Managing and protecting all enterprise data


Data destruction: When data should disappear

Most companies don't have a detailed policy that governs what data they need to keep and what data should be destroyed. Deciding on the destruction levels you're comfortable with is the easiest part of this puzzle. The most complicated piece is figuring out what to destroy and when, and then sticking to it.

Most companies don't have a detailed policy that governs what data they need to keep and what data should be destroyed.

Once a year, the Winter Hill Bank in Somerville, MA, gets rid of everything--hundreds of boxes of paper, backup tapes and even plastic binders, according to Bill DiTucci, facilities manager at the bank. "The truck comes and in a couple of hours it's all destroyed right there in front of us," he says.

Like many other financial institutions around the world, Winter Hill Bank isn't taking any chances when it comes to protecting customer information. With a data destruction policy in place, DiTucci says the bank is less exposed to criminal and civil prosecution, as well as the costly loss of business that comes from newspaper headlines should sensitive customer data end up in the wrong hands.

Winter Hill Bank uses The Brinks Company, a document and media destruction firm that operates a fleet of mobile shredding trucks across the U.S. On a scheduled basis, these vehicles roll up to a customer site and pulverize mountains of paper or backup media, depending on the company's requirements, in exchange for a certificate of destruction confirming the job was done according to guidelines from the National Institute of Standards and Technology. "We destroy in 15 minutes what would take you days and days to shred," boasts The Brinks Company on its Web site.

For other organizations, however, especially those with open litigation cases, data destruction is a tightly controlled process, most often dictated by the policies established by the company's legal department. For example, Harold Shapiro, director and technology architect, management information services at Warner Bros. Entertainment Inc., says he's required to hold on to some tapes forever.

Another company, Data Killers, a division of Turtle Wings Inc., an electronics recycling center in Capitol Heights, MD, operates a 6,600 lb., four-shaft shredder that can shred approximately 1,000 lbs. of metal and plastic per hour. The shredding process not only cuts and shreds metal but, by forcing it through cutters and screens, compresses and compacts it, rendering it completely unrecoverable, claims the company.

The College of Southern Maryland, La Plata, MD, put this process to the test recently to dispose of 1,200 backup tapes it found while renovating a building on campus. "[The tapes] were put on a top shelf and nobody knew they were there," says Peggy Jones, business manager for the information management team at the college. The college had migrated to a new backup application and the old tapes were unreadable in the new system. In a little more than an hour at the Data Killers' facility, the tapes were pulverized into a substance that looked like "confetti" says Jones, adding that they had no idea what was on the tapes "and you can never be too careful these days." The college is in the process of creating a destruction policy so it doesn't face the same backlog of tapes in the future.

But even shredding doesn't always do the job, says Brett Shavers, president of E3 Discovery LLC, Bellevue, WA, and a computer forensics examiner. He's recovered data from drives that seem completely beyond repair. "It's possible to read useful data off a platter that has been cut into chunks that are only 1/25th of an inch," he claims. A more common issue, he notes, is firms "wiping" drives and then donating/selling them and the data still showing up. "People's healthcare records have turned up in the oddest places," he says.

Generally, one or two wipes is enough to frustrate any ordinary forensic analysis. But for the extra cautious, Shavers recommends going with the U.S. Department of Defense requirement of three overwrite passes to erase a drive, or the National Security Agency standard of seven overwrite passes, before physically destroying the media. For the ultra-paranoid, there are also services that melt down and liquefy drives, a practice the U.S. Navy has used since the 1970s (see "This message will self-destruct in five seconds," below).

This message will self-destruct in five seconds

Texas Memory Systems doesn't advertise this on its Web site or in any of its marketing materials, but the solid state disk (SSD) provider manufactures a version of its product that makes data instantly disappear.

The Texas Memory Systems RamSan-410v SSD system is exactly the same product as the RamSan-400, but without the battery power and backup disk drives. "When you kill the power to the unit, the data truly disappears," claims Woody Hutsell, executive VP at Texas Memory Systems.

Government agencies, the military and businesses operating in "less-secure parts of the world" use it, but Hutsell was reluctant to disclose more details. It's a niche portion of Texas Memory Systems' business, representing less than 5% of the company's revenue last year.

Flash-based systems from BiTMicro Networks Inc. and SanDisk Corp. offer a similar instant-erase capability. SanDisk also offers a partial security-erase feature that allows users to delete only confidential data, freeing space on the disk for the next mission.

Degaussing services
For most organizations however, degaussing services are enough. EMC Corp. estimates it performs nearly 100 erasures per month of entire arrays and single drives since the launch of its data erasure service in 2005. In most cases, it's for equipment coming off a lease. The customer wants a guarantee their data is completely erased before trading the storage system in for another one. Or they might be redeploying storage to another department, for example, from human resources to test and development, and need to remove confidential information. Data center relocations are another major driver of data erasure services, according to EMC.

Paula Laughlin, director of global services marketing at EMC, claims that in the past few months she's seen a "noticeable uptake" in single-drive erasures at banks. "When drives fail, often they can still spin up and the banks in particular are being extra careful that the data on them is erased," she says. EMC is working on making the service even more granular to provide volume and LUN-level erasures and to wipe certain portions of a database. "Customers are asking us to speed up this process, too," she notes. An in-frame erasure of a single drive can take several hours or up to a day, depending on the load.

Data destruction policies
It turns out that deciding on the destruction levels you're comfortable with is the easiest part of destroying data. The most complicated piece is figuring out what to destroy and when, and then sticking to it.

The National Association for Information Destruction (NAID) Inc., a trade association of data destruction companies, recently interviewed 508 companies of all sizes and industry groups across the U.S. on their document destruction policies. NAID's report revealed that 45% of surveyed organizations have no written policy concerning the protection and disposal of confidential information.

Gartner Inc. believes the problem is even worse than that. "There isn't a company in the U.S. that has an effective data [retention] policy across the board," says Debra Logan, research VP at Gartner in Haywards Heath, UK.

Government agencies appear to be among the worst offenders for hoarding data. "I have seen numerous instances of data without owners, and therefore of low quality and often useless, but we keep it all," says a senior U.S. government advisor on health policy who requested anonymity due to the sensitivity of the topic. A recent investigation to clean up a dataset that purportedly identified doctors being paid by Medicare took several months of study. The data went through five agencies and institutions that passed it on "without a care as to its reliability," according to this user. "No one owned it ... it was useless for our purposes." He suggests the IT industry needs two new professions: a data coroner who will certify when data is dead and a data mortician who will bury it.

Experts say the only way to get a handle on this data explosion is to create a data destruction policy that the new Federal Rules of Civil Procedure, effective since Dec. 1, 2006, all but mandate. Parties in a lawsuit are now required to address the issue of electronically stored data very early in the proceedings in compulsory "meet-and-confer" sessions. The preservation and destruction of data and its disclosure, as well as any claims of privileged information, for example, are now on the table per amendments to Rule 26(f).

Specifically, the rules say that while a litigant is under no duty to keep every document in its possession, it's under a duty to preserve any information that could reasonably be believed to be relevant to the case, says Mike Karp, senior analyst at Enterprise Management Associates, Boulder, CO. But, he says, what's reasonable to one person might not be reasonable to the next. It's this grey area that's a headache for many firms.

Sticking to the policy
Even with a data destruction policy in place, things can still go wrong. Intel Corp.'s recent antitrust case with Advanced Micro Devices (AMD) Inc. is an interesting example of how closely companies need to follow the letter of the law. The chip giant admitted in court that "it regrets the lapse in its retention practices" around preserving employee emails, a mistake that cost the company $3.3 million to process backup tapes to recover missing emails. Intel has turned over 30 million pages of potential evidence so far and expects to spend millions more on discovery.

The "lapses," which came to light in early March 2007, stem partly from the fact that Intel's email system automatically deleted emails after 35 days to 45 days if employees didn't take action to save them. This policy didn't take into account litigation-hold proceedings that require companies to keep all records relevant to legal action. AMD criticized Intel's policy for its "grim reaper" impact on evidence in the case.

"A litigation hold on document destruction will always trump your destruction policy," says L. Scott Oliver, partner with Pooley & Oliver LLP, a Palo Alto, CA-based patent litigation firm specializing in semiconductor and software companies. "You need to keep everything once a case begins as you won't know what data could be deemed discoverable."

This creates no end of problems for storage managers. "The legal folks say hold on to everything until we say not to anymore," explains Warner Bros. Entertainment's Shapiro. "But they never release the hold." For anyone involved in litigation at Warner Bros., Shapiro moves their mailbox and file shares to a separate server and performs a full backup of it every day. Those tapes are pretty much kept forever, he says.

Warner Bros. uses IBM Corp.'s Tivoli Storage Manager (TSM) for backup. TSM works on an incremental forever approach rather than taking weekly full backups, which means that the servers under litigation must be managed separately. "We're constantly doing backups and buying more tapes ... the permanent holds are what's killing us," says Shapiro. He's protecting approximately 70TB on a daily basis and has used well over 1,000 LTO-3 tapes in the past six months.

The company has a 30-day retention policy for backups of all files and databases. It had been longer than that, but the number of tapes the company had to retain was overwhelming. "The 30-day rule has meant we can reclaim tapes," says Shapiro. Warner Bros. outsourced its email backup to Zantaz Inc. (recently acquired by Autonomy Corp. PLC) to clean up its PST problem, which spreads like poison ivy through IT departments. Warner Bros.' employees have a 150MB message store and an automated policy moves email into a system cleanup file after 90 days. It stays there for 30 days and if the users don't touch it, it's deleted. The policy seems to be working for now, says Shapiro, as long as the budget is there to keep buying more tapes.

Experts warn that stringent deletion policies can often lead to "underground archival," which is when employees use alternative storage media such as zip drives, thumb drives, CDs and DVDs to store data. "They [personally] save stuff, which is very dangerous from a legal standpoint," says Mark Diamond, president and CEO of Contoural Inc.

A 30-day or 60-day deletion policy is irrelevant once the court discovers copies of data outside the boundaries of the company's deletion policies. "It's not what you should have been doing but what you actually have that matters," notes Diamond. He recommends companies ban the use of external storage media wherever possible and document this practice. "It makes it harder for users to move data, but it protects the company," he explains.

Oliver at Pooley & Oliver LLP adds that companies must come up with destruction policies and implement them before they get into litigation. "It's easy to come up with a policy, but you must execute on it," he says. It requires close integration of management with IT groups, and there's often tension between the policy and the employees of the company (see "Data destruction best practices," below). Stories abound of firms preparing for litigation and shredding paper to "look clean," he says. The problem is, "there's always a copy somewhere; it's hard to keep these things contained," he adds.

Data destruction best practices

  1. Establish a well-defined destruction policy and clearly identify the legitimate business reasons that support the policy.
  2. Implement the policy on a consistent basis. Failure to do so could undermine the stated legitimate business reasons for the policy.
  3. Maintain an updated database showing all sources of electronically stored information, the type of information stored, and details such as file names and date ranges.
  4. Establish the means to quickly and adequately implement "litigation holds" on any electronic information that might be relevant to actual or likely litigation.
  5. Designate a single management-level employee to serve as the company's representative on the issue of the organization's destruction policy--both the business reasons that support such a policy as well as the measures undertaken to meet litigation hold requirements. This person will serve as the organization's spokesperson on the facts that demonstrate "good faith" in connection with the organization's destruction policy.
Source: Zantaz Inc. (recently acquired by Autonomy Corp. PLC)

Oliver tells the story of a "major name brand" on the East Coast that never thought about the scope of the documents its employees were hoarding. It received a discovery request and had the standard 30 days to respond. The firm paid $1 million a month to Pooley & Oliver to have a crew of lawyers go through boxes and boxes of email printouts. Another example was a CEO about to make a deposition who suddenly revealed that he had his own personal email archive. "We had to sift out all the privileged documents ... that was a fun all-nighter," jokes Oliver.

David Bayer, VP of marketing and alliance development at Stratify Inc., a legal discovery software provider, suggests that if you're going to have a shred day "make sure it has a policy around it."

Encrypt data
Jon Oltsik, senior analyst at Enterprise Strategy Group in Milford, MA, believes encryption is one of the most effective ways to destroy data. For example, Hitachi Data Systems (HDS) Corp. recently introduced an encryption feature for users looking to step up the security of their archive. The patent-pending technology, which is referred to as "secret sharing," allows users to store their security key within the Hitachi Content Archive Platform and "secretly share" that key across multiple nodes within the archive. In doing so, HDS claims only a fully operational system--one with all of its nodes connected to the archive--can decrypt the content, meta data and search index. This new software ensures that if a server or storage device is stolen or removed from the cluster, the device's data would be automatically encrypted and unreadable by any other device.

"In the future, that's how we'll deal with all this data because you can't take physical possession of every device and just destroy it," says Oltsik. "There are too many devices, with more coming."

Article 3 of 16

Dig Deeper on Data storage compliance and regulations

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.

Get More Storage

Access to all of our back issues View All