When A Business Fails, Where Does The Data Go?

When Circuit City went out of business recently, where did all of their data go?

I have seen a couple of articles lately on this and thought it would make a good discussion topic in light of PCI compliance and the fact that this topic is not discussed by the PCI DSS.  Given the economic contraction we are in, this will likely become a big point of discussion for the PCI SSC and the card brands.  I have also been part of a couple of going out of business shutdowns, so I can give you some first hand experience of what can happen.

In the case of Circuit City, Systemax, Inc., owners of the TigerDirect and CompUSA brands purchased the online assets of Circuit City and the right to use the Circuit City logos, trademarks and other intellectual property.  However, the Circuit City online presence was only a portion of the total automated presence of Circuit City.  What happened with all of the transaction data from Circuit City’s brick and mortar stores?  From the news releases, it is unclear what happened to the data generated by the stores, so time will tell if this data was handled properly.

From my own experience, what happens to an organization’s data when it ceases to be an organization can be haphazard at best.  The reason is that many of the key people that know where all of the data resides have usually left by the time the liquidation team arrives.  For most organization of reasonable size, documentation is usually available, but the necessary detail to point out non-obvious locations may not be in any of the available documentation.  The reason for the gaps in documentation is not deliberate or for job security.  It typically occurs because people forget all the details unless they are prompted.  This is why professional documentation analysts can be invaluable because they are trained to dig out this level of detail for documentation.  Unfortunately, most organizations cannot afford this cost and, as a result, the documentation does not contain all relevant details.

While data obviously resides on servers and data storage systems, organizations can have off-site storage as well as numerous other locations where data can be stored.  I had an organization that had data stored at three different off-site storage vendors.  The reason was that they had had four different CFOs in the last three years and three of those individuals changed off-site storage vendors for reasons of cost and level of comfort with the vendor.  By the time I got there, I was only able to find two of those vendors as they were still transitioning to the new vendor.  I got lucky about the other vendor when I happened to run into a former employee who let me know about the other vendor during our conversation.  Had I not had this fluke of a run in, I would have never known about the third vendor.

Then there is the documentation related to the applications that store data.  It is difficult enough when the business is running to get people to determine what applications store PCI in-scope data, let alone other personally identifiable information (PII).  However, it is 100 times more difficult when a business is going out of business to locate the important data to ensure that it is handled properly.  Even when a business is going out of business, there is certain data that still needs to be retained for historical or customer service purposes.  While you do the best you can to get it all, I will guarantee you that you will miss something.

And retaining data is just not about doing back ups.  You also need to capture the operating system, system software such as any RDBMS and the application software.  After all, if you only have the data, how do you make heads or tails out of it if you cannot restore the application?  As a result, you need the application and its operating environment in order to ensure you can get at the data intelligently.  However, because of hardware changes, your ability to recover may be severely limited or may become impossible.

Once the data that needs to be retained has been captured and backed up, it is time to properly get rid of the rest of the data by ensuring that data that can be destroyed is properly destroyed.  Just going through and deleting files is not good enough.  If the hard drives will not be sold or fail after being powered down, then they should be physically destroyed.  If the hard drives will be sold for reuse, you need to follow the Department of Defense National Industrial Security Program Operating Manual (NISPOM) standard 5220-220M that states:

“Overwriting is a software procedure that replaces the data previously stored on magnetic storage media with a predefined set of meaningless data.  Overwriting is an acceptable method for clearing.  Only approved overwriting software that is compatible with the specific hardware intended for overwriting will be used.  Use of such software will be coordinated in advance with the Customer.  The success of the overwrite procedure will be verified through random sampling of the overwritten media.  The effectiveness of the overwrite procedure may be reduced by several factors: ineffectiveness of the overwrite procedures, equipment failure (e.g., misalignment of read/write heads), or inability to overwrite bad sectors or tracks or information in inter-record gaps.  To clear magnetic disks, overwrite all locations three (3) times (first time with a character, second time with its complement, and the third time with a random character). Items which have been cleared must remain at the previous level of classification and remain in a secure, controlled environment.”

There are all sorts of shareware programs available for all platforms for conducting a NISPOM-compliant disk wiping programs.  So, there is no excuse for not properly wiping the drives before you sell them off.  While hard drives can be degaussed, I have found that the degaussing process can sometimes cause the controller board or other electronics of the hard drive to fail.  So, if you are reselling the hard drives, I recommend using a DoD-compliant wiping program to ensure that the hard drive is still in working order after the data is destroyed.

For magnetic tape, you need to either degauss or destroy the tapes.  If the tapes will not be resold, then they should be physically destroyed.  If they will be resold, I highly recommend hiring a professional company to degauss the tapes before you resell them.  Degaussing is not just running the tapes past a magnet a couple of times.  It requires professional degaussing equipment that costs tens of thousands of dollars to ensure that the magnetic field is strong enough to wipe the bits on all recording surfaces.


0 Responses to “When A Business Fails, Where Does The Data Go?”

  1. Leave a Comment

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s


If you are posting a comment, be patient, as the comments will not be published until they are approved.

If your organization has a PCI opportunity, is in need of assistance with a PCI issue or if you would like the PCI Guru to speak at your meeting, you can contact the PCI Guru at pciguru AT gmail DOT com.

I do allow vendors to post potential solutions in response to issues that I bring up in posts. However, the PCI Guru does not endorse any specific products, so "Caveat Emptor" - let the buyer beware. Also, if I feel that the response is too "sales-ee", I reserve the right to edit or not even authorize the response.


May 2009
« Apr   Jun »

Enter your email address to subscribe to the PCI Guru blog and receive notifications of new posts by email.

Join 1,941 other followers


%d bloggers like this: