Does your company have a data deletion and retention policy? If not, it’s time to create one, experts say. In today’s business climate, every keystroke you make on your computer can leave a trace on disks and tapes. Even if you think you’ve deleted it, forensic experts or others may be able to resurrect it. And if your company houses personal information such as client credit-card numbers, healthcare data, or proprietary government information, you must be all the more careful.
The bottom line? You need to safeguard your business from a potential lawsuit.
New “safe harbor” rules
Under new e-discovery rules, companies following consistent data-deletion policies won’t be held liable for no longer having certain records in their possession. The new “safe harbor” rules, adopted in December 2006, amend the Federal Rules of Civil Procedure. Similar rules are recognized by the National Institute of Standards and Technology (NIST) and other international standards-making bodies.
“U.S. and international standards require the regular deletion of sensitive data,” explains Peter Adler, a data and privacy lawyer who heads Alexandria, Va.-based InfoCounsel LLC. “You won’t be sanctioned if you’ve deleted the data.”
Nonetheless, companies are reluctant to take this step. “Most companies don’t have formal policies in place,” notes Brian Babineau, senior analyst with the Milford, Mass.-based Enterprise Strategy Group. A big reason? “Most [corporate] attorneys are reluctant to get rid of anything important, and don’t want their clients to look as if they are hiding something by deleting it,” Babineau says.
How often you should dump data
But having a policy, and following it, could protect your company. How often should you delete or overwrite certain data?
It depends what kind of data it is, experts say.
If it’s e-mail, companies may wish to delete frequently. “The Washington, D.C. [city] government just implemented an every-90-day destruction of e-mail rule,” notes Adler. Some companies delete e-mail as often as every 30 days, he says.
But for other data, companies may opt to purge it every three to seven years. “We are seeing companies on a three-year cycle, who are just retiring a desktop computer after three years and destroying everything on it,” notes Babineau.
Not all data can follow a set cycle. For example, the U.S. Internal Revenue Service advises individuals and businesses to keep basic tax records for at least three years, and basic employment tax records for four years. But there are exceptions to these basics, and the onus is on the filer to follow the rules.
What’s the best deletion solution for your business? It may ultimately depend on the sensitivity of the data your company stores. First, you must determine how many copies of the data you have, and where it’s housed, by using indexing and search software, notes Babineau. Once you’ve identified what needs to be deleted, here are a few options:
- Wiping/Overwriting: This technique literally overwrites a hard drive with gobbledygook so it can’t be read. For smaller companies, a good wiping is probably all that’s needed, says Jesse Lindmar, computer forensics division director of Miles Technologies, a Moorestown, N.J.-based computer consulting firm. With smaller companies, where cost is an issue, “there is no need to physically destroy devices that can be reused,” Lindmar says. The U.S. Department of Defense standard wipe constitutes seven sequential overwrites, Lindmar notes. “The data is not coming back unless you have unlimited time, resources and/or access to high-level laboratory equipment.” Lindmar recommends wiping software such as Intelligent Computer Solutions Inc.’s WipeMaSSter, Active@KillDisk, Jetico BCWipe and WipeDrive.
- Degaussing: Degaussing involves running a hard drive through enough electric and magnetic energy to fry it so it can’t be read, explains InfoCounsel’s Adler. While the hard drive can be used again, Adler warns that degaussing “is only as good as the organization who does it,” and doesn’t always foil data recovery.
- Destroying: Actually shredding and disposing of the hard drive. “It’s so inexpensive to do this,” notes Elizabeth Wilmot, president of Capitol Heights, Maryland-based DataKillers. DataKillers will destroy 10 hard drives for $15.50 per hard drive, and Wilmot notes that replacing hard drives has never been cheaper. “If you have it, it can become fodder for a lawsuit,” she says. “If in doubt, shred it.”
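To make the overwriting approach from the Wiping/Overwriting bullet concrete, here is an added Python example (written for this page, not code from the article or from any of the products it names) that wipes a single file in place with a configurable number of random passes and then checks that a planted sample value can no longer be read back. The pass count, the constructed sample data and the caveat about SSDs and journaling filesystems are this example's own assumptions, not statements from the article.

```python
import os
import secrets
import tempfile

CHUNK = 1 << 20  # overwrite in 1 MiB chunks so large files are never read into memory

def overwrite_file(path: str, passes: int = 7, remove: bool = True) -> int:
    """Overwrite every byte of `path` `passes` times with random data, fsync
    after each pass, then optionally unlink. Returns the passes completed.
    Caveat: file-level only. On SSDs (wear levelling), copy-on-write/journaling
    filesystems, snapshots and backups the old blocks can survive untouched;
    whole-device wiping or physical destruction is the safer choice there."""
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n))
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # force this pass to the device, not just the page cache
    if remove:
        os.remove(path)
    return passes

def contains_marker(path: str, marker: bytes) -> bool:
    """Read the file back and report whether `marker` still appears anywhere."""
    with open(path, "rb") as fh:
        return marker in fh.read()

def demo(passes: int = 3) -> dict:
    """Plant a constructed marker in a temp file, wipe it in place, confirm the
    marker is gone and the size is unchanged, then wipe-and-unlink it."""
    marker = b"CLIENT-CARD-4111111111111111"  # constructed sample, not real data
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as fh:
        fh.write(b"header\n" + marker + b"\n" + b"x" * 4096)
    before = os.path.getsize(path)
    done = overwrite_file(path, passes=passes, remove=False)
    result = {"passes": done,
              "marker_gone": not contains_marker(path, marker),
              "size_unchanged": os.path.getsize(path) == before}
    overwrite_file(path, passes=1, remove=True)
    result["file_removed"] = not os.path.exists(path)
    return result
```

Run `demo()` to exercise the whole sequence; the read-back check is what turns "we ran a wipe" into evidence that the policy was actually followed.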
While developing a data retention/deletion policy is complex -- and likely to involve records management as well -- it is a necessary evil, experts say. “It’s best to err on the side of being protected,” says Wilmot.