Powered By Blogger

DATA WIPING- From the Legal Perspective

 

DATA WIPING- From the Legal Perspective



Secure Data Wiping is very important, since if both individuals and companies dispose of their old computing devices without taking measures to prevent unwanted recoveries, they put their security and confidentiality at risk.

01.- DELETED Why don't we delete them with a simple click?

When disposing of a computer, many people maintain the false idea, that it does not store any important data in it, or that nobody can be interested or will bother to check it. Nothing could be further from the truth. The operating system of our computer equipment –Windows, Linux, OS X- makes us believe that when we send data or documents to the recycle bin or format the hard drive, the deletion is permanent. But this is not the case. The space occupied by these files is available to be reused by others that we store later, but as long as this does not occur, the information is still stored on the hard drive. This is due to the fact that most operating systems simply assign as empty the sectors where the file that we have tried to permanently delete is located, without actually deleting that information, waiting for it to be overwritten with new data. What we stop seeing at first glance is still available if the appropriate means are known to be used for its recovery.

Can it affect us?

Both companies and Public Administrations are increasingly aware of the importance of new information and communication technologies -ICT- to manage their functions and services with full efficiency and effectiveness.

But there is no perceived threat looming over their information systems, each day more complex and with threats that advance at the same speed as technology.

The simple act of disposing of a company's desktop computer can allow competitors or former employees to take advantage of it, even to appropriate confidential and highly relevant information for the company or customer contact data.

The Public Administrations manage millions of personal data and varied information of citizens in their daily functions, allowing in case of developing a correct disposal policy, the seizure of all this with a simple recovery procedure.

Every day we find in the different media, news about information that appears in the garbage or is on the street. But really when we eliminate our papers we try to tear them or use a paper shredder, without realizing that when we dispose of a computer equipment or an electronic device or support, we are throwing away millions of electronic papers.

When the information refers to personal data, there may be sanctions from the Spanish Agency for Data Protection and even criminal sanctions. But avoiding damage by preventing is easier than it seems, because discarding equipment due to a breakdown, to change it for a more current one, because it does not support certain applications or for any reason, can open the door to our lives, our business and our bank accounts.

The conviction that Information Security should be a priority in companies and Public Administrations, has to be a reality, which in many cases will require financial endowments, to the same extent that an organization is concerned about having a company security and surveillance to prevent access to the facilities.

02.- THE DATA WIPING PROCEDURE. What is it?

We all know that file deletion is the action we take to eliminate certain information that is no longer useful or we need, but from a technical perspective, it would be “the action of a hard disk drive when marking a group of occupied sectors of the same as free sectors. ”. Common Wiping implies that the hard drive does not carry out the complete Data Wiping task, but marks space in use for free space, thus being able to become free space, to be used by other files that we would like to store in the future.

But secure deletion goes further. When you delete a file, this procedure overwrites a certain combination on it, thus avoiding that if done correctly, this file can be recovered. This procedure must be done in a certain way to achieve the goal, because a simple overwriting does not achieve the goal. Is it really no use simply formatting the computer?

By formatting the equipment or device or support that we want, we can see that its capacity has increased, and the space previously occupied by the files will appear as free. But the only thing that has been done with the formatting action is preparing the disk to store more information, keeping all the files intact so they can be recovered by third parties.
What are the dangers of not performing a secure erase?

The generation, storage and flow of information in computer systems today is constant and is increasing year after year. Many times we are not aware that we use systems that have previously been used by other people or that our old or useless systems may be in the hands of others.

Currently, it is not strange to acquire or eliminate equipment in companies or Public Administrations or in our own homes, through the sale of second hand, leasing or renting contracts, reuse of equipment, donations or a simple restructuring of areas or of personal. And the vast majority of them without proceeding to a secure deletion or encrypting their content, so that the new acquirer with some computer skills, will be able to access and recover what we had stored.

And that without taking into account that, the picaresque or bad faith, can make that information a real gold mine, through extortion, bribery, resale or use for their own benefit. And they are not rare cases or that are not occurring every day, for example the BBC chain, denounced a new type of business detected in Nigeria. The government of this country had sent their old computers to this country, but what they also sent was the content of all of them, which were on their hard drives, so the sale of bank details of British customers and many other information are in the hands of those who knew how to recover data that had been "formatted" or simply "deleted after being sent to the recycle bin."

It is not the only case. From personal photos, passwords, confidential documents, banking information, and all the multitude of data that we store, it can end up in the wrong hands if we do not take the appropriate measures.


03.- HARD DISK RECOVERY


Did you delete that file that you didn't want anyone to see? Do you know that there is a way to get it back? Whether you intentionally or inadvertently erased a document, without employing a secure erase procedure, it can be recovered.

Sometimes it is necessary to recover information from old equipment, devices or media, because a breakdown, a virus, an accident, a blow or a power surge have caused the document or file that we need to be lost. One of the applications of computer forensics is precisely to examine and recover residual data from different equipment or media, which have previously been tried to eliminate to avoid leaving traces.

The information that can be recovered from the devices, media and computer equipment, will be determined by the use that was given to it and by the process that has been followed to eliminate the data or files. Taking this into account, IP addresses, email addresses, bank account numbers, passwords, photographs, documents, reports, videos and all kinds of information that could have been stored a priori are susceptible to recovery.

Data recovery is a true science. Its purpose is to attempt to rebuild the file system so that the data file can be accessed. But the problem is that each operating system has its own system to index and monitor the files that are generated and each one of them is especially complex.


04.- WHAT THE LAW SAYS

We must bear in mind that regardless of what the law tells us, any act of loss of information in an organization or company damages its image and reputation, in addition to undermining the confidence of the consumer and the client, and may lead to contract losses. or of high economic or time amounts.

Our regulations on data protection are very strict regarding the treatment of waste information and personal data, demanding high levels of security in the destruction of documents not only with paper support, but also contained in plastics, microfiches, storage formats. Optical -CD, CD-RW, HD DVD, VMD and Blue Ray-, video tapes, medical plates, triacetate films and any other storage medium, USB flash drives, external and internal drives, mobile phones, PDA's, multimedia containers , etc.

The Organic Law 15/1999 on the Protection of Personal Data and its development regulations, Royal Decree 1720/2007, impose a series of mandatory measures on companies and Public Administrations, to guarantee the security of the personal data they handle from the citizens. Among these measures, the legislator has wanted to reflect the problem of the data stored in computer devices and media regarding the insufficient elimination of the same by the means that are usually used, the simple Wiping.

Articles 4.5 of the Organic Law on Data Protection and 8.6 of the Regulation for the development of the law provide that the personal data that has been collected must be canceled, when they are no longer necessary for the purposes for which they were collected, at the time that they will have to be kept for a minimum period of 3 years, if there is no other law that determines the time in which liability actions could be carried out where the documents containing the personal data could be involved.

After the legally stipulated time has elapsed, the data must be destroyed -unless they are disassociated-, by a safe procedure that prevents their reuse or violates the duty of secrecy of article 10 of the Organic Law on Data Protection. The legislator has especially wanted to reinforce this measure of safe disposal of documentation and computer media or equipment, and in such a way has included it among the measures to be carried out, in article 92 of the Regulation of development of the law, "Whenever it is going to be discarded Any document or medium that contains personal data must be destroyed or erased, through the adoption of measures aimed at preventing access to the information contained therein or its subsequent recovery. ".

The Spanish Data Protection Agency, has imposed many sanctions -ej. PS / 00534/2008 or PS / 00137 / 2010- related to documents or computer equipment from which the information has been recovered, “should, therefore, adopt the necessary measures to prevent any subsequent recovery of the information contained in said documents. . Such measures were not fully adopted in the present case, as evidenced by the fact that said documentation was found by the complaining entity, on the public highway, outside the containers and scattered. "

The National Court has also resolved different appeals from entities sanctioned for not having correctly eliminated supports or documents; 1182/2001, 1517/2001, 160/2006; ruling in common that “It is not enough, then, with the adoption of any measure, as they must be those necessary to guarantee those objectives set by the precept. And, of course, the formal approval of security measures is not enough, since it is mandatory that they be put in place and put into practice effectively. (…) They were documents for internal use that should not be accessed by people outside the organization chart of… and if they did, it was anomalous, that is,

If a company or administration does not comply with the provisions of Article 10 - duty of secrecy - and 9 of the Law or what is developed in Royal Decree 1720/2007, regarding the disposal of supports or documents, it would be incurring two offenses typified in Article 44.2 e) or 44.3 g) and 44.2. h) of Organic Law 15/1999, which may be classified as a serious offense, which could be sanctioned with a fine that would range from € 60,101.21 to € 300,506.05.

Organizations –public and private- must have an adequate data processing system and guarantee full compliance with the measures imposed by law, but in particular they must:

Classify the information and treat it according to its security level.
Ensure compliance with the specific related regulations.
Destroy or erase information according to the medium in which it is found in a safe way and that prevents its later recovery. Many companies or Administrations have been of no use, presenting certificates or invoices from recycling or erasing companies, which provided services to them, but not with the efficiency imposed by law, because the truth is that the procedures carried out must ensure the result , not just the mere attempt.

But we must be aware that the legal obligation falls on all types of media, where data can be stored, and from a computer equipment point of view, it includes Information on hard and removable drives, Information on mobile phones, Information on PDAs, Information in images, videos and the like.

 

at

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)

Necessity of a Secure Data Wipe

  Necessity of a Secure Data Wipe According to projections from  The Radicati Group , in 2021 we will be sending 320,000 million emails pe...