Regular
posted 2 Jul 2009 in Volume 3 Issue 5
Thought leader
By Tony Dearsley and Tracey Stretton
Individuals and organisations store their most important information on computers, personal digital assistants and other devices – even MP3 players. Virtually all communication and business is now conducted electronically and most organisations have experienced a steep increase in the use of technology. Yet, when it comes to disposing of information or devices, it is often a case of ‘out of sight, out of mind’.
Firms should also be aware that they could be acting illegally by not disposing of their data properly. Many are still labouring under the impression that pressing the ‘delete’ key is the end of the matter, and others believe that formatting a drive is even better. This is not the case: neither removes the underlying data, which remains recoverable with forensic tools.
Electronic evidence, especially e-mail evidence, can prove indispensable during civil litigation and in white-collar crime investigation – for example, allegations of insider trading, misappropriation of client assets, data theft and fraud. Firms need to do more than simply delete the contents stored on a former employee’s machines. Though certain circumstances may call for such measures, corporate data is increasingly being relied upon in litigation, and as we enter an increasingly litigious period the demands for organisations to disclose data, be they from regulatory bodies such as the FSA or the OFT, are set to increase. Organisations that are unable to meet these requirements are immediately at a disadvantage – with serious financial implications, including the risk of losing a case because vital evidence is missing, or facing court-imposed sanctions for failing to preserve or produce it. What is more, firms can only effectively display sound compliance policy and practice if they have access to all related materials.
Rather than merely wiping a hard drive, therefore, in many cases businesses will need to image its contents for storage.
Clearly a rational and selective approach to the process of data decommissioning and evidence preservation, driven by policy and need, is required.
The real issue is: what should be done when these devices, containing such data, are due for disposal? In the corporate environment there is a duty of care in relation to the Data Protection Act and, of course, there is also the issue of sensitive company or government data and financial information, which may be subject to many regulations. It is essential in any business that there is a recognised and tested procedure to deal with the destruction and disposal of data, and a need for a proper legal risk assessment. Often, disposal is part of a routine process dealt with by the IT department, and all too often there is a failure, not necessarily through any fault of that department itself, to recognise either the value of a secure and complete destruction of data or the risk of destroying evidence that should have been kept.
In high-risk situations where loss of data is suspected, where litigation is anticipated, and in relation to cases where computers hold sensitive business information, organisations should be making forensic images of computer hard drives due to be decommissioned and then systematically removing remaining data with a program specifically designed for the task.
It is essential that confidential and sensitive data is removed from computers before disposal to avoid breaches of confidentiality or unauthorised gathering of information about user accounts and passwords. Using a data-erase program to wipe the hard drive clean is the first step to disposing of any sensitive information. CD-ROMs and DVDs should be shredded (many domestic shredders have this capability), and tapes should be completely overwritten. Hard drives should be securely wiped using a recognised software program and, if not being recycled, should be physically rendered unusable. Mobile devices should likewise be securely wiped or physically destroyed.
The entire process of decommissioning hardware inevitably puts added pressure on already strained resources, often at a time when corporate survival is at stake. Failing to decommission effectively, though, can also have serious implications which, given the current economic environment, businesses cannot afford to face.
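The two steps just described, image first and wipe second, as an added shell example that is not the article's or Kroll Ontrack's own code: the image is hashed against the source and the result written to a custody log, then the source is overwritten and the overwrite verified. The device path (/dev/sdb), the log format and the use of dd, sha256sum and a zero-fill pass are assumptions; the functions run unchanged on an ordinary file, which is how they are exercised here.

```shell
#!/bin/sh
# Added example (not the article's or Kroll Ontrack's code). Step 1 images the
# drive and records hashes for chain of custody; step 2 overwrites it and checks
# the overwrite. SRC would normally be a device such as /dev/sdb (assumed path);
# the same functions run unchanged on an ordinary file for testing.
set -eu

# image_drive SRC IMAGE LOG: copy SRC into IMAGE, hash both, append to LOG.
# Returns non-zero if the hashes differ, so a bad image is never accepted.
image_drive() {
    src="$1"; image="$2"; log="$3"
    # Plain dd stops on a read error; an imager that handles bad sectors
    # (dc3dd, ddrescue) is the tool of choice for a failing drive.
    dd if="$src" of="$image" bs=4M 2>/dev/null
    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    image_hash=$(sha256sum "$image" | cut -d' ' -f1)
    printf '%s image src=%s dst=%s sha256=%s\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$src" "$image" "$image_hash" >> "$log"
    [ "$src_hash" = "$image_hash" ]
}

# wipe_drive SRC [PASSES] [LOG]: overwrite SRC with zeros PASSES times, then
# verify every byte is zero and log the hash of the wiped drive.
wipe_drive() {
    src="$1"; passes="${2:-1}"; log="${3:-/dev/null}"
    size=$(wc -c < "$src")   # for a real device use: blockdev --getsize64 "$src"
    i=0
    while [ "$i" -lt "$passes" ]; do
        # conv=notrunc: write in place rather than truncating the target
        head -c "$size" /dev/zero | dd of="$src" bs=4M conv=notrunc 2>/dev/null
        i=$((i + 1))
    done
    # tr strips NUL bytes; anything left means the overwrite did not cover SRC
    [ "$(tr -d '\000' < "$src" | wc -c)" -eq 0 ] || return 1
    printf '%s wipe dst=%s passes=%s sha256=%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" \
        "$src" "$passes" "$(sha256sum "$src" | cut -d' ' -f1)" >> "$log"
}
```

On a real drive, run the wipe only after the image hash has been verified and the image and log are stored away from the machine being decommissioned.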
Tony Dearsley is computer forensics manager at Kroll Ontrack. Tracey Stretton is a legal consultant at the same firm. For more information visit www.krollontrack.com