Tuesday, 24 March 2015

Rocket Science

Beware cheaper alternatives. Oh yes, we all like a bargain but in the end it all comes down to quality doesn’t it? A bargain is not a bargain if it doesn’t work for very long. There is no saving if Genghis Khan arrives at your door, hordes behind him, having found your customers bank details for sale on EBay. And that is what this is about, remember. Data security. Your legal obligations not to put your data at risk. And the risks get bigger every day.

I used to sell roof tiles. We gave a 100 year guarantee. Our competitors stopped at fifty. Guarantees were therefore not a huge USP, because fifty years is an awfully long time to start with, another fifty is just unimaginable. But we were also more expensive than everyone else. Go figure. Quality costs.

Data security is not rocket science. We can make it sound like that if you like, with enough jargon to make your eyes water, but what we do at the disposals end of the business is really quite simple. I am going to try and explain it simply too.

The law...the data protection act...says that you, as owner of your business (or organisation) have a duty of care when it comes to protecting your data, because your company data is likely to contain information about other people – your customers, patients, pupils or whatever you have. You are free to give your own private information away if you like, no one will be too bothered about that of course, but if you expose anyone else’s confidential information you are for the high jump, or a large fine.

So if you want to get rid of something that has any data on it, you need to protect it with auditable. That something can be a computer, a laptop or a server, but it can also be a printer, a scanner, a fax machine, a tablet or a Smartphone. If you give one of those away without erasing the data from the device memory, destroying the hard disk or shredding it, you are putting your data at risk and have thus failed in your duty of care.

Now most people get a company like eReco to take away their old kit. There are about 800 such companies in the UK, some of which are charities. Like any other sector, some are great (me sir, we are, honest!) and some not so great. Every single one of them SHOULD (and please note the capital letters) issue some paperwork to prove what they have done, deal with the data and recycle all the kit in line with WEEE regulations.

That paper is dull but important. It proves you have fulfilled your duty of care. If the worst should happen and Genghis Khan, our beloved Information Commissioner, should appear at your door with a taste for your first born, it is the paperwork which will placate him.

The basics are:

Waste transfer notes. Legally, to transport waste, you need the right notes. You may not consider your old PC to be waste but just believe me, it is in a legal sense. Compared to mass murder, not having a waste transfer note is not the most heinous of crimes, but I am just letting you know so that you can be aware. You did check that, didn’t you?

Asset lists. A bit more important and slightly more exciting. The person who collects your stuff should have an order from you asking him to collect your stuff and detailing what it is, and should then provide a full asset list of what has been collected. In an ideal world these match, and you file them under job done. I gave them PC A and they confirmed they have PC A in their possession. Your duty of care is in a good place. As long as your service provider has all the right licenses to do what they said they were going to do, at any rate. You did check that, didn’t you?

Certificates of data destruction. The final nail in your alibi. You remember PC A? Well we destroyed the data as agreed and here is the certificate to prove it. If that data now turns up somewhere nasty it is not your fault (as long as your service provider has insurance, all the right licenses and did what they said they would do and you checked that was all ok? You did check that, didn’t you?

Now, moving away from the exciting world of paperwork and your perfunctory due diligence, lets have a look at the data erasure or destruction. As I may have mentioned before, best practise is to extend the lifecycle of any equipment recycled, because 80% of the damage is done during manufacture. This is what WEEE regulations say and we all do our best for sustainability. And yes we can make a few bob out of it too. But let’s leave that for now.

Let’s just agree that every supplier, however good or bad they are, wants to sell PC A on. The easiest and cheapest way to do that is to leave it alone and get rid of it, sold as seen, and not worry at all about the hard disk. That happens. A lot. Genghis has a lot of fun. But most service providers will try to erase the old data somehow. Note I said erase, not destroy. If you destroy the hard drive for PC A it is pretty much worthless, so to make any money you would have to put a new drive in. Now already you have had to remove one drive, destroy it, and put another one in. So that has cost time and money. So the best option for all concerned is to leave the drive where it is and run some data erasure software to remove the data.

There is a standard for this, set by CESG, which is basically our sainted security services, GCHQ. To erase data with no known way of retrieving it, you need to use Infosec 5 level software. To keep this simple lets think of the task of dusting a television screen with the sun streaming in through the windows. If you use cheap over the counter software, which anyone can buy, it will cost you about £20 and you can use it forever. It gives you one wipe. Most of the dust is gone from the screen. Note the word most! It is a man’s wipe, a cursory thing not designed to be comprehensive, and if you knew how, you could get the dust back in a trice.

Infosec 5 software is a duster driven by your grandmother. It gives you three comprehensive wipes and gets right into the corners. No dust left anywhere. And in fact, if there is a hint of dust, that drive is rejected as being unsuitable for data erasure and summarily destroyed. Once wiped, no dust is brave enough to return even if a master criminal is involved.

But Infosec 5 software is not cheap and using it is not straightforward, so it is not available over the counter as it were. It is only provided by people like eReco because not only do we have to buy the expensive software license and train Ben and Aaron but we also have to pay a license fee per drive to boot. That is why we charge £5 per drive.

So when someone says ‘and we will sort your data’ you have to ask how? Because this is one of the areas where your duty of care comes into question. Del Boy may get you into some serious trouble if you do not take care.

In conclusion, the cheaper alternative I started off with can only save money in 3 crucial areas as far as I can see. They have to collect the stuff the same as us, but they could use staff who have not been security cleared and only send one driver along, which means your data could be left unattended if he or she needs a comfort break, for instance. Then they can save a bit by not bothering with any paperwork to speak of. Then they can save a lot by not dealing with your data properly. They can then make a bit more by ignoring WEEE regulations and flogging the kit for export to less scrupulous markets.

It’s not rocket science, is it?