Vol. 78, No. 3, March 2005
Dumpster Disasters: Tips for Retiring Old Computers
Don't risk potential malpractice claims, ethical violations,
embarrassment, or environmental contamination when it's time to dispose
of computer equipment. Here are some tips to safely and ethically
dispose of your old computers.
by Ross L. Kodner & Courtney G. Kennaday
In a regular and predictable ritual, law offices need to replace PCs,
laptops, and network file servers. Not that the equipment necessarily
wears out, but it may no longer be up to the task of running
contemporary software. Even a three- or four-year-old desktop PC may
barely limp along.
What happens to elderly PC systems relegated to the dustbin of
techno-history? What are your choices for disposal? Tossing them in a
Dumpster® seems wasteful; also, much of this equipment
is considered hazardous to the environment and must be managed and
disposed of in compliance with federal, state, and local laws and
regulations. You might try to sell old computers for a few cents on eBay
or donate them to charity.
Any of these disposal choices could cost you your law license.
Why? Because old computers are packed with confidential client
information that you have an ethical duty to protect. Further, the
computers undoubtedly contain sensitive firm information and software
licensed to your firm or organization (for which you have specific
obligations under end-user license agreements). Giving away control of
and access to old computers - through the Dumpster approach, an eBay
sale, or a charitable donation - can lead to malpractice claims and
ethical violations at worst and serious embarrassment at best. There
could even be claims for violating HIPAA (for disclosing employee or
client healthcare information) and Sarbanes-Oxley (for giving away
corporate documents that you must maintain). So what should you do?
D.U.M.P. Your Files
You need to create a D.U.M.P. - a disposal un-malpractice plan. The
key to an effective D.U.M.P. is ensuring, to the greatest extent
reasonably practical, that you remove confidential client information,
firm or organization information, and licensed software that you do not
intend to formally transfer with the PC to the new owner. This means
using a technical process to effectively remove information, rendering
the information as unrecoverable as is reasonably possible. It may not
be possible to delete information so that no one could ever recover it.
Practically speaking, given enough time and money, someone probably
could find a way to recover at least some of your data, no matter what
you do. But the reality is that the standard to meet is one of
reasonableness. What steps must a lawyer take to ensure the reasonably
effective removal of sensitive information?
First, here is what doesn't work:
- deleting files using Windows Explorer or the Windows My Computer
function. Even unsophisticated computer users know to click the Recycle
Bin to quickly undelete files. It's fairly well known that deleting
files using Windows or DOS command line functions does not remove the
files but instead merely removes the "directory listing" so that Windows
can no longer "see" the files. Think of it as akin to removing the
address number from your house. The house will be more difficult to
find, but it still exists. Even reformatting a hard drive or removing a
storage "partition" does not prevent easy recovery of information;
plenty of cheap or free utilities can perform such recoveries.
- deleting the files and emptying the Recycle Bin. This is a little
more clever, but the files are still easily recoverable.
- burning the hard drive in an incinerator. Still not good enough.
Data recovery experts at companies such as Kroll Ontrack
(www.krollontrack.com) and DriveSavers (www.drivesavers.com), for
instance, can probably recover most, if not all, of the information from
utterly scorched hard drives.
- dropping the hard drive from a 40-story building. Entertaining, but
equally ineffective.
So what does work?
Electronic "File-Shredding" Software
Electronic file-shredding software systems delete files in ways that
cannot be accomplished using Windows alone. These systems typically run
a routine that deletes files and then overwrites the areas where the
files are or were located on the hard drive with repeated patterns of
random characters. The more "passes" made by the overwriting routine,
the harder it becomes to recover the original information. The
file-shredding product and methodology used should comply with the
standards promulgated by the U.S. Department of Defense (DOD). Deleting
information pursuant to the DOD standard should satisfy the
"reasonableness" requirement.
The DOD has published guidelines related to the clearing and
sanitizing of PC media (DOD 5220.22-M, available at
www.dss.mil/isec/chapter8.htm, then see section 8-306), which recommend
that you "overwrite all addressable locations with a character, its
complement, then a random character and verify for all writable media"
(that is, hard drives, floppy drives, backup tapes, ZIP disks, flash
drives, and so on). An example of an electronic shredder that can
perform these functions is the DataEraser software system, produced by
zDelete. Its Web site (www.zdelete.com/dod.htm) displays the DOD's table
prescribing the specific methods required for adequate and compliant
information destruction on all sorts of media types in common use in law
practices.
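The overwrite sequence quoted above (a character, its complement, then random data, with verification), sketched in Python as an added example; it is not code from this article or from any product it names. The pattern byte 0x35, the function names, and the temporary file standing in for a piece of media are assumptions made for illustration.

```python
import hashlib
import os
import tempfile

CHUNK = 64 * 1024  # bytes per write/read call


def overwrite_pass(path, size, byte=None):
    """Overwrite `size` bytes with `byte` (random data if None), then verify."""
    written, readback = hashlib.sha256(), hashlib.sha256()
    with open(path, "r+b") as fh:
        remaining = size
        while remaining:
            n = min(CHUNK, remaining)
            block = os.urandom(n) if byte is None else bytes([byte]) * n
            fh.write(block)
            written.update(block)
            remaining -= n
        fh.flush()
        os.fsync(fh.fileno())  # push this pass out of OS buffers before the next
        fh.seek(0)
        while chunk := fh.read(CHUNK):  # verify: hash what the file holds now
            readback.update(chunk)
    return written.digest() == readback.digest()


def sanitize(path, character=0x35):  # 0x35 is an arbitrary pattern (assumption)
    """A character, its complement, then random data; every pass verified."""
    size = os.path.getsize(path)
    passes = [("character", character), ("complement", character ^ 0xFF), ("random", None)]
    for name, byte in passes:
        if not overwrite_pass(path, size, byte):
            raise OSError(f"verification failed on {name} pass")
    return [name for name, _ in passes]


def demo():
    """Constructed sample data in a temp file stands in for a piece of media."""
    secret = b"CONSTRUCTED SAMPLE: privileged client memo\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(secret)
    try:
        passes = sanitize(tmp.name)
        with open(tmp.name, "rb") as fh:
            after = fh.read()
        return passes, len(after) == len(secret), b"privileged" in after
    finally:
        os.remove(tmp.name)
```

This overwrites a single file in place. Retiring a drive means applying the same passes to every addressable location on the device, including free space and deleted files, which is the job of a dedicated disk-wiping tool.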
Be aware of all the places where data may be located. These include
but are not limited to:
- hard drives in PCs
- old hard drives that are no longer used but still contain
recoverable information
- floppy disks of all sizes (don't forget those in storage)
- ZIP disks and other removable data cartridges
- backup tapes
- the newer "flash drives"
Many software products will accomplish electronic file shredding to
DOD standards. A Google search of "file deletion software" will yield a
treasure trove of capable utilities. Products such as DataEraser,
CyberScrub (www.cyberscrub.com), and many others are suitable. DOD
5220.22-M certification indicates that a product meets the DOD
standards. Be certain to read the instructions and use the product
correctly.
Finalize a D.U.M.P.
It is imperative, from a legal and ethical perspective, to comply
with software license agreements. You must remove all licensed software
that you do not intend to formally transfer with the PC system. Read
each end-user license agreement to learn precisely what you must do with
each software product on any computer hard drive or other electronic
media you plan to get rid of. This means considering media like CD-ROMs,
DVDs, floppy disks, backup tapes, digital film, and so on.
Then, a "best practices" approach is to create a formal written
computer usage policy detailing the goal of the D.U.M.P. process, the
process itself, and the requirement that the process always be used when
disposing of PCs or electronic media. This is the most complete way to
protect yourself.
Be sure to inform your clients of their need to take the same
precautionary measures when they dispose of their PC systems and media.
There have been many instances in which corporate clients have tossed
backup tapes - packed with damaging information about a matter in
litigation - into a Dumpster, and Dumpster divers hired by the
opposition have found the tapes and used them against the corporate
clients.
Technical Assistance
If you don't understand, or don't want to acquire and learn to use,
electronic file-shredding software, hire an expert to handle the
disposal process for you - it will be money well spent. Be certain to
get a written statement from the service provider documenting its
destruction of the information, the methodology and software used, and
its compliance with the DOD standards. Ideally, such a written statement
also would contain language indemnifying you or your firm's lawyers from
liability for the service provider's failure to adequately destroy the
information.
Computer Retirement Options
Once the critical step of removing the data and licensed software is
accomplished, consider how to dispose of the computer. The main options
are sale, donation, and recycling.
Sale or donation to employees. To avoid the hassle
of selling computers in the marketplace, sell or donate them instead to
your employees. Offering to your employees relatively recent PCs that
are still usable for personal or educational use may make a lot of sense
and be seen as an employee benefit.
Donation to a charitable entity. Do not foist your
computer disposal problems on a charity. Charities often have the same
software and hardware needs as you do. They may not be able to use
486-class or older PCs or even early generation Pentium 4s, although
some charities might want them for vocational training or for parts. In
fact, many well-known charitable organizations have stopped accepting
computers and monitors altogether. Check with the organization before
you donate.
If you cannot find a local organization to donate to, think
nationally. One group to consider is the National Cristina Foundation
(www.cristina.org), which matches companies and individuals interested
in donating computer equipment with nonprofit organizations and schools
that serve people with disabilities in the United States and abroad.
Donors send equipment directly to the beneficiary. Run the Google search
"donating used computers" to locate other donation recipients.
Recycling. Taking up space in landfills is one
problem. In addition, computers and monitors contain high levels of
lead, mercury, and other environmental contaminants. The good news,
according to the U.S. Environmental Protection Agency (EPA), is that 50
percent of the materials in a personal computer can be recycled.
To find a reuse and recycling program in your area, contact your
state or local waste management agency or try the Electronic Industries
Alliance Environment Web page at www.eiae.org. For basic information on
how to reduce electronic waste, along with related Web links, see the
EPA's Web site,
www.epa.gov/epaoswer/hazwaste/recycle/ecycling/basic.htm.
Some computer manufacturers (including Dell, Gateway, HP, IBM, and
Apple) also offer product take-back services to their customers for
trade-in on a new product, recycling, or donation to needy people or
groups.
For those of you who prefer to think of old PCs as antiques or
historical relics, there's a Web site for you, too:
www.old-computers.com. Wax nostalgic for your old computer among more
than 800 examples in their computer "museum." If you don't find your
computer there, try Google's collection of historical computers at
http://directory.google.com/Top/Computers/History. You never know, your
old PC might be just the one some museum is looking for.
The bottom line is simple. PC in the Dumpster = potential malpractice
claims, ethical violations, and embarrassment. Develop a D.U.M.P. for
your firm or law department, then make the plan official policy, and use
it.
Ross L. Kodner is
president and founder of MicroLaw Inc., a national legal technology
consultancy based in Milwaukee. He can be reached at rkodner@microlaw.com, www.microlaw.com, and (414)
540-9433.
Courtney G. Kennaday is the practice
management advisor for the South Carolina Bar where she helps lawyers
deal with a myriad of law office issues. She can be reached at courtney.kennaday@scbar.org.
Wisconsin Lawyer