Hard Drive Homicide
Old Hard Drives Must Rest in Pieces for Lawyers to Truly Rest in Peace
Posted Aug 12, 2006 1:33 PM CDT
By David Beckman and David Hirsch
Data storage can be like remembrance of unrequited love: It never fully fades. So what’s a law office with aging computers to do?
Kill the storage device.
If you give away an old computer (or sell it for the $50 it may be worth), remove the hard disk first. We know of no wipe technique that is certain to totally clean a hard disk. The only way to be 100 percent sure the National Security Agency (or some less skilled but highly motivated recovery agent) can’t glean privileged information from a dead hard disk is to remove the disk and physically destroy it. Wipe it first, but physically destroy it. And when disposing of the pieces, pay attention to local environmental rules.
Here is how we decide when to destroy a hard disk:
• When it has crashed or failed to the point of unreliability.
• Or it is too slow to be useful.
• Or it works, but is smaller than 10 gigabytes.
Some might put that last number higher, since you can buy a 300-gigabyte hard disk for less than $200 and a new computer for about $300.
Recently, David Beckman took out 25 of our old hard disks. For each one, he carefully unscrewed the casing, gaining access to the naked disk, sometimes having to pry the case apart. Wearing goggles, long sleeves, long pants, leather shoes and gloves—and wielding a sledge hammer—he placed the disks one by one into a plastic bag to contain flying parts. And then he smashed.
The hard disks were fragmented beyond reconstructability. For added measure, Beckman sprayed the pieces with salt water, then let them dry.
Some might say there must be an easier way. You can always purchase a machine to do the task. Some are available from Garner Products. One option is what we term the “vampire killer”: a machine that pounds stakes into the hard disk after degaussing.
Destruction machines are not cheap. Ideally, a small firm should find a vendor, or perhaps a bar association, that provides disk destruction service.
A news report not long ago spoke of an individual who returned a failed hard disk to a major technology retailer. The retailer replaced the hard disk at no charge but did not return the failed disk, saying it was being replaced under warranty and the retailer would dispose of it. The hard disk wound up in a flea market a thousand miles away. The flea-market customer found personal information on the disk and called the original owner.
That would be a lawyer’s worst nightmare.
If you are unwilling to physically destroy old hard disks, you might want to encrypt them. While likely not good enough for the determined cybersnoop, encryption probably would protect confidential data from being recovered after a yard sale. An encryption program we like, TrueCrypt, is open source, free and runs on both Windows and Linux. Steganos LockNote is a similar program.
Long ago, when hard disks were relatively new in desktop machines, we decided no floppy disk should ever go to a third party unless it is new. We recognized that no wipe is perfect.
If that rule was good for floppy disks, which stored much less data and were easier to wipe and destroy than hard disks, it is also good for any digital storage device (with the arguable exception of RAM).
It is too easy to casually discard an old computer (or parts). But even with hard disk files erased, sectors overwritten several times and disks reformatted, some data will still be there. Kill the beast. Or if you are unwilling to destroy the hard disks, at least find a secure place to permanently store them.
David Beckman and David Hirsch practice in the law firm of Beckman & Hirsch in Burlington, Iowa. Contact Beckman by e-mail at firstname.lastname@example.org or Hirsch at email@example.com.