Culture and Context:
Data destruction
By Susan Miller
Published on February 9, 2006 - 03:52 AM
Rep. Edward Markey (D-MA) introduced a bill called the Eliminate Warehousing of Consumer Internet Data Act of 2006. The bill would require “owners of Internet websites to destroy obsolete data that can be used to individually identify a consumer, including credit card numbers, bank numbers, and date of birth, home address and Social Security numbers.‿ Here’s the press release, but it’s not on Thomas yet. This snippet sounds more like grand-standing than like any real attempt to institutionalize data privacy policies:
“In this digital information age, personal identifiers are the keys which unlock the personal lives and valuable possessions of millions of Americans. Internet companies are often able to glean personal information through a computer user’s surfing and searching of Internet sites. Such entities should not hoard these personal identifiers in databases that often hold the imprints of millions of individuals and their Internet use. This warehoused personal information about consumers’ Internet use should not be needlessly stored to await compromise by data thieves or fraudsters, or disclosure through judicial fishing expeditions.‿ said Rep. Markey, who is also the author of H.R. 1078, “The Social Security Number Protection Act,‿ a bill aimed at protecting consumers from the abuse of the purchase and sale of social security numbers.
That graph that boggles my mind, but I'll put it down to politics.
Meanwhile, I’ll be interested in the details of the bill – who exactly is identified as the “owner‿ of the Website (the company or the ISP), what’s the difference between the Website records and company records, how old is data before it’s considered “obsolete‿ and what method of data destruction is recommended. With all the press on data mining searches, cookies, discarded computers and dumpster diving, I can see why such a bill would get popular support. But at the same time (and I’m speaking in the most general of terms), I don’t know how happy I’d be to be required to destroy info about my customers. Plus, there’s all those privacy, secrurity, compliance and record retention laws to work within too.
In the event that companies do have to destroy data, NIST has just released draft guidelines for media “sanitation‿ (NIST Special Publication 800-88, February 2006).
When storage media are transferred, become obsolete, or are no longer usable or required by an information system, it is important to ensure that residual magnetic, optical, or electrical representation of data that has been deleted is not easily recoverable. Sanitization refers to the general process of removing data from storage media, such that there is reasonable assurance, in proportion to the confidentiality of the data, that the data may not be retrieved and reconstructed.
The NIST guide is designed “to assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information. It does not, and cannot, specifically address all known types of media; however, the described sanitization decision process can be applied universally.‿
|
|
 |
|
There are currently no comments to display.
|
|
|
|
To post a comment, you must be a registered user of FCW.com and be logged in. Use one of the forms below to login or register for FREE to FCW.com. To protect your privacy, you can use an alias as your username.
|
|
|
|
