Memories Are Made of This
Carelessly managed data storage can cause some very big headaches.
Regardless of the size and type of your business, chances are you are
constantly gathering and storing data. Whether it is simply names and addresses or more
detailed personal information such as social insurance numbers, drivers' licence numbers,
medical history or family names and birthdates, such information must be protected in
accordance with the provisions of the Privacy Act.
Unfortunately, news headlines about lost customer data can generate
negative publicity for your company, which could potentially cost you business. To avoid
such problems, ensure your company has policies governing data use, storage and disposal.
Data that may no longer be needed may still be quite useful to criminals.
In the Old Days
When hardcopy was king, and files had been in storage long enough to
meet statutory retention requirements, businesses simply called up the shredding company
and watched as documents were safely destroyed. Digital data not only poses different
disposal problems but can also be transmitted almost anywhere.
Storage Today
Today a wide variety of digital devices can become storage media for
confidential data. For instance, PDAs or smartphones of staff and management may easily
contain contact names, addresses, birthdates and photographs. USB flash drives and hard
drives can store significant amounts of information, and could potentially contain data
about your company, clients, engineering plans, budgets, passwords, addresses, or payroll,
to name just a few examples.
Whether it's Mini SD, micro SD, or Compact Flash, they all store
data. These memory cards increase a device's basic storage capacity to the extent they can
store sufficient personal and business data to create serious breach-of-confidence issues
if used by unauthorized individuals. Many of these cards are interchangeable between
devices; for example, the card on the corporate camera may contain data that was on a
laptop or PDA.
Digital cameras used to create visual records of client assets
(trailers, trucks, backhoes, etc.) or of office and plant layouts are harmless when used for
insurance purposes, for example. Such data in the wrong hands, however, could provide
details on asset locations, alarm systems, and floor or yard plans that could be used to
commit a crime.
Many newer photocopiers have hard drives that support copy, print,
scan and fax functions. Some copiers can also support user-based access to thousands of
stored documents.
Old laptops and desktops rendered obsolete by changes in operating
programs often remain loaded with information transferred to newer technology. This data
is easily accessible and could be a goldmine of information for the unscrupulous if thrown
away.
Let us not forget the storage devices that existed before flash
memory, such as tape backups, ZIP drives and floppy diskettes. Much of their information
has been transferred to new technologies but kept on the old computers. CD+/-R or DVD+/-R
discs can store roughly 700MB or up to 8.5GB of data, respectively. There are probably
hundreds of discs in your office containing backup data that is accessible to anyone with
an optical drive on their computer.
Ensure Proper Disposal of Data
Protecting and properly destroying old but still accessible
information requires management to re-establish control.
Take Inventory
1. Inventory all old floppies, ZIPs, tape drives, computers, removed hard drives as well
   as equipment currently in operation.
2. Document the type, location and users of all media.
3. Determine whether the data and/or equipment need to be retained.
4. Determine whether the data was simply archival.
5. Find out whether the data has been migrated to newer equipment.
6. Establish the age of the data.
7. Is older equipment required to read the data?
Once all this has been determined you can decide whether the older
data and equipment can safely be destroyed.
Understand the Flow of Information
What information is being collected?
What information should be considered confidential?
Where and on what media is the information stored?
Is the information on paper?
Is the information on a centralized server?
Is the information on individual standalones, laptops, or a combination of all of the above?
This knowledge will tell you where critical information is located
and will assist in determining what needs to be destroyed.
Manage Data and Its Carrier
Once all the information has been located, you need to determine
whether the media used to hold and store the data can be limited. For example, if data is
stored on a main server, how frequently is it backed up, what medium is used and where is
it stored?
Laptops, flash drives and other data storage media supplied to staff
should be accounted for at all times. Any missing backup disks should be investigated
immediately, especially if they contain sensitive information. All changes to equipment
such as hard drive upgrades must be accounted for. Retired equipment should be inventoried
and stored in a secure location until a decision is made to purge the data and destroy the
medium.
Defining the medium that records the original data source and limiting
the number of backups to a predetermined protocol will also make it easier to determine
where the data resides when the time comes to destroy it. For example, if the original
data is on a server and operational procedures require daily saving onto a hard drive and
weekly saving onto a DVD or CD that is securely stored, with a record of disc number, date
deposited, date removed and by whom, there should be little need for additional backup.
Should it become necessary to retrieve older data, the records will be available.
Disposal
Hard Drives
Hard drives store information magnetically. Deletion does not actually remove the data;
it simply marks it as "deleted" to be overwritten later. A determined individual could
recover the deleted data. Prior to disposing of hard drives, consider wiping the drive
with a utility that overwrites each bit with null data, making data recovery that much
more difficult.
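An added example, not part of the original article, of the overwrite pass described above:
it zero-fills a target, forces the writes to disk, then reads everything back to confirm
that no data survives. The image file, the marker record and the function names are
constructed for illustration.

```python
import os

CHUNK = 1024 * 1024  # write and read in 1 MiB blocks
# Constructed sample record standing in for data left behind by a normal delete.
MARKER = b"PAYROLL: J. Smith SIN 000-000-000"

def zero_wipe(path, chunk=CHUNK):
    """Overwrite every byte of `path` with 0x00; return the number of bytes wiped."""
    zeros = bytes(chunk)
    with open(path, "r+b", buffering=0) as f:
        size = f.seek(0, os.SEEK_END)   # seeking to the end also sizes block devices
        f.seek(0)
        left = size
        while left:
            left -= f.write(zeros[:min(chunk, left)])
        os.fsync(f.fileno())            # push the zeros out of the OS cache
    return size

def verify_zeroed(path, chunk=CHUNK):
    """Read the target back; return the offset of the first non-zero byte, or -1."""
    offset = 0
    with open(path, "rb") as f:
        while block := f.read(chunk):
            rest = block.lstrip(b"\x00")
            if rest:
                return offset + len(block) - len(rest)
            offset += len(block)
    return -1

def contains(path, marker):
    """Naive recovery scan: is `marker` still readable anywhere on the target?"""
    with open(path, "rb") as f:
        return marker in f.read()

def demo(path="retired_drive.img"):
    # Constructed image (about 4 MiB): random filler, the leftover record, zero padding.
    with open(path, "wb") as f:
        f.write(os.urandom(3 * CHUNK) + MARKER + bytes(CHUNK))
    before = contains(path, MARKER)   # record is recoverable before the wipe
    wiped = zero_wipe(path)
    after = contains(path, MARKER)    # and gone afterwards
    first_bad = verify_zeroed(path)
    os.remove(path)
    return before, wiped, after, first_bad

if __name__ == "__main__":
    print(demo())
```

Pointed at a whole device rather than a file, the same pass also covers space the file
system reports as free. On flash media, wear levelling can leave copies that a logical
overwrite never touches, so physical destruction remains the dependable step there.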
CDs and DVDs
Rewritable and reusable CDs or DVDs should be
reformatted before being reused. Discs that cannot be reused should be shredded.
Memory Cards
If memory cards can be removed from PDAs, cell phones,
cameras, etc., remove and reformat them for future use. Resident memory in portable
devices should be reformatted and, as a final security, crushed to ensure that the memory
cards are no longer useable.
Establish and Police Policies
Staff policies should ensure that all equipment and memory devices are accounted for.
Downloading sensitive data to home-office computers or personal laptops should be
prohibited without management's permission.
Follow-up procedures should ensure data is erased from personal
laptops once the job is completed and the office files are updated. Sensitive data files
should be encrypted and password-protected to make unauthorized access more difficult.
This will help prevent unauthorized distribution of company data and ensure all data can
be destroyed in an appropriate manner.
The proliferation of electronic devices allowing storage of confidential data within an
organization is overwhelming. Implementing and adhering to controls on how data is
accessed, stored and ultimately destroyed can reduce the risk of unauthorized access to
and distribution of sensitive information.