Everything Must Go: What Happens to Data After a Business Closes?

By Richard Stiennon
Published September 07 2016, 6:30am EDT

After filing for Chapter 11 bankruptcy earlier this spring, Colorado-based Sports Authority recently announced that the company would sell its intellectual property to rival retailer Dick’s Sporting Goods for $15 million. Included among the intellectual property (IP) assets are the company name itself and its e-commerce website—plus 114 million customer files and 25 million email addresses.

Needless to say, in the process of terminating business operations and liquidating more than 450 stores nationwide, Sports Authority unearthed an enormous amount of data that it’s now (desperately) trying to reallocate. But when closing the doors for good—whether it’s for strategic, economic or other reasons—auctioning off IP is just one direction that valuable company data can head in.

What happens to the thousands of IT assets owned by the company—desktop computers, laptops, physical servers, external drives, printers, scanners, smartphones, tablets and so forth—that contain corporate, customer and even employee data collected and stored for years? What happens to the cloud instances of virtual machines and data stores? Where does that data go?

With IBM estimating that 2.5 quintillion bytes of data are generated daily, it goes without saying that there is a lot of data that could become vulnerable to loss/theft. But dragging files to the ‘Recycle Bin’ on computers and emptying that bin, or reformatting drives, before dumping them into the dumpster, recycling them or even reselling them could turn into a privacy nightmare for the company that’s going out of business, its customers and its employees. And that doesn’t even include the regulatory violations and legal fines that could be incurred.

Prioritize Privacy Over Payouts

When dissolving a business altogether, or closing a selection of brick-and-mortar locations, retailers like Sports Authority have a corporate responsibility to ensure that all data is expunged permanently from IT assets and won’t fall into the wrong hands later on. Leaking corporate or customer data, whether it’s accidentally or intentionally, can have major financial, legal and reputational ramifications—going far beyond the standard implications of shuttering a business.

Businesses can mitigate this risk of data exposure and incurred costs by implementing the necessary data retention and data removal policies. These policies should outline the key stages in data’s lifecycle where it could be compromised and detail when, where and how to properly remove data that is no longer required: at the ‘end-of-life’ stage, when employees leave the company, and as an ongoing process to minimize overall exposure.

A data removal policy needs to be integrated into organizations’ overall data management policies and processes—but this isn’t the reality of today. Unfortunately, data removal is typically placed low on the priority list of CIOs and IT professionals in terms of budget, resources and tools. This is due in large part to the heavy amount of attention and fear that persists about other security threats such as malware, phishing and spoofing.

To make matters worse, businesses have an incomplete view and understanding of data asset management. As a result, data removal within organizations is heavily tied to each physical asset’s lifecycle, and in most cases today, data’s lifecycle can be much longer or shorter—depending on the type of data—than the lifespan of a physical asset.

Is This Confidential Data Really, Truly Gone?

The Recycle Bin feature on computers makes it easy for users to recover files that may have been accidentally deleted, saving many of us from a sudden panic on more than one instance. But the initial excitement is short-lived and perpetuates the lack of understanding about the difference between ‘deleting’ and permanently erasing data.

Using basic deletion commands, deleting Windows and installing it again and even reformatting an entire drive don’t permanently remove the files. These actions only move information from one location to another. They don’t actually destroy a file; they merely remove pointers or indicators to the data. And so, companies like Sports Authority that are shutting down their business will still have thousands (possibly even millions) of files that are easily accessible and susceptible to data loss or theft.

In order to make sure deleted information cannot be recovered, businesses need to use certified tools that securely erase data and comply with regulatory standards, including stringent ISO, NIST, HIPAA, PCI DSS and SOX requirements. It’s critical for businesses to not only erase data (so it is really, truly gone forever), but to also provide evidence that A. the process has been performed, and B. all data has been completely and permanently removed.

Now this is where verification is absolutely critical. I like to think about it in the same way that I think about filing my taxes. Once you have filed your taxes, you always ask for proof and documentation that your taxes have indeed been filed. Why? Because you can use it to protect yourself in the event of a financial audit. The same rationale applies to data removal. And yet, so few businesses ask for proof that data has been permanently erased and can never be recovered.

Reporting: Data removal reports should contain hardware asset details such as BIOS serial number, asset tag, MAC address and HDD serial numbers, as well as detailed information about the software used to complete the erasure process. And it is critical that these documents are tamper-proof. If this is not provided, the credibility of the data removal method itself cannot be verified. That opens the door to major risks, and makes it that much more difficult to maintain an audit trail that can be checked by security regulators, auditors and governing bodies.

Auditing: Each certificate of erasure should be compared against the current asset database to confirm that all data maintained by the company has been permanently erased. Use a tool that can gather erasure reports into a single database to help automate this process and that contains an API for easy integration with your asset database.
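The reporting and auditing steps above can be illustrated with an added Python example (not code from the article or from any erasure product) that reconciles sealed erasure certificates against an asset inventory, per drive serial. The field names, the `erased_verified` status value and the HMAC seal are assumptions made for the example; a production system would more likely use digital signatures.

```python
import hashlib
import hmac
import json

REPORT_KEY = b"constructed-demo-key"  # assumption: key held by the erasure tool

def seal(report):
    """Tamper-evidence tag: HMAC-SHA256 over the canonical JSON of a report."""
    body = json.dumps(report, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(REPORT_KEY, body, hashlib.sha256).hexdigest()

def make_cert(asset_tag, hdd_serial, status):
    """Build a sealed certificate of erasure (hypothetical field names)."""
    report = {"asset_tag": asset_tag, "hdd_serial": hdd_serial,
              "status": status, "software": "example-eraser 1.0"}
    return {"report": report, "hmac": seal(report)}

def audit(assets, certificates):
    """Compare certificates against the asset database, per drive serial."""
    expected = {d: a["asset_tag"] for a in assets for d in a["hdd_serials"]}
    result = {"erased": set(), "tampered": set(), "unknown": set()}
    for cert in certificates:
        report, serial = cert["report"], cert["report"]["hdd_serial"]
        if not hmac.compare_digest(seal(report), cert["hmac"]):
            result["tampered"].add(serial)   # report changed after sealing
        elif expected.get(serial) != report["asset_tag"]:
            result["unknown"].add(serial)    # drive/asset pair not in inventory
        elif report["status"] == "erased_verified":
            result["erased"].add(serial)
    # Every inventoried drive without a valid, verified certificate stays open.
    result["missing"] = set(expected) - result["erased"]
    return result

# Constructed sample inventory and certificates.
ASSETS = [
    {"asset_tag": "AT-0001", "bios_serial": "BIOS-A1",
     "mac": "00:00:5E:00:53:01", "hdd_serials": ["HDD-1001"]},
    {"asset_tag": "AT-0002", "bios_serial": "BIOS-B2",
     "mac": "00:00:5E:00:53:02", "hdd_serials": ["HDD-1002", "HDD-1003"]},
]
CERTS = [
    make_cert("AT-0001", "HDD-1001", "erased_verified"),
    make_cert("AT-0002", "HDD-1002", "failed"),
    make_cert("AT-0099", "HDD-9999", "erased_verified"),
]
CERTS[1]["report"]["status"] = "erased_verified"  # edited after sealing

if __name__ == "__main__":
    print({k: sorted(v) for k, v in audit(ASSETS, CERTS).items()})
```

The `missing` set is the audit finding that matters at shutdown: drives still in the inventory with no valid, verified certificate, including the one whose report was altered.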

From soccer balls, running sneakers and yoga pants, to computers, servers and data, everything must go when a business shuts down. In today’s digitally ruled environment, data removal has to become the rule—not the exception.

For those businesses that overlook permanently erasing critical information stored across IT assets/storage environments, it will be as if they’ve sent hundreds of files directly into a hacker’s Recycle Bin—making them easily retrievable and susceptible to a data breach.

(About the author: Richard Stiennon is chief strategy officer at Blancco Technology Group, where he leads long-term strategic planning, product positioning, public affairs, analyst relations, joint ventures and industry partnerships. During his days as vice president of research at Gartner Inc., Richard’s forward-thinking insights and questioning of the corporate status quo earned him Gartner’s Thought Leadership Award in 2003. He has also written three thought-provoking books on the alarming state of cyber war and its impact on businesses. His most recent book, “There Will Be Cyberwar”, was named a Washington Post bestseller in April 2016.)
