Everything Must Go: Effective Data Removal When a Business Closes

Ineffective data removal from corporate desktop computers, laptops, external drives, servers and other IT equipment containing highly sensitive data can pose a serious security risk down the road.

In March, Toys ‘R’ Us broke the hearts of millions when the company announced the closing of all its 735 U.S. stores. When a business decides to terminate operations, what happens to the thousands of IT assets owned by the company—desktop computers, laptops, physical servers, external drives, printers, scanners, smartphones, tablets and so forth—that have collected corporate, customer and even employee data for, in the case of Toys ‘R’ Us, more than 60 years?

With IBM estimating that 2.5 quintillion bytes of data are generated daily, it goes without saying that there is a lot of information that could become vulnerable to loss or theft. Unfortunately, dragging files to the “Recycle Bin” and emptying that bin, or reformatting drives before dumping them into the dumpster, recycling them or even reselling them, could turn into a privacy nightmare. In addition, major regulatory violations and legal fines could be incurred.

Prioritize Privacy Over Payouts

When dissolving a business altogether, retailers such as Toys ‘R’ Us have a corporate responsibility to ensure that all data is expunged permanently from IT assets so it won’t fall into the wrong hands later on. Leaking corporate or customer data, whether accidentally or intentionally, can have major financial, legal and reputational ramifications—going far beyond the standard implications of shuttering a business.

Businesses can mitigate this risk of data exposure and incurred costs by implementing the necessary data retention and data removal policies, outlining key stages in data’s life cycle where it could be compromised and detailing when, where and how to properly remove data that is no longer required. This includes removal at the “end-of-life” stage, when employees leave the company, as well as making data removal an ongoing process to minimize overall exposure.

Is This Data Really, Truly Gone?

The ‘Recycle Bin’ feature on computers makes it easy for users to recover files that may have been accidentally deleted, saving many of us from a sudden panic on more than one occasion. But the initial excitement is short-lived—and the feature perpetuates the lack of understanding about the difference between “deleting” and permanently erasing data.

Actions such as using basic deletion commands, deleting Windows and installing it again and even reformatting an entire drive do not permanently remove the files. These methods only move information from one location to another. They don’t actually destroy a file; they merely remove pointers or indicators to the data. And so, companies that are shutting down their business will still have thousands, possibly even millions, of files that are easily accessible and susceptible to data loss and theft. The right way to permanently erase files from computers/laptops, servers and external drives is to overwrite the data with zeros and ones multiple times.

To make sure deleted information cannot be recovered, these closing businesses need to use certified tools that securely erase data and comply with regulatory standards, including stringent ISO, NIST, HIPAA, PCI DSS and SOX requirements. It’s critical for businesses to not only erase data (so it is really, truly gone forever), but to also provide evidence that a) the process has been performed, and b) all data has been completely and permanently removed.

Reporting: Data removal reports should contain hardware asset details such as BIOS serial number, asset tag, MAC address and HDD serial numbers, as well as detailed information about the software used to complete the erasure process. And it is critical that these documents are tamper-proof, meaning they cannot be altered after the fact. If this is not provided, the credibility of the data removal method/tool itself cannot be verified. That opens the door to major risks for the business’s past customers and makes it that much more difficult to maintain an audit trail that can be checked by security regulators, auditors and governing bodies.

Auditing: Each certificate of erasure should be compared against the current asset database to confirm that all data maintained by the company has been permanently erased.
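The reporting and auditing steps above can be sketched as a reconciliation script. This is an added example, not code from the article or from any erasure product: the report field names, the sample inventory and the HMAC-SHA256 seal (standing in for whatever signing scheme a certified tool uses) are all assumptions.

```python
import hashlib
import hmac
import json

# Assumption: each report is sealed with HMAC-SHA256 under a key the auditor
# holds, so an edit made after sealing is detectable. Key and data are constructed.
AUDIT_KEY = b"constructed-demo-key"
REQUIRED = ("bios_serial", "asset_tag", "mac_address", "hdd_serials", "software")

def seal(report):
    """HMAC over the canonical JSON form of a report."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(AUDIT_KEY, body, hashlib.sha256).hexdigest()

def audit(inventory, certificates):
    """Compare certificates of erasure against the asset database."""
    erased, rejected = {}, []
    for cert in certificates:
        report = cert["report"]
        tag = report.get("asset_tag") or "<missing>"
        if any(not report.get(field) for field in REQUIRED):
            rejected.append((tag, "incomplete"))
        elif not hmac.compare_digest(seal(report), cert.get("seal", "")):
            rejected.append((tag, "seal mismatch"))
        else:
            erased.setdefault(tag, set()).update(report["hdd_serials"])
    missing = {}
    for tag, drives in inventory.items():
        left = sorted(set(drives) - erased.get(tag, set()))
        if left:  # drives in the asset database with no valid certificate
            missing[tag] = left
    unknown = sorted(set(erased) - set(inventory))  # certified but not inventoried
    return {"rejected": rejected, "missing": missing, "unknown": unknown}

def make_cert(tag, drives, **overrides):
    """Build a sealed sample certificate (constructed data)."""
    report = {"bios_serial": "BIOS-" + tag, "asset_tag": tag,
              "mac_address": "02:00:00:00:00:01", "hdd_serials": drives,
              "software": "ExampleEraser 1.0"}
    report.update(overrides)
    return {"report": report, "seal": seal(report)}

# Constructed sample: AT-002 has an uncertified drive, AT-999 is not inventoried.
INVENTORY = {"AT-001": ["HD-A1"], "AT-002": ["HD-B1", "HD-B2"], "AT-003": ["HD-C1"]}
CERTS = [make_cert("AT-001", ["HD-A1"]), make_cert("AT-002", ["HD-B1"]),
         make_cert("AT-003", ["HD-C1"]), make_cert("AT-999", ["HD-Z9"])]
CERTS[2]["report"]["hdd_serials"] = ["HD-C1", "HD-C2"]  # altered after sealing

if __name__ == "__main__":
    print(audit(INVENTORY, CERTS))
```

An altered certificate is rejected outright, so the drives it claims to cover show up as still unerased until a valid report is produced.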

Conclusion

From dolls, board games and Legos, to computers, servers and data, everything must go when a business shuts down. In today’s digitally ruled environment, data removal has to become the rule—not the exception.

For those businesses that overlook permanently erasing critical information stored across IT assets and storage environments, it will be as if they’ve sent hundreds of files directly into a criminal’s Recycle Bin, making them easily retrievable and susceptible to a data breach.

Russ Ernst

As the Executive Vice President, Products and Technology at Blancco, Russ Ernst is responsible for defining, driving and executing the product strategy across both the data erasure and mobile diagnostics product suites. Critical parts of his role include developing a strong team of product owners and cultivating an organizational product culture based on continuous testing and learning. Given his deep technical expertise and understanding of the data security landscape, Ernst often speaks on Blancco’s webinars alongside data security influencers on topics such as cloud storage, SSD data destruction challenges and data deletion methods.
