Data Destruction Is it really gone? Donna Read Chris Parker Florida Gulf Coast ARMA Chapter April 2013.

Data DestructionIs it really gone?

Donna ReadChris Parker

Florida Gulf Coast ARMA Chapter

April 2013

Life Cycle of a Record Creation or receipt

Use and maintenance

Disposition = perm retention or………

DESTRUCTION

Definition of Destruction

What is in a hard drive? Lead Brominated Flame Retardants Barium Mercury Beryllium Cadmium

Dept. of Defense 5220.22-M

Definition: DoD 5220.22-M is a software based data sanitization method used in various data destruction programs to overwrite existing information on a hard drive or other storage device.

Type of Media Optical Discs CD/DVD Hard Disc Drives HDD Magnetic Tape Floppy Discs Flash Memory Paper Microform Hand held devices Networking devices – routers etc. Equipment – fax & copy machines

Degaussing Degaussing is the process of decreasing or

eliminating a remnant magnetic field. Due to magnetic hysteresis it is generally not possible to reduce a magnetic field completely to zero, so degaussing typically induces a very small "known" field referred to as bias.

Degaussing was originally applied to reduce ships' magnetic signatures during WWII.

Degaussing is also used to reduce magnetic fields in CRT monitors and to destroy the data on magnetic media.

NIST 800-88 Outlines Which Data Destruction & Erasure Options are Best for You

NIST – National Institute of Standards and Technology

Guidelines for Media SanitizationDisposal – Clearing – Purging – Destroying

State E-Waste Guidelines• 19 States already have E-Waste Legislation

• All states will have in 2 – 3 years.

• Makes it illegal to dump E-Waste in landfills

• Puts a carbon tax on manufacturers

Cost of Improper Destruction Dec 2010 – NASA sells shuttle PCs without wiping

secret data – 10 PCs sold that contained highly sensitive data restricted under the arms control rules.

The employees of a physician disposed of medical records inappropriately by placing them into office recycling bins.  Although the contents of the recycling bins were supposed to be shredded, these instructions were not communicated to the building’s janitorial services.  As a result, the files were transferred to the building’s recycling area without being shredded.  Case settled for $85,000.

Law suits abound The drugstore chain CVS is being sued by the

Texas Attorney General for failure to properly dispose of customer records including credit card and debit card numbers, drivers license numbers and medical prescription forms with name, address, date of birth, issuing physician and the types of medication.

It is a violation of several Texas laws and carries potential penalties of $50,000 per violation and/or $500 per abandoned record.

Disposition Decision Making

Take Destruction Seriously There are laws governing the protection

of PII (Personally Identifiable Information)

Identify theft: The United States Department of Justice states that in 2010, 7% of all United States households had at least one member of the family at or over the age of 12 who has been a victim of some sort of identity theft. The odds are against you.

Questions?

Donna Read, CRM, [email protected]

Earl Rich, [email protected]

Chris [email protected]