Shredding Old Computers 'Into Dust' is the Best Way to Protect Law Firm Data
Disposing of old equipment isn't as simple as walking to the dumpster behind the office. It may cost law firms more than a hammer and a nail, but computer forensics has advanced to point where data on a decommissioned machine isn't truly gone until the hardware is ashes.
April 26, 2019 at 11:30 AM
4 minute read
“Gone, but not forgotten” isn't really a sentiment that law firms want applied to data that they thought was destroyed. Unfortunately, retiring old laptops, smartphones or other equipment is no longer as simple as picking up a hammer and driving a nail through the hard drive.
Frank Gillman, chief information security officer at Lewis Brisbois Bisgaard & Smith, noted that such an approach is popular among the do-it-yourself crowd. But he thinks that nowadays, people would be amazed at the data a talented forensic technician would be able to recover.
“If you're not like literally shredding that stuff into dust, like the hard drive is going through a shredder with teeth and turning it into compost, it's still dangerous,” Gillman said.
Raising the stakes somewhat is both the proliferation of data and the patchwork of global privacy regulations that have been enacted to prevent that data from being misused or imperiled. The European Union's General Data Protection Regulation (GDPR) or the incoming California Consumer Privacy Act (CCPA), for example, both carry steep penalties for organizations that fail to safeguard the information in their care.
Gillman recommends that firms keep a detailed record of where particular pieces of information are being stored across internal devices. But even then it's hard to account for every scrap of data a tool might encounter over the course of its lifespan. For instance, an attorney could enter a credit card number into a company laptop while making travel arrangements. “How do you know? And you really don't,” Gillman said.
Still, once you've put the hammer down and slowly back away from the hard drive, don't just pick an e-recycling company out of the phone book at random. Gillman suspects that most people don't bother to look into the various methodologies employed by different providers.
Some e-recycling services might just overwrite a machine and call it a day, which can be effective but still not as foolproof as the aforementioned shredder with teeth. Opting to shred a machine could also buy firms leeway with regulators in the event that bad actors still manage to recover data from what's left of the device.
“That's what really protects you. You say, 'Hey look, you know what, we did everything we could do,'” Gillman said.
There are also other steps that firms can take to help mitigate risk long before a given piece of equipment ever reaches retirement age. London-based law firm Bird & Bird discourages employees from storing data on hard drives, instead preferring that lawyers utilize its on-site document management system.
When data is loaded onto a portable machine as part of a presentation, for example, it's unlikely to be left there and forgotten. “We have a regular report that scans all local drives so we can track this,” said Karen Jacks, IT director at Bird & Bird.
The firm also deploys a global policy for the disposal of equipment that includes the deletion of data using multi-pass pattern wiping before the device is sent to a certified specialist to be wiped and destroyed.
Having those types of procedures and protocols in place can go a long way towards mitigating human error or even just plain ignorance. Iliana Peters, a shareholder at Polsinelli, thinks it's important for employees within an organization to at least understand the process in place at their organization for the disposal of obsolete equipment. Even if the average worker doesn't know that a flash drive should be destroyed after use, chances are the IT department can take care of that for them.
“I think that law firms have to understand that their risk from a business associate standpoint when it comes to security is high,” Peters said.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250