Tale of the tape raises alarms

Although there have been numerous incidents of lost or stolen data storage devices dangerously exposing thousands of confidential and private information files, a fiasco that came to light in British Columbia in March came with a twist: this time, the data was neither lost nor stolen; it was sold, albeit unknowingly, by the B.C. government through an auction of over 40 data tapes.

The incident highlighted the great risk that organizations take when selling off old data tapes to third-party resellers, said Tim Bjork, market development manager for enterprise at Imation Corp. in Oakdale, Minn., a global provider of data storage products.

The practice of selling old data tapes to third-party resellers is common for organizations across all industries. Old tapes are sold for as low as $1 and as high as $15, said Bjork.

Third-party tape resellers would typically undertake the task of either degaussing or overwriting the data tapes to erase the content and sell them as used blank tapes. But these cartridges are often never fully degaussed or overwritten, said Bjork.

He explained that fully degaussing data tapes is not always possible, particularly with newer cartridges such as the LTO Ultrium, 9840, 9940, 3590 and 3590E. These tapes contain a factory-written configuration called a servo track, which can be erased when newer types of cartridges are degaussed, leaving them unusable and therefore impossible to resell, said Bjork.

Overwriting cartridges, on the other hand, may prove effective but not economically practical for resellers, he said. “To overwrite an entire 9840 cartridge, for example, would take anywhere from 20 to 22 minutes. If you’re selling 10,000 cartridges, how realistic is it that a third-party vendor will take that kind of time to overwrite the entire length of every cartridge?”

There is a big chance the resellers would simply “take some short cuts because time is money, and they are buying those tapes to make money,” he added. Imation was able to put its theory to the test when it bought some used LTO cartridges from a tape reseller, said Bjork. “We found that a lot of times, there were still data on those tapes and [the resellers] have simply moved up the end-of-data marker or erased the header so it appeared like the data was gone, but they were still on the entire tape.”

Because organizations are held accountable for protecting and securing personal information, legal implications can be avoided by taking the safer route, which is the secure destruction of old data tapes, said Bjork.

Current privacy statutes in the U.S. and Canada, however, are silent on whether organizations should be prohibited from selling old tapes that contain sensitive and personal data.

Toronto-based privacy lawyer Jason Young stressed, though, that the law is “fairly clear” on the obligations of data collectors to impose reasonable safeguards to secure personal information.

“The threshold as to what is going to be deemed reasonable, or what the courts would deem reasonable, is a floating one. The more sensitive the information, the higher the threshold will be,” said Young, who works at law firm Deeth Williams Wall LLP.

He stressed that the obligation of organizations to protect personal information does not end with the sale of old data tapes. “If the B.C. government, for example, collected personal information and outsourced the management or processing of the personal information to another company, [the B.C. government] remains liable to what happens to that information.”

The B.C. tape auction incident also demonstrated the need to enact mandatory disclosure laws in Canada, similar to those enforced in California and about 20 other states in the U.S., said Young.

Mandatory disclosure legislation requires organizations to inform the individuals concerned in the event of a breach that could potentially expose their personal information.

Such legislation also prohibits unauthorized disposal or disclosure of personal information without the consent of the individuals involved.

Young does not believe that the law should prohibit companies from selling their old tapes, but added that firms should exhaust all means possible to ensure that those tapes are completely degaussed or erased.
