Getting a new computer could be a very risky business. Not because of the price. Not because of any death ray emitted from the screen. And not because of a virus that will eat your files while emailing your contacts. It will be because you will take your old machine and do one of several things: Put it in the nearest empty cubicle, give it to your nephew, auction it on eBay, or perhaps just throw it out the window like you may have dreamed of doing on many occasions.

What you have just done is exposed your data. With today’s new laws safeguarding investor privacy, just the exposure alone can get you in trouble. But you are smarter than that. Your in-house techie used a sophisticated hard-drive erasure program that deletes the contents of your drive three times and confidently reports that the drive is clean. That’s that and life returns to normal, right?

Maybe not. Do you have an audit trail to prove that the machine was truly cleaned? And if so, how reliable is the software you used?

“At least 10 percent of the machines that you think you are sanitizing and reselling into the marketplace are likely to still have data.”

It is not enough to just buy the software and hope for the best. “Under Sarbanes-Oxley and Gramm-Leach-Bliley, you are going to need to be able to say ‘Hey, I have done the due diligence to be able to demonstrate that my vendor’s hard-drive erasure process is 99.99 percent effective. So I know I have done my job under the requirements of the law.’ Creating a reliability matrix and furnishing the customer with documentary proof of erasures is where we are taking our business,” says Houghton. The Gramm-Leach-Bliley Act, also known as The Financial Modernization Act of 1999, places criminal penalties on financial institutions that release client data. The Sarbanes-Oxley Act of 2002 seeks to further enhance security and data protection, among other things.

On July 1, 2003, California law SB-1386 - Protection of Personal Data went into effect in that state. The law requires that any organization that owns or licenses computerized data that includes personal information shall disclose any breach of the security of the system to any resident of California whose personal information was, or is believed to have been, acquired by an unauthorized person. That means the laptop you previously used, then gave to your daughter for school, and which found its way into her tech-savvy boyfriend’s hands, may require you to send a mailing to or call every person in the database that was inadvertently left on the drive. Databases, by nature, tend to be large. So we are not talking about a mailing to a few hundred people. And with first-class postage heading towards 40 cents an ounce, well, you do the math.

Many companies are not verifying that the erasure process has been successful through a reliability matrix. This, of course, assumes you even erase the hard drive to begin with. There are forensic tools that can be downloaded from the Internet that can find data, even on a drive that was reformatted.

Outsourcing the cleanup task may be a safer route for brokerage firms that need a safe solution for switching machines or change management. When you order your new machine from Dell or HP, for example, you can set up a process in which it will be shipped to a change management firm. That firm will set up the new machine with the appropriate settings and configure it properly with the right accessories to be sent wherever the client needs the machine.

The old machine will be handled in a secure auditable fashion from pickup at the client site to proper sanitization of the hard drive, recording serial numbers and dates. A new product from Redemtech called Datasure Lock-it locks the hard drive in the machine to ensure the data is not compromised during shipment or while waiting in that empty cubicle or storage room.

Larger brokerage firms may already have centralized security protocols in place, but the smaller firms may fill the gaps with ad hoc solutions which may be more expensive than outsourcing to a firm that specializes in sanitization services.

How about destroying the hard drive? There are mobile document shredding companies that, for an extra fee, will put your hard drive through their industrial shredders. In a perfect world that would be the safest solution. However, you will still have to be able to prove that every hard drive was destroyed, and that is difficult without physical evidence.

The audit trail is the key to protecting your legal liability. There are also environmental concerns: The Environmental Protection Agency classifies electronics as hazardous waste, requiring you to dispose of them in the right way in order to not incur liability on the environmental side as well.

Protecting your data will continue to be an essential part of business management. It will be one of the sets of criteria that future customers may use in determining whether or not to park their funds with your firm. Being able to confidently describe the safety measures used by your firm to protect your clients’ data will be just as important as the protection itself.

Implementation Checklist

From End-of-Life Data Security: Challenges and Risks.

Be sure your data security policy provides for the following:

- Physical security, including controlled inventory and restricted access to unprocessed systems
- Systematic control of the erasure process
- Technology-compatible erasure application
- Systematic verification of successful erasure process
- Periodic quality control audits of randomly selected systems
- Physical selection for undiscovered drives
- Special procedures for servers and arrays
- Destruction procedures for non-functioning drives
- Collection and destruction procedure for magnetic and optical media
- Audit trail documenting the successful erasure of every hard drive

Source: a white paper by Redemtech Inc. To read the entire document visit
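The verification and audit-trail steps the checklist calls for, as an added example that is not part of the article, the white paper, or any vendor's product: it scans a drive image end to end for bytes that survived the wipe, writes a per-drive audit entry with serial number and date, and computes the reliability rate across a batch. Serial numbers, the operator name and the sample images are constructed placeholders.

```python
import hashlib
import io
import json
from datetime import datetime, timezone

CHUNK = 1 << 20  # 1 MiB reads keep memory flat on multi-GB devices

def verify_wipe(stream, fill=0x00):
    """Read a drive image (or opened block device) end to end and confirm every byte
    equals the wipe pattern; one residual byte fails the check and its offset is kept."""
    offset = 0
    while True:
        chunk = stream.read(CHUNK)
        if not chunk:
            return {"clean": True, "bytes_checked": offset, "first_residue_at": None}
        if chunk.count(fill) != len(chunk):  # cheap test: does any byte differ from fill?
            bad = offset + next(i for i, b in enumerate(chunk) if b != fill)
            return {"clean": False, "bytes_checked": bad, "first_residue_at": bad}
        offset += len(chunk)

def audit_record(serial, operator, result):
    """Per-drive audit entry: serial, who verified, when (UTC) and the outcome, hashed
    so that a separately stored copy of the hash exposes later edits to the log."""
    entry = {"serial": serial, "operator": operator,
             "verified_utc": datetime.now(timezone.utc).isoformat(timespec="seconds"),
             **result}
    entry["entry_sha256"] = hashlib.sha256(
        json.dumps(entry, sort_keys=True).encode()).hexdigest()
    return entry

def reliability_rate(records):
    """Reliability-matrix figure: share of verified drives that came back clean.
    Anything below 1.0 means the erasure tool or process needs attention."""
    return sum(r["clean"] for r in records) / len(records)

def sample_image(size=3 * CHUNK, residue=b"", at=0):
    """Constructed test image, not a real drive: zero-filled, optionally with a
    leftover fragment at a given offset, the way a failed or partial wipe leaves it."""
    buf = bytearray(size)
    buf[at:at + len(residue)] = residue
    return io.BytesIO(bytes(buf))

if __name__ == "__main__":
    # Serial numbers are placeholders; the second drive carries a customer-record fragment.
    drives = [("SN-PLACEHOLDER-001", sample_image()),
              ("SN-PLACEHOLDER-002", sample_image(residue=b"ACCT,123-456", at=2 * CHUNK + 77))]
    log = [audit_record(sn, "tech@example", verify_wipe(img)) for sn, img in drives]
    print(json.dumps(log, indent=1))
    print("reliability rate:", reliability_rate(log))  # 0.5 for this sample
```

On a real decommissioned drive the image argument would be the opened block device; the full scan is what lets the audit entry claim the erasure was verified rather than assumed.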