How Risky Is Tossing Your Old Servers? Maybe $60,000,000 Fine

We all have them. Old computers sitting around in storage, never to be used again. Broken servers that have passed their prime. Laptops abandoned for their newer, shinier versions.

And what do you do with them? If these are business computers and you were considering tossing them into the trash can or hauling them to the landfill, you could be courting serious risk for your company. Improper disposal of data holders can lead to embarrassment, lawsuits, and fines.

There are environmental issues, of course.  The FTC publishes a notice on disposal of computers that states: “Most computers contain hazardous materials like heavy metals that can contaminate the earth and don’t belong in a landfill. So what are your options? You can recycle or donate your computer. Computer manufacturers, electronics stores, and other organizations have computer recycling or donation programs. Check out the Environmental Protection Agency's Electronics Donation and Recycling page to learn about recycling or donating your computer.”

But the data exposure is another ballgame entirely. We were reminded of this fact last week when the Office of the Comptroller of the Currency, a lead regulator for national banks, fined Morgan Stanley Bank and its Private Bank $60 million for risk management issues related to the closing of two wealth management data centers.

The American Banker reported, “The OCC found that the bank did not take proper precautions in dismantling and disposing of outgoing hardware that contained sensitive customer data and failed to properly supervise the vendors that Morgan Stanley tasked with wiping customer data from the old equipment before it was resold.” The OCC reported in its press release on the fine, “Among other things, the banks failed to effectively assess or address risks associated with decommissioning its hardware; failed to adequately assess the risk of subcontracting the decommissioning work, including exercising adequate due diligence in selecting a vendor and monitoring its performance; and failed to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.”

But the OCC investigation was not the only attack on Morgan Stanley’s computer disposal procedures arising from the decommissioning of these data centers. Two lawsuits have also been filed by Morgan Stanley clients and former clients who were notified that the data center closing placed their information at risk. The lawsuits claim that unencrypted private financial data remained on the decommissioned computers after they left the bank’s possession and that a software flaw left previously deleted data on the computer hard drives. These putative class action suits have not yet specified damages.

As Morgan Stanley can now attest, termination/destruction hygiene is a crucial part of any information technology program. And like many aspects of modern computing and e-commerce, if safe computer destruction is not part of your company’s core competence, then you are likely best served by hiring professionals to perform the task for you.  But make sure you know what you are getting.

Computer recycling, destruction, and refurbishment involve a full removal of unencrypted data from the drives and storage units. We all know that the simple deletion of an item does not necessarily remove the item itself, just the ease of access to it – like boarding up the door of a house.  The house is still there, just harder to enter. Your vendor handling destruction should be able to attest to writing over the important drives or otherwise destroying the data or drives themselves.

As stated on the U.S. Homeland Security website, “Do not rely solely on the deletion method you routinely use, such as moving a file to the trash or recycle bin or selecting “delete” from the menu. Even if you empty the trash, the deleted files are still on the device and can be retrieved. Permanent data deletion requires several steps.” Homeland Security promotes full physical destruction of the device to prevent others from retrieving sensitive information off of a decommissioned computer.

It also promotes overwriting, in which strings of ones and zeros are written over the data to completely obliterate it.  The site suggests using either of the following:

• Cipher.exe is a built-in command-line tool in Microsoft Windows operating systems that can be used to encrypt or decrypt data on New Technology File System drives. This tool also securely deletes data by overwriting it.
• Clearing is a level of media sanitation that does not allow information to be retrieved by data, disk, or file recovery utilities. The National Institute of Standards and Technology (NIST) notes that devices must be resistant to keystroke recovery attempts from standard input devices (e.g., a keyboard or mouse) and from data scavenging tools.

Either of these options can help assure that your company meets its obligations for the proper disposal of outdated computers.

The end of a computer’s life can be just as dangerous as its active use for exposing sensitive data. Your company needs a set of written policies and programs to establish that computers are removed in a legally compliant manner. Fines, lawsuits, and significant customer conflict may follow if you don’t get this right.