Tale of the tape raises alarms

Although there have been numerous incidents of lost or stolen data storage devices dangerously exposing thousands of confidential and private information files, a fiasco that came to light in British Columbia in March came with a twist: this time, the data was neither lost nor stolen; it was sold, albeit unknowingly, by the B.C. government through an auction of over 40 data tapes.

The incident highlighted the great risk that organizations take when selling off old data tapes to third-party resellers, said Tim Bjork, market development manager for enterprise at Imation Corp. in Oakdale, Minn., a global provider of data storage products.

The practice of selling old data tapes to third-party resellers is common for organizations across all industries. Old tapes are sold for as low as $1 and as high as $15, said Bjork.

Third-party tape resellers would typically undertake the task of either degaussing or overwriting the data tapes to erase the content and sell them as used blank tapes. But these cartridges are often never fully degaussed or overwritten, said Bjork.

He explained that fully degaussing data tapes is not always possible, particularly with newer cartridges such as the LTO Ultrium, 9840, 9940, 3590 and 3590E. These tapes contain a factory-written configuration called servo track, which can be erased when degaussing newer types of cartridges, making them unusable and they therefore cannot be resold, said Bjork.

Overwriting cartridges, on the other hand, may prove effective but not economically practical for resellers, he said. “To overwrite an entire 9840 cartridge, for example, would take anywhere from 20 to 22 minutes. If you’re selling 10,000 cartridges, how realistic is it that a third-party vendor will take that kind of time to overwrite the entire length of every cartridge?”

There is a big chance the resellers would simply “take some short cuts because time is money, and they are buying those tapes to make money,” he added. Imation was able to put its theory to the test when it bought some used LPO cartridges from a tape reseller, said Bjork. “We found that a lot of times, there were still data on those tapes and [the resellers] have simply moved up the end-of-data marker or erased the header so it appeared like the data was gone, but they were still on the entire tape.”

Because organizations are held accountable for protecting and securing personal information, legal implications can be avoided by taking the safer route, which is the secure destruction of old data tapes, said Bjork.

Current privacy statutes in the U.S. and Canada, however, are silent on whether organizations should be prohibited from selling old tapes that contain sensitive and personal data.

Toronto-based privacy lawyer Jason Young stressed, though, that the law is “fairly clear” on the obligations of data collectors to impose reasonable safeguards to secure personal information.

“The threshold as to what is going to be deemed reasonable, or what the courts would deem reasonable, is a floating one. The more sensitive the information, the higher the threshold will be,” said Young, who works at law firm Deeth Williams Wall LLP.

He stressed that the obligation of organizations to protect personal information does not end with the sale of old data tapes. “If the B.C. government, for example, collected personal information and outsourced the management or processing of the personal information to another company, [the B.C. government] remains liable to what happens to that information.”

The B.C. tape auction incident also demonstrated the need to enact mandatory disclosure laws in Canada, similar to those enforced in California and about 20 other states in the U.S., said Young.

Mandatory disclosure legislation requires organizations to inform concerned individuals in the event of a breach, which could potentially expose their personal information.

Such legislation also prohibits unauthorized disposal or disclosure of personal information without the consent of the individuals involved.

Young does not believe that the law should prohibit companies from selling their old tapes, but added that firms should exhaust all means possible to ensure that those tapes are completely degaussed or erased.

QuickLink 062508

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now