Disposing aging, depreciated or unneeded tape cartridges is an age old problem that companies resolve in one of three ways: they destroy them; they store them; or, they trade them in for hard cash or credits from resellers. This last option generates more than passing interest from companies since it offers them the opportunity to generate some revenue (or at least offset the cost of new tape cartridges). However the liabilities associated with the data on these recycled tape cartridges landing up in the wrong hands may outweigh whatever cost savings companies hope to achieve.
On the surface, trading in tape cartridges sounds like a win-win scenario for both your company and the reseller. Your company gains some additional revenue or credit towards the purchase of new tape cartridges while the reseller obtains used tape cartridges that it can resell at a nice mark-up. This also alleviates that nagging issue of managing the disposal of tape cartridges since this task rarely makes it to the top of anyone’s to-do list.
However the risk that companies run when they dispose of tape cartridges in this manner is when resellers who claim they will erase or destroy the data fail to follow-through on their promise or do not do a thorough job of destroying the data on the tape. The emergence of more laws in the last few years holds companies liable for customer data on whatever media it resides (to include tape cartridges) regardless of who ends up with it. So companies need to understand the risks they assume when they trade-in tape cartridges to resellers who promise to erase and destroy data on these tape cartridges. However companies may fail to understand how they can still run afoul of the law when resellers do not make good on their pledge to delete the data on the tape or destroy the tape as promised.
For example, if a reseller fails to erase or destroy the data on the tape cartridge before they resell it, this may sound like a simple matter of neglect on the part of the reseller and the company is off the hook from a liability perspective. However this is not necessarily the case. If the company did not sign a certificate with the reseller in which the reseller guarantees that the data and/or tape will be destroyed and the reseller assumes all liabilities for the data after it is in its possession, guess what? The company may still be on the hook for the data on that tape regardless of where that data eventually shows up.
Also, do not assume that even if the company and the reseller do sign a guarantee that the reseller assumes all liabilities as companies like Imation tell me they stop short of making such guarantees. Even when resellers demonstrate that the tape is erased before they resell it, not every reseller erases tapes in the same manner that leaves readable data still intact. At the beginning of each tape cartridge, there is a bit set to either “0” or “1” such that if the bit is set to “0” the tape drive reading the tape interprets this “0” to mean that the tape cartridge is empty. Conversely, if the bit is set to “1”, it means that the tape cartridge contains data on it.
The problem that emerges is there an option where erasing tape cartridges that allows the tape drive to perform a “quick” erase by flipping this bit from “1” to “0” which indicates to the tape drive that the tape cartridge is “erased” and empty. The problem with adopting this approach to tape erasure is that all someone needs to do is flip this bit on the tape cartridge from “0” to “1” and the data on the tape cartridge becomes accessible again.
To prove the ease in which data can be recovered by just flipping this bit on tape cartridges, Imation recently conducted a test in its labs to figure out just how many “recertified” used tapes available through standard commercial channels fall into this category. For the purposes of this test, Imation acquired 100 “recertified” used LTO tape cartridges and then used off-the-shelf computers, LTO tape drives and storage devices in conjunction with Internet access to see how many tapes it could retrieve data from. The results of the test were notable in that Imation was able to retrieve data on nearly one-third of the tape cartridges with minimal effort by just flipping the bit on the tape cartridge and then trying to read back data from the tapes. Most notable was the sensitive data that it was able to recover which included:
- Internal bank auditing procedures, account numbers, employee credit card records, computer user names and computer server inventories from a global banking institution
- Patient names, addresses, phone and Social Security numbers, clinical records and doctor diagnoses from a major US hospital
- Field research data including geographic coordinates and conditions, names and email addresses of researchers from a tape from a scientific research center
Further, Subodh Kulkarni, Imation’s VP of Global Commercial Business, R&D and Manufacturing, said that Imation did not take extraordinary efforts in trying to recover this data such as using specialized tools that data recovery companies like Kroll Ontrack might utilize. If the individuals in Imation’s labs who were performing the tests could not recover or read the data on the tape cartridge within a few minutes after flipping the bit, they simply discarded that tape and went on to the next one. However the tapes that were unreadable and inaccessible were the exception, not the norm. According to Kulkarni, “Most of the tapes just had the bit flipped so it was easy to recover the data since in all of these cases the data on the tapes was unencrypted.”
Companies may hope to make a fast buck and alleviate themselves of some responsibility of deleting data from old tape cartridges by outsourcing this responsibility to third party resellers. However in this day and age, companies need to carefully evaluate the short and long term liabilities of such a strategy since it appears that the job that resellers do in re-formatting tapes is poor to say the least and make it far too easy for almost any individual with basic skills and computer equipment to recover this data as Imation so aptly demonstrated in its labs