to erase the data when it's no longer needed.

Locking Down the Data

Because of the inherent risks that go along with handling confidential data, we lock down our technology ' both from a virtual and physical standpoint. For example, we lock the users' workstations down tightly. Users cannot save locally to their machine's hard drive.

However, we know that this level of virtual security still leaves a few loopholes. When a user opens a document, a copy is opened and saved on the local machine as a temporary file. When the user saves that file back to the server, the temporary files on the local machine should be deleted, but sometimes that doesn't happen. Also, if people are surfing the Internet, the cached information still remains on their local machines. Again, the temporary files should be deleted, but aren't always.

As for physical data security, we have really woken up to the need for it. We keep an official inventory list of each piece of technology equipment at the firm. The list contains the equipment serial numbers and lease duration data. We lease equipment for three years and we generally have six months' lead-time to replace old equipment with newer models. When we are ready to replace equipment, we take an inventory of all equipment that has been collected and compare it with the leasing company's manifest from when they first leased it to us.

Data Destruction

Another area we have paid sharp attention to lately is the proper destruction of data and computers that we no longer need. Every year, we replace and upgrade workstations and other equipment for several users, and disposing of data-bearing or defective hard drives has always been a concern. Also, our department must continually discard used backup tapes and obsolete handheld devices such as Blackberrys.

Like many firms, our biggest problem was to figure out how to properly erase or destroy information that resided on our employees' hard drives and on backup tapes. Most law firms simply reformat the tape or hard drive and then consider that they are clean and reusable. We used this reformatting method, using a Norton software application to do a DOS-level format on the hard drive. As an extra measure, we would then run a magnet over the hard drive to make sure that it was data-free.

The bad news about the reformat and demagnetizing process was that it was inconsistent. At times, we would boot up some drives and still find data on them. In addition to being an unreliable erasure method, the reformat and magnetize process was extremely time consuming for my staff. Each hard drive would take between 20-60 minutes to reformat ' my staff did one drive manually and would then test to make sure the erasure was complete. For a mass cleanup of machines, if we wanted the process to be done efficiently with good concentration, it would take one of my people a whole day to reformat and test the disks. With a lean staff, it was a real hardship to lose a person for an entire day, but we didn't have an alternative to this method at the time.

Realizing that this method was neither efficient nor effective, I went looking for a better solution. I asked some of my fellow legal IT colleagues about their data media destruction methods. Most of them were doing a process similar to ours. Some of them were using more physically aggressive approaches such as smashing the drive plates with a hammer or drilling holes in the drives. Those approaches were worrisome to me ' especially with the rising tide of forensic data recovery specialists who could have probably extracted pure data from the remains left by the smash or drill methods.

Hard Drive Shredding

The solution for this problem came from an unusual source ' an IT consultant who was working for Tiffany's, the internationally known jewelry company. The consultant told me that Tiffany's was using a company called Back Thru The Future ('BTTF') (www.backthruthefuture.com) to recycle their old and obsolete computer equipment. Apparently, BTTF would accept the computer equipment, remove the hard drives, and shred them to eliminate any risk of the data getting into the wrong hands. I was intrigued by this report and wanted to find out more.

My first thought was that this would solve our computer-recycling dilemma. In the past, we had been donating our used computers to a non-profit organization. After the charity picked the machines up from our office, we had no idea what happened to them, which was a definite risk for our firm to be taking. And New York laws prohibited us from throwing the hardware in the trash, so that was not an option either.

Witnessing the Shredding Process

As part of my due diligence, I visited Back Thru The Future's headquarters, which is a 40,000 square foot facility in northwestern New Jersey.

While at BTTF, I witnessed the hard drive shredding process, which was done by a massive, custom-built machine that pulverized drives, backup tapes, CDs, Blackberrys and other data media. After the shredding process, which happened in seconds, the hard drives were transformed into small scraps of metal and plastic ' completely unrecognizable compared to their previous identities as tapes or drives.

The shreds were collected in boxes, weighed and then shipped to a smelting location where they were melted and separated into metals and plastics, mostly aluminum, which is then reusable. The process was 100% guaranteed to completely destroy the data so there was no chance of exposure. Also, the shredding process was relatively inexpensive so it would not expand our budget significantly.

BTTF called this shredding process Safe Harbor Data Destruction due to its compliance with the amended Federal Rules of Civil Procedure that govern data storage and electronic discovery. The company maintains a strict audit trail on all shipments, using lock boxes, digital photos and both paper-based and online tracking methods to assure law firms that the shipment has been received, processed and completely destroyed.

From an environmental standpoint, I wanted to make sure that the hard drive shredding was going to be 'green.' Our firm is very intent on recycling and other environmentally friendly methods. I was relieved to find out that BTTF has been approved by the EPA, New Jersey Department of Environmental Protection and county authorities. Since the shredded materials are recycled, nothing needs to end up in a landfill.

Future Plans

We have been shredding hard drives with BTTF since April 2007, and so far the process has gone smoothly. At this time, we are just shredding hard drives, although we will probably start shredding backup tapes and Blackberrys in the future. Also, we will consider shredding printer and fax drives as well, when our equipment leases are up.

One of our major concerns has always been the security of our clients' sensitive data. Recently, there have been stories in the news about data media getting lost or exposed, often with damaging or embarrassing consequences. Backup tapes, hard drives, CDs and other sources contain exponentially more data than a box of paper, so we have had to become very focused on how these data storage devices are tracked, stored, managed and disposed of when the time comes. Now that storage is so inexpensive, more data is sitting on a single disk or drive. New terabyte disk drives are setting a new standard for capacity ' but they also send up a huge red flag for risk. What if one terabyte hard drive was to fall into the wrong hands? Imagine the fallout and liability to which a law firm could be vulnerable.

Also, since our firm does insurance defense, we are frequently handling our clients' confidential medical records. Our main compliance consideration with these files is HIPAA (the Health Insurance Portability and Accountability Act of 1996), which requires that we keep the information for seven years to allow for recovery of data; then we need to make sure that the data is destroyed. In addition to medical information, we often have access to private information for defendants, such as Social Security numbers and personal details. In order to comply with HIPAA's 'due diligence' clause and its privacy requirements, we need to erase the data when it's no longer needed.

Locking Down the Data

Because of the inherent risks that go along with handling confidential data, we lock down our technology ' both from a virtual and physical standpoint. For example, we lock the users' workstations down tightly. Users cannot save locally to their machine's hard drive.

However, we know that this level of virtual security still leaves a few loopholes. When a user opens a document, a copy is opened and saved on the local machine as a temporary file. When the user saves that file back to the server, the temporary files on the local machine should be deleted, but sometimes that doesn't happen. Also, if people are surfing the Internet, the cached information still remains on their local machines. Again, the temporary files should be deleted, but aren't always.

As for physical data security, we have really woken up to the need for it. We keep an official inventory list of each piece of technology equipment at the firm. The list contains the equipment serial numbers and lease duration data. We lease equipment for three years and we generally have six months' lead-time to replace old equipment with newer models. When we are ready to replace equipment, we take an inventory of all equipment that has been collected and compare it with the leasing company's manifest from when they first leased it to us.

Data Destruction

Another area we have paid sharp attention to lately is the proper destruction of data and computers that we no longer need. Every year, we replace and upgrade workstations and other equipment for several users, and disposing of data-bearing or defective hard drives has always been a concern. Also, our department must continually discard used backup tapes and obsolete handheld devices such as Blackberrys.

Like many firms, our biggest problem was to figure out how to properly erase or destroy information that resided on our employees' hard drives and on backup tapes. Most law firms simply reformat the tape or hard drive and then consider that they are clean and reusable. We used this reformatting method, using a Norton software application to do a DOS-level format on the hard drive. As an extra measure, we would then run a magnet over the hard drive to make sure that it was data-free.

The bad news about the reformat and demagnetizing process was that it was inconsistent. At times, we would boot up some drives and still find data on them. In addition to being an unreliable erasure method, the reformat and magnetize process was extremely time consuming for my staff. Each hard drive would take between 20-60 minutes to reformat ' my staff did one drive manually and would then test to make sure the erasure was complete. For a mass cleanup of machines, if we wanted the process to be done efficiently with good concentration, it would take one of my people a whole day to reformat and test the disks. With a lean staff, it was a real hardship to lose a person for an entire day, but we didn't have an alternative to this method at the time.

Realizing that this method was neither efficient nor effective, I went looking for a better solution. I asked some of my fellow legal IT colleagues about their data media destruction methods. Most of them were doing a process similar to ours. Some of them were using more physically aggressive approaches such as smashing the drive plates with a hammer or drilling holes in the drives. Those approaches were worrisome to me ' especially with the rising tide of forensic data recovery specialists who could have probably extracted pure data from the remains left by the smash or drill methods.

Hard Drive Shredding

The solution for this problem came from an unusual source ' an IT consultant who was working for Tiffany's, the internationally known jewelry company. The consultant told me that Tiffany's was using a company called Back Thru The Future ('BTTF') (www.backthruthefuture.com) to recycle their old and obsolete computer equipment. Apparently, BTTF would accept the computer equipment, remove the hard drives, and shred them to eliminate any risk of the data getting into the wrong hands. I was intrigued by this report and wanted to find out more.

My first thought was that this would solve our computer-recycling dilemma. In the past, we had been donating our used computers to a non-profit organization. After the charity picked the machines up from our office, we had no idea what happened to them, which was a definite risk for our firm to be taking. And New York laws prohibited us from throwing the hardware in the trash, so that was not an option either.

Witnessing the Shredding Process

As part of my due diligence, I visited Back Thru The Future's headquarters, which is a 40,000 square foot facility in northwestern New Jersey.

While at BTTF, I witnessed the hard drive shredding process, which was done by a massive, custom-built machine that pulverized drives, backup tapes, CDs, Blackberrys and other data media. After the shredding process, which happened in seconds, the hard drives were transformed into small scraps of metal and plastic ' completely unrecognizable compared to their previous identities as tapes or drives.

The shreds were collected in boxes, weighed and then shipped to a smelting location where they were melted and separated into metals and plastics, mostly aluminum, which is then reusable. The process was 100% guaranteed to completely destroy the data so there was no chance of exposure. Also, the shredding process was relatively inexpensive so it would not expand our budget significantly.

BTTF called this shredding process Safe Harbor Data Destruction due to its compliance with the amended Federal Rules of Civil Procedure that govern data storage and electronic discovery. The company maintains a strict audit trail on all shipments, using lock boxes, digital photos and both paper-based and online tracking methods to assure law firms that the shipment has been received, processed and completely destroyed.

From an environmental standpoint, I wanted to make sure that the hard drive shredding was going to be 'green.' Our firm is very intent on recycling and other environmentally friendly methods. I was relieved to find out that BTTF has been approved by the EPA, New Jersey Department of Environmental Protection and county authorities. Since the shredded materials are recycled, nothing needs to end up in a landfill.

Future Plans

We have been shredding hard drives with BTTF since April 2007, and so far the process has gone smoothly. At this time, we are just shredding hard drives, although we will probably start shredding backup tapes and Blackberrys in the future. Also, we will consider shredding printer and fax drives as well, when our equipment leases are up.