Jurassic Hard Drive Shredders Munch Regulatory, Legal Problems
Date: Nov 12, 2004
End-of-Movie Nightmare? Just the Beginning Today
Remember the ending of Deliverance, when the dreamer saw the murdered man's hand thrust through the placid water, revealing a crime that was supposed to have remained hidden under the still, forgetful lake? An enterprise hard drive is full of many such visions: not evidence of crimes, but chilling moments for the company official who learns—or simply worries—that confidential or proprietary information was not destroyed with a hard drive sent to auction, donated to charity, packed home with an employee, sent to a recycling center, or tossed in the trash.
It's not just the old drive that housed the SQL server that you need to worry about: Workstation drives can contain passwords, automatic logins, proprietary work, and enough personal information to compromise an employee's security, or stupid remarks that could embarrass the company or invite a lawsuit.
Shove past the potentially damaged—or damaging—employee, and Uncle Sam is looking out for employees (well, mostly clients) with this alphabet game:
. The Fair and Accurate Credit Transactions Act of 2003 has rules about timely and proper disposal of consumer information for anyone who collects it. (Want more details? Visit this page or this one.)
- GLB or GLBA. The Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999) applies to all financial institutions. (More details here.)
- HIPAA. The Health Insurance Portability and Accountability Act of 1966 applies to any entity that transmits protected health information (PHI) in electronic form.
But you know about data risks. And you know that drilling holes in hard drives leaves lots of data to mine between them—and how lame software wiping is. You can try to follow the Department of Defense's DoD 5220.22-M standard for overwriting hard drives with due diligence, but:
Who has the time?
You know they keep trying to reconstruct the missing minutes on those Nixon tapes.
What about the drives you can no longer mount?
If you're really good, you probably take the drives apart and pass over each platter with a super magnet (the kind that could pick up your car), and then bend each platter until it breaks. Completely severing the tracks is key to destroying the data. But who has the time—or strength—for that?
Enter: The Dragons
Electronic media destruction has been readily available for some time for everything up to hard drives—CDs, videos, audiotape, microfiche, floppy disks, and the like. Many cities have businesses such as St. Louis, Missouri's St. Louis Data Destruction that pick up micromedia as well as paper, transporting and disposing of it securely, and offering certification of its destruction. St. Louis Data Destruction also accepts drop-offs and shipments. But the monster news is the hard drive–destroying beasts that are rearing their heads in the new shredding ecology. St. Louis Data Destruction has ordered a machine from Vecoplan that munches hard drives into half-inch bites; they expect to charge in the neighborhood of $.35 per pound to make the monster chew up the past for conscientious enterprises.
Tri-R Shredding of Denver, CO has a less dramatic method of destroying hard drives that would soothe many a fearful administrative heart. Tri-R quarters hard drives by placing them on a shear and cutting them in half once the long way and once the short way. The tracks inside the drive are completely severed. The cost for certified shredding for a hard drive already removed from the machine is $4; $6 if recording by serial numbers; $10 if not removed from the machine when they come in. Tri-R even has a joint service with FedEx called Ship and Shred, which allows you to go online and choose your location, type of media, and quantity; get a quote, print a label, and schedule a FedEx pickup. The price includes shipping, shredding, and an emailed certificate of destruction.
The most theatrical and yet least expensive option is the multistory, multimillion-dollar, custom-engineered behemoth at Gold Circuit, Inc. of Chandler, Arizona. After seeing the online movie, we put it on our vacation wish list—but, then, we're geeks. This monster gargles 800 computer monitors (26,000 pounds) per hour in its giant throat, from whole (minus cord) to particles. Not just a mess of particles—particles sorted by material into bins, with lead and other dangerous inhalants sucked out of the air, which is said to be cleaner than the normal air that we breathe, and dirty glass ready to ship to another plant for lead removal. And oh, yes—of course—they do hard drives.
How much for that city-crushing, drive-kill-o-saurus in the multistory building? Twelve cents a pound. Ship one hard drive or many, or arrange for secure pickup on the East Coast. One customer ships by UPS in a box with locks on it, according to Gold Circuit President James Greenberg. "We're also shredding electronics out of airplanes, because they don't want them to end up on new planes," says Greenberg. "Parts actually come to us in locked barrels, and they unlock them and we shred everything that's in them."
Greenberg has noticed a big difference in the hard drive shredding business since the beginning of 2004. "As the laws get a little bit stronger and more people get in trouble, everybody will adhere to it, but they're slow in enacting the laws needed," he says. "Major companies are looking at it the hardest because they have the most to lose, but they have the deeper pockets, so they can afford [compliance]."
Godzilla or Fraudzilla?
Nearly everyone who heard about the Tri-State Crematory in Noble, Georgia wants to forget about it. The oven was malfunctioning, but Reverend Marsh continued to make a living burying "product" in back and stacking it in outbuildings—hundreds of...units. Marsh was stopped by the EPA on Valentine's Day, 2002. Ironically, many destruction businesses told us that other destruction businesses don't really destroy materials—yet none could name such a business or put their finger on a famous case for us to look up and cite. Still, the possibility is real, and the risk not worth taking. That's why you should check out a company before putting your hard drives in their beaks and claws—and avail yourself of services that provide proof of destruction.
First, find a destruction business that has a method of annihilation that's secure enough for the most paranoid of your superiors at a price your department can afford. Then look for complaints with the Better Business Bureau at the company's local branch location, as well as their national headquarters, as you would for any other type of business. Next, see if the destroyer is a member of the National Association for Information Destruction, Inc. (NAID). NAID members have a code of ethics, are part of a community of peers, and have access to standard forms, as well as access to certifications for mobile and plant-based operations. You'll also want to make sure that employees of the company you choose are bonded, drug tested, background checked, well-trained, adequately paid, and presentable.
Now look for the elements that put the secure in secure destruction, such as the following:
Secure locking bins and trucks
Constant accompaniment of the data
Forms transferring custody of data
Guarded facility with video cameras
Taking Casts of the Monster's Footprints
If you need to prove destruction, or just want to assure yourself that hard drives aren't piling up on The Destructorator's back lawn, you'll want the following:
Destruction witnessing—watch your hard drives go to circuit board heaven
Remote viewing via video—same as above, but from the comfort of your office
Certificates of destruction—especially after you've witnessed a couple of kills
So there you have it: Leave those pliers in the Mesozoic era where they belong. The world is evolving, and there are creatures that can munch your troubles away for a song.