Warranty void if seal shredded?

Published: 2009-05-15
Last Updated: 2009-05-15 14:16:14 UTC
by Daniel Wesemann (Version: 2)
5 comment(s)

Fellow ISC handler Patrick Nolan commented earlier on the changes to HIPAA requirements that the recent HITECH act brings to hospitals and health care providers in the U.S. The portion that I want to dive into with a bit more detail is

"Electronic media [must be] cleared, purged, or destroyed consistent with NIST Special Publication 800-88, Guidelines for Media Sanitization such that [sensitive information cannot] be retrieved."

NIST 800-88  is pretty succinct and explicit in its demands on how media and harddisks are to be purged or destroyed. "Purging" refers to making the contents unreadable by "degaussing" the disk or using the "secure erase" command in the drive's firmware. "Destroying" in the words of NIST includes "Disintegration, Pulverization, Melting, and Incineration".

So far, so good. But there's a catch. Let's assume that you have a hard drive which contains sensitive data. It doesn't really matter if you are a bank or a hospital or a cutting-edge research shop: The data on the disk is vital. And the disk just snuffs it one day and refuses to spin. Let's further assume that - not uncommon for servers - the disk is still under warranty, and if you ship it back to your vendor, you'll get it replaced for free.

Now what? According to NIST 800-88, a disk with sensitive content which leaves your organization's control has to be destroyed. I strongly suspect though that shipping a baggie of metal confetti back to your vendor could slightly impair your warranty rights. Shipping the disk as-is, on the other hand, exposes your data to all sorts of nightmares, not the least of which being your vendor getting it back to spin and reselling it on eBay as "used, in working condition".

How do you deal with this problem? Do you shred all the disks that leave your shop, forgoing the warranty? Do you degauss the disks before returning, hoping that the degausser actually does its job and the vendor's check doesn't mind? Did you carefully vet your vendor's media handling and have full traceability for all disks returned? Or do you simply take the plunge and hope that your old disk vanishes in the sea of disks offered for resale?

Please let us know by participating in the poll to the right!

Update 1400 UTC: Here's a summary of the responses we received so far. Thanks for all the comments!

The consensus of the responses we received is that saving the cost for a harddrive replacement is never worth the embarrassement, loss of customer confidence and legal mess to be expected when the drive turns up somewhere down the road with the data still intact.

How this is achieved seems to depend on the "muscle" that a firm can bring into negotiations with the vendor. Readers from larger firms and government entities reported that their contract allows them to destroy drives and still get replacement under warranty.

Smaller entities usually just "take the hit", shred the drive, and chalk the replacement down as cost of doing business.

We also received a few responses of readers who use a degausser, and then ship the drive back for warranty replacement. This seems to be a minority though - from the responses we got, most firms don't bother with degaussing, and go for physical destruction in all cases.

Several readers also pointed out that the whole problem starts one step prior .. you need to first find out which of your devices contain disks (multi-functional printers, anyone?) and make sure that your purging/destruction process chosen actually catches them all.

Some comments indicated that full hard disk encryption has made it possible to ship disks around, no problem, but others said that even with encryption, they would not take the risk.

5 comment(s)

Comments

My company has a deal with HP. If a drive fails we fill out a form to confirm that the drive has failed and has been destroyed and they send a replacement. We locally destroy the drive by pulverizing it. That's the fun part!
One way to solve such a problem is to use encryption. Many commercial DB will allow you to fully encrypt your data and store the key on a separate location (for instance, a USB stick inside your machine). Full disk encryption for DAS is still problematic, but it's another worthwhile solution and there are product that works with SANs at various level that will ensure all data in store is encrypted. All these solution will pretty much make sure no one can recover data off failed hard drive. And as a poor man's solution, you can always use hardware RAID5 which will make sure no single disk contains more than a fraction of your complete data, usually in a pretty useless way.
Most large vendors (in my experience) will either sell you a "keep your bad disks" rider on your warranty or will allow you to certify the destruction of a disk for warranty replacements. Alternatively, a degaussed disk is externally indistinguishable from a non-degaussed disk...
RAID5 isn't much of a solution. Most RAID5 approaches default to a chunk size of at least 64K, and my personal experience is that performance is roughly optimal when the chunk size is roughly equal to (avg_seek_time + avg_rotational_latency) * physical_transfer_rate (that is to say, when the time to get to a random piece of data on the disk is roughly equal to how long it takes to read a chunk from the disk). For modern drives, that's 512K or larger. That means you're looking at pretty big chunks, so while you're not going to reconstruct a file system or large files in whole, a inquisitive adversary will find plenty of large chunks of your data . . .
In addition to large vendors that already offer a "keep your bad disks" support plan, there is also at least one vendor that will accept the top cover of the drive as evidence that it has been destroyed.

Diary Archives