
Die Hard (Drive)

The crucial task of replacing old machines is about to get even harder: New federal regulations hold companies responsible for properly disposing o...
Esther Shein, December 15, 2004

In general, the development of faster computers just barely keeps pace with the need for faster computers. Back in 2000, for instance, a PC equipped with a 500-megahertz Pentium III chip could easily handle most computing tasks performed by a typical business user. Today, that same computer would churn through a graphics-laden, enterprisewide business-intelligence program with all the speed of a teenager asked to do a chore.

To help keep up with new, more robust releases of business software, companies typically replace workers’ computers every three to four years. While this schedule seems about right, there is one slight downside to the regimen: getting rid of old computers is growing increasingly difficult. These days, computers hold a massive amount of structured and unstructured data, as well as application logic and personalized settings. Migrating this information from one storage device to another can be a pain. Moreover, laws require companies in the United States to dispose of PCs in an environmentally friendly fashion (computer hardware contains toxins such as lead and mercury). Failure to do so can result in stiff fines from the Environmental Protection Agency.

Given the hurdles, it’s hardly surprising that executives tend to focus on “putting new IT systems in place rather than getting rid of old ones,” says Michael Warrilow, a senior analyst with the security and risk strategies team at Meta Group. But the crucial task of replacing old machines is about to get even harder: federal regulations slated to go into effect next month — including those from the Health Insurance Portability and Accountability Act and the Gramm-Leach-Bliley Act — hold companies responsible for properly disposing of any personal information stored on donated or dumped computers. In addition, provisions of Sarbanes-Oxley require publicly traded companies to maintain procedures for the safe disposal of computers. Says Jenny Schuchert, vice president, program development, at the International Association of IT Asset Managers: “[The companies affected by Sarbox] typically have 25,000 desktops in use, so a significant percentage have to be retired each week. They know something has to be done with them — they just can’t end up in a landfill.”

The new laws should worry a whole host of corporate officers, starting with CFOs and corporate risk managers. Companies that take shortcuts in wiping hard drives run the risk of violating these privacy laws — and alienating customers in the process. “If you do something outrageous to your consumers, like expose their data,” cautions Lisa J. Sotto, a partner in the New York office and head of the Privacy Regulatory Practice Group at law firm Hunton & Williams, “you’ve incurred a reputational risk that could have an enormous impact on future revenues.”

Still Lurking About

While erasing data from a hard drive is so easy a child can do it (and often that’s just how it happens), permanently erasing data from a disk drive requires effort. Deleting files or reformatting a drive merely rewrites the directory structures; the underlying data blocks are left intact and can be recovered by reading the disk directly. Even installing a new operating system overwrites only the blocks the installation happens to use, so whatever sat elsewhere on the drive is still lurking about. Warns Steve Koch, managing partner at IT and business consultancy Client Care Associates, “Unless you overwrite the whole hard drive, it will still hold data from the previous client.”

To get drives clean, a growing number of companies are embracing the overwrite procedure laid out in the Department of Defense’s 5220.22-M standard, an outfit that knows something about sweeping. “DoD wipes overwrite the entire hard drive with zeros and ones,” explains Koch. The standard calls for three passes (a fixed pattern, its complement, then random data, each read back to verify it was written), and extended variants run as many as seven. “That way,” he says, “there’s no possibility any data can be recovered.”
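The following is an added illustration, not code from the article or from any of the vendors it names. It simulates a small disk image with a toy directory table (an assumed layout, not a real filesystem) and a constructed customer record, then shows what a raw forensic-style search still finds after a quick format and after a fresh “OS install”, and what is left after a three-pass overwrite with read-back verification of the kind the text describes. The record, block geometry, and function names are all assumptions for the demonstration.

```python
"""Why deleting, reformatting or reinstalling leaves data on a drive,
and why a full multi-pass overwrite does not. Toy disk image; the
directory layout is invented for this example and is not a real filesystem."""
import secrets
import struct

BLOCK = 512                     # bytes per block (assumed toy geometry)
N_BLOCKS = 64                   # a 32 KiB "disk"
ENTRY = struct.Struct("<II")    # directory entry: (first_block, length)

# Constructed sample record (the SSN is the well-known dummy 078-05-1120,
# the card number is the standard Visa test number).
CUSTOMER_RECORD = b"SSN=078-05-1120;NAME=JANE DOE;CARD=4111111111111111"


def new_disk() -> bytearray:
    """Fresh, all-zero disk image. Block 0 holds the directory table."""
    return bytearray(BLOCK * N_BLOCKS)


def list_files(disk: bytearray) -> list:
    """Parse the directory in block 0; an all-zero entry ends the table."""
    entries = []
    for off in range(0, BLOCK, ENTRY.size):
        first, length = ENTRY.unpack_from(disk, off)
        if first == 0 and length == 0:
            break
        entries.append((first, length))
    return entries


def write_file(disk: bytearray, first_block: int, data: bytes) -> None:
    """Write data at first_block and append a directory entry for it."""
    start = first_block * BLOCK
    disk[start:start + len(data)] = data
    slot = len(list_files(disk)) * ENTRY.size
    ENTRY.pack_into(disk, slot, first_block, len(data))


def quick_format(disk: bytearray) -> None:
    """What a quick format does: rebuild the directory, touch nothing else."""
    disk[0:BLOCK] = bytes(BLOCK)


def install_os(disk: bytearray, os_blocks: int) -> None:
    """Lay a new 'OS image' over the first os_blocks blocks only."""
    image = (b"NEW-OS-IMAGE " * BLOCK)[:os_blocks * BLOCK]
    disk[0:os_blocks * BLOCK] = image


def carve(disk: bytearray, needle: bytes) -> int:
    """Forensic-style raw search that ignores the directory entirely.
    Returns the byte offset of the needle, or -1 if it is gone."""
    return bytes(disk).find(needle)


def wipe(disk: bytearray, passes: int = 3) -> int:
    """Overwrite every byte of the image, pass after pass, reading each
    pass back to verify it took. Patterns cycle zeros, ones, random
    (the three-pass scheme in the text). Returns the number of verified passes."""
    size = len(disk)
    verified = 0
    for i in range(passes):
        kind = i % 3
        if kind == 0:
            pattern = bytes(size)
        elif kind == 1:
            pattern = b"\xff" * size
        else:
            pattern = secrets.token_bytes(size)
        disk[:] = pattern
        if bytes(disk) != pattern:          # read-back check of this pass
            raise RuntimeError(f"pass {i + 1} did not verify")
        verified += 1
    return verified


def demo() -> dict:
    """Walk through the scenarios in the text and record what a raw
    search still finds after each step (-1 means nothing found)."""
    disk = new_disk()
    write_file(disk, 40, CUSTOMER_RECORD)        # well past the OS area
    results = {"listed": list_files(disk)}
    quick_format(disk)
    results["dir_after_format"] = list_files(disk)   # directory says: empty
    results["after_format"] = carve(disk, CUSTOMER_RECORD)
    install_os(disk, os_blocks=8)                # blocks 0-7 only
    results["after_install"] = carve(disk, CUSTOMER_RECORD)
    results["passes"] = wipe(disk, passes=3)
    results["after_wipe"] = carve(disk, CUSTOMER_RECORD)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the directory empty after the quick format while the record is still found at its original offset, still found after the new OS image is written over the first blocks, and gone only after every block has been overwritten. On real hardware the read-back step matters more than it does in memory: it is what catches a pass that silently failed partway through the drive.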

Rather than pass the laborious task on to IT departments, some companies are hiring outsiders to blank their drives. A number of vendors (including Armonk, N.Y.-based IBM Asset Recovery Solutions; QSGI of Hightstown, N.J.; and Gold Circuit, based in Chandler, Ariz.) now offer DoD disk-erase services on a per-hard-drive basis. Prices range from $20 to $50 per unit, depending on the size of the hard drive.

A small price for peace of mind. Consider Cummins Inc., a Columbus, Ind.-based maker of power systems that in 2001 began planning a program to standardize hardware and software for all of its 24,000 employees. Cummins eventually brought in IBM to dispose of 20,000 computers, many of which were donated to charity. Key to the plan: Cummins stipulated that the vendor overwrite hard drives three times — a process that took about an hour and 40 minutes per machine.

Overkill? Maybe. But as Fred C. Vehling, director of IT procurement hardware and services at Cummins, rightly asks: “How do you know someone wouldn’t pick up one of our computers at a flea market and that our competition might not get their hands on it?”

Esther Shein is a regular contributor to CFO.

Nobody Likes Leftovers

Penalties that may be imposed for violating data-privacy and computer-disposal regulations.

Health Insurance Portability and Accountability Act

  • Civil monetary penalties of not more than $100 for each violation, with a cap of $25,000 per calendar year
  • If violation involves a wrongful disclosure, monetary penalty of not more than $50,000, imprisonment for not more than 1 year, or both
  • If violation is committed under false pretenses, fine of not more than $100,000, imprisonment for not more than 5 years, or both
  • If violation is committed with the intent to sell, transfer, or use individually identifiable health information for commercial advantage, personal gain, or malicious harm, fine of not more than $250,000, imprisonment for not more than 10 years, or both

Gramm-Leach-Bliley Act

  • Civil monetary penalties of not more than $100,000 for each violation
  • Officers and directors of the financial institution would be personally liable for a civil penalty of not more than $10,000 each
  • The financial institution and officers and directors would be subject to fines in accordance with Title 18 of the U.S. Code and imprisonment for not more than 5 years, or both

Sarbanes-Oxley Act

  • Civil monetary penalties of not more than $100,000 per violation for a natural person; $2 million for any other person
  • If the violation is intentional or results from knowing conduct (for example, recklessness), civil monetary penalties of $750,000 per violation for a natural person; $15 million for any other person

Source: Hunton & Williams LLP
