Although there have been numerous incidents of lost or stolendata storage devices dangerously exposing thousands of confidentialand private information files, a fiasco that came to light inBritish Columbia in March came with a twist: this time, the datawas neither lost nor stolen; it was sold, albeit unknowingly, bythe B.C. government through an auction of over 40 data tapes.
The incident highlighted the great risk that organizations takewhen selling off old data tapes to third-party resellers, said TimBjork, market development manager for enterprise at Imation Corp.in Oakdale, Minn., a global provider of data storage products.
The practice of selling old data tapes to third-party resellersis common for organizations across all industries. Old tapes aresold for as low as $1 and as high as $15, said Bjork.
Third-party tape resellers would typically undertake the task ofeither degaussing or overwriting the data tapes to erase thecontent and sell them as used blank tapes. But these cartridges areoften never fully degaussed or overwritten, said Bjork.
He explained that fully degaussing data tapes is not alwayspossible, particularly with newer cartridges such as the LTOUltrium, 9840, 9940, 3590 and 3590E. These tapes contain afactory-written configuration called servo track, which can beerased when degaussing newer types of cartridges, making themunusable and they therefore cannot be resold, said Bjork.
Overwriting cartridges, on the other hand, may prove effectivebut not economically practical for resellers, he said. “Tooverwrite an entire 9840 cartridge, for example, would takeanywhere from 20 to 22 minutes. If you’re selling 10,000cartridges, how realistic is it that a third-party vendor will takethat kind of time to overwrite the entire length of everycartridge?”
There is a big chance the resellers would simply “take someshort cuts because time is money, and they are buying those tapesto make money,” he added. Imation was able to put its theory to thetest when it bought some used LPO cartridges from a tape reseller,said Bjork. “We found that a lot of times, there were still data onthose tapes and [the resellers] have simply moved up theend-of-data marker or erased the header so it appeared like thedata was gone, but they were still on the entire tape.”
Because organizations are held accountable for protecting andsecuring personal information, legal implications can be avoided bytaking the safer route, which is the secure destruction of old datatapes, said Bjork.
Current privacy statutes in the U.S. and Canada, however, aresilent on whether organizations should be prohibited from sellingold tapes that contain sensitive and personal data.
Toronto-based privacy lawyer Jason Young stressed, though, thatthe law is “fairly clear” on the obligations of data collectors toimpose reasonable safeguards to secure personal information.
“The threshold as to what is going to be deemed reasonable, orwhat the courts would deem reasonable, is a floating one. The moresensitive the information, the higher the threshold will be,” saidYoung, who works at law firm Deeth Williams Wall LLP.
He stressed that the obligation of organizations to protectpersonal information does not end with the sale of old data tapes.“If the B.C. government, for example, collected personalinformation and outsourced the management or processing of thepersonal information to another company, [the B.C. government]remains liable to what happens to that information.”
The B.C. tape auction incident also demonstrated the need toenact mandatory disclosure laws in Canada, similar to thoseenforced in California and about 20 other states in the U.S., saidYoung.
Mandatory disclosure legislation requires organizations toinform concerned individuals in the event of a breach, which couldpotentially expose their personal information.
Such legislation also prohibits unauthorized disposal ordisclosure of personal information without the consent of theindividuals involved.
Young does not believe that the law should prohibit companiesfrom selling their old tapes, but added that firms should exhaustall means possible to ensure that those tapes are completelydegaussed or erased.
