Sign In
    Wisconsin Lawyer
    March 01, 2005

    Technology: Dumpster Disasters: Tips for Retiring Old Computers

    Don't risk potential malpractice claims, ethical violations, embarrassment, or environmental contamination when it's time to dispose of computer equipment. Here are some tips to safely and ethically dispose of your old computers.

    Ross Kodner; Courtney Kennaday

    Wisconsin Lawyer
    Vol. 78, No. 3, March 2005

    Dumpster Disasters: Tips for Retiring Old Computers

    Don't risk potential malpractice claims, ethical violations, embarrassment, or environmental contamination when it's time to dispose of computer equipment. Here are some tips to safely and ethically dispose of your old computers.

    by Ross L. Kodner & Courtney G. Kennaday

    In a regular and predictable ritual, law offices need to replace PCs, laptops, and network file servers. Not that the equipment necessarily wears out, but it may no longer be up to the task of running contemporary software. Even a three- or four-year-old desktop PC may barely limp along.

    What happens to elderly PC systems relegated to the dustbin of techno-history? What are your choices for disposal? Tossing them in a Dumpster® seems wasteful; also, much of this equipment is considered hazardous to the environment and must be managed and disposed of in compliance with federal, state, and local laws and regulations. You might try to sell old computers for a few cents on eBay or donate them to charity.

    Any of these disposal choices could cost you your law license.

    Why? Because old computers are packed with confidential client information that you have an ethical duty to protect. Further, the computers undoubtedly contain sensitive firm information and software licensed to your firm or organization (for which you have specific obligations under end-user license agreements). Giving away control of and access to old computers - through the Dumpster approach, an eBay sale, or a charitable donation - can lead to malpractice claims and ethical violations at worst and serious embarrassment at best. There could even be claims for violating HIPAA (for disclosing employee or client healthcare information) and Sarbanes-Oxley (for giving away corporate documents that you must maintain). So what should you do?

    D.U.M.P. Your Files

    You need to create a D.U.M.P. - a disposal un-malpractice plan. The key to an effective D.U.M.P. is ensuring, to the greatest extent reasonably practical, that you remove confidential client information, firm or organization information, and licensed software that you do not intend to formally transfer with the PC to the new owner. This means using a technical process to effectively remove information, rendering the information as unrecoverable as is reasonably possible. It may not be possible to delete information so that no one could ever recover it. Practically speaking, given enough time and money, someone probably could find a way to recover at least some of your data, no matter what you do. But the reality is that the standard to meet is one of reasonableness. What steps must a lawyer take to ensure the reasonably effective removal of sensitive information?

    First, here is what doesn't work:

    • deleting files using Windows Explorer or the Windows My Computer function. Even unsophisticated computer users know to click the Recycle Bin to quickly undelete files. It's fairly well known that deleting files using Windows or DOS command line functions does not remove the files but instead merely removes the "directory listing" so that Windows can no longer "see" the files. Think of it as akin to removing the address number from your house. The house will be more difficult to find, but it still exists. Even reformatting a hard drive or removing a storage "partition" does not prevent easy recovery of information; plenty of cheap or free utilities can perform such recoveries.
    • deleting the files and emptying the Recycle Bin. This is a little more clever, but the files are still easily recoverable.
    • burning the hard drive in an incinerator. Still not good enough. Data recovery experts at companies such as Kroll Ontrack (www.krollontrack.com) and Drive-savers (www.drivesavers.com), for instance, can probably recover most, if not all, of the information from utterly scorched hard drives.
    • dropping the hard drive from a 40-story building. Entertaining, but equally ineffective.

    So what does work?

    Electronic "File-Shredding" Software

    Electronic file-shredding software systems delete files in ways that cannot be accomplished using Windows alone. These systems typically run a routine that deletes files and then overwrites the areas where the files are or were located on the hard drive with repeated patterns of random characters. The more "passes" made by the overwriting routine, the harder it becomes to recover the original information. The file-shredding product and methodology used should comply with the standards promulgated by the U.S. Department of Defense (DOD). Deleting information pursuant to the DOD standard should satisfy the "reasonableness" requirement.

    The DOD has published guidelines related to the clearing and sanitizing of PC media (DOD 5220.22-M, available at www.dss.mil/isec/chapter8.htm, then see section 8-306), which recommend that you "overwrite all addressable locations with a character, its complement, then a random character and verify for all writable media" (that is, hard drives, floppy drives, backup tapes, ZIP disks, flash drives, and so on). An example of an electronic shredder that can perform these functions is the DataEraser software system, produced by zDelete. Its Web site (www.zdelete.com/dod.htm) displays the DOD's table prescribing the specific methods required for adequate and compliant information destruction on all sorts of media types in common use in law practices.

    Be aware of all the places where data may be located. These include but are not limited to:

    • hard drives in PCs
    • old hard drives that are no longer used but still contain recoverable information
    • floppy disks of all sizes (don't forget those in storage)
    • ZIP disks and other removable data cartridges
    • backup tapes
    • the newer "flash drives"

    Many software products will accomplish electronic file shredding to DOD standards. A Google search of "file deletion software" will yield a treasure trove of capable utilities. Products such as DataEraser, CyberScrub (www.cyberscrub.com), and many others are suitable. DOD 5220.22-M certification indicates that a product meets the DOD standards. Be certain to read the instructions and use the product correctly.

    Finalize a D.U.M.P.

    It is imperative, from a legal and ethical perspective, to comply with software license agreements. You must remove all licensed software that you do not intend to formally transfer with the PC system. Read each end-user license agreement to learn precisely what you must do with each software product on any computer hard drive or other electronic media you plan to get rid of. This means considering media like CD-ROMs, DVDs, floppy disks, backup tapes, digital film, and so on.

    Then, a "best practices" approach is to create a formal written computer usage policy detailing the goal of the D.U.M.P. process, the process itself, and the requirement that the process always be used when disposing of PCs or electronic media. This is the most complete way to protect yourself.

    Be sure to inform your clients of their need to take the same precautionary measures when they dispose of their PC systems and media. There have been many instances in which corporate clients have tossed backup tapes - packed with damaging information about a matter in litigation - into a Dumpster, and Dumpster divers hired by the opposition have found the tapes and used them against the corporate clients.

    Technical Assistance

    If you don't understand, or don't want to acquire and learn to use, electronic file-shredding software, hire an expert to handle the disposal process for you - it will be money well spent. Be certain to get a written statement from the service provider documenting its destruction of the information, the methodology and software used, and its compliance with the DOD standards. Ideally, such a written statement also would contain language indemnifying you or your firm's lawyers from liability for the service provider's failure to adequately destroy the information.

    Computer Retirement Options

    Once the critical step of removing the data and licensed software is accomplished, consider how to dispose of the computer. The main options are sale, donation, and recycling.

    Sale or donation to employees. To avoid the hassle of selling computers in the marketplace, sell or donate them instead to your employees. Offering to your employees relatively recent PCs that are still usable for personal or educational use may make a lot of sense and be seen as an employee benefit.

    Donation to a charitable entity. Do not foist your computer disposal problems on a charity. Charities often have the same software and hardware needs as you do. They may not be able to use 486-class or older PCs or even early generation Pentiums 4s, although some charities might want them for vocational training or for parts. In fact, many well-known charitable organizations have stopped accepting computers and monitors altogether. Check with the organization before you donate.

    If you cannot find a local organization to donate to, think nationally. One group to consider is the National Cristina Foundation (www.cristina.org), which matches companies and individuals interested in donating computer equipment with nonprofit organizations and schools that serve people with disabilities in the United States and abroad. Donors send equipment directly to the beneficiary. Run the Google search "donating used computers" to locate other donation recipients.

    Recycling. Taking up space in landfills is one problem. In addition, computers and monitors contain high levels of lead, mercury, and other environmental contaminants. The good news, according to the U.S. Environmental Protection Agency (EPA), is that 50 percent of the materials in a personal computer can be recycled.

    To find a reuse and recycling program in your area, contact your state or local waste management agency or try the Electronic Industries Alliance Environment Web page at www.eiae.org. For basic information on how to reduce electronic waste, along with related Web links, see the EPA's Web site, www.epa.gov/epaoswer/hazwaste/recycle/ecycling/basic.htm.

    Some computer manufacturers (including Dell, Gateway, HP, IBM, and Apple) also offer product take-back services to their customers for trade-in on a new product, recycling, or donation to needy people or groups.

    For those of you who prefer to think of old PCs as antiques or historical relics, there's a Web site for you, too: www.old-computers.com. Wax nostalgic for your old computer among more than 800 examples in their computer "museum." If you don't find your computer there, try Google's collection of historical computers at http://directory.google.com/Top/Computers/History. You never know, your old PC might be just the one some museum is looking for.

    The bottom line is simple. PC in the Dumpster = potential malpractice claims, ethical violations, and embarrassment. Develop a D.U.M.P. for your firm or law department, then make the plan official policy, and use it.

    Ross L. Kodner is president and founder of MicroLaw Inc., a national legal technology consultancy based in Milwaukee. He can be reached at rkodner@microlaw.com, www.microlaw.com, and (414) 540-9433.

    Courtney G. Kennaday is the practice management advisor for the South Carolina Bar where she helps lawyers deal with a myriad of law office issues. She can be reached at courtney.kennaday@scbar.org.


Join the conversation! Log in to comment.

News & Pubs Search

-
Format: MM/DD/YYYY