Crush, Kill, Destroy
When it comes to deciding what data you should jettison, I'm going to have to leave that up to you and your legal counsel (did I mention that I'm not a lawyer?). Basically, if you're not legally obligated to keep it, and there's no real technical reason, I'd encourage you to get rid of it. Erase it, and make sure that you remove the backups as well. If you're really going to destroy data, then make sure you get all of it, which of course leads to another important consideration: where is the data we want to get rid of stored?
One of the most obvious locations of data that should be removed is the hard drive. Unfortunately, this is also where a lot of mistakes are made. Simson Garfinkel recently published a fascinating and revealing article titled "Remembrance of Data Passed: A Study of Disk Sanitization Practices" (882 kb PDF) that every security pro should read. Garfinkel and his associate acquired more than 150 hard drives from eBay and offline sales, many of which were supposed "erased". They were able to recover data from 64 per cent of the drives. Some of the data they recovered included:
- 3,722 credit card numbers
- Bank account numbers, access dates, account balances, and even ATM software from a hard drive used in an ATM machine in Illinois
- Memos about corporate personnel issues
- Email messages
Garfinkel's larger point in his article is that merely formatting or fdisking a drive really does very little (in fact, fdisk only overwrites about 0.01 per cent of the drive's sectors). Data is still easily recoverable. To really erase the contents of a drive, sanitization software is required. Fortunately, there is some very good, very inexpensive (or even free) software available that can take care of this problem, no matter if you're using Windows, Mac OS, or *nix. Garfinkel recommends some software, but you can easily find other lists elsewhere.
Keep in mind that the software above will truly erase a drive, but still leave it usable. If you really want to make sure that data from a drive can't be recovered, and you want to work out your frustrations, then get a ball-peen hammer and beat the hell out of that drive until it's in pieces. Ain't no recovering that data.
Of course, you need to worry about more than just hard drives. What about USB drives? Palms and Pocket PCs? Cell phones? Laptops used by employees? Backup tapes, CDs, and DVDs? Routers? All these devices have the ability to store data on them that you may want to wipe. Heck, even the Furby - a talking doll - was a problem for the NSA a few years ago. All of these devices need to be covered by your policy, since any of them could be requested in a lawsuit.