Keeping the information contained in the company's IT equipment secure is an obvious priority. But as technology becomes outdated and is recycled, replaced or repurposed, keeping the data secure is still a vital part of the process.

“Confidential information has a lifecycle: it is created; it is stored; it is transferred; it is deleted or destroyed,” advises Mark Lobel, a partner in security, privacy and risk practice at PricewaterhouseCoopers. “Each part of that lifecycle should be important to companies.”

The security issues involved in IT disposal gained prominence from a 2010 CBS News investigation into data stored on digital photocopiers. But with new technologies come new challenges.

Solid-state drives, which are faster than traditional hard drives and used in many laptops, tablets and cellphones, and most recently were offered by Amazon's cloud service, cannot be wiped clean in the same manner as traditional disk drives.

About a billion pieces of computer equipment will be retired this year, according to Jim O'Grady, the director of asset management at HP Financial Services, and the disposal of IT assets is subject to 163 regulations worldwide.

To securely remove data, traditional drives undergo a process called a “military wipe,” which overwrites old data, erasing the previous data as it goes. Simply hitting “delete” will erase the index that points to where a file is stored on a disk, but those files would still be accessible using forensic technology. Government and industry standards typically call for multiple overwrites to ensure all data is removed.

However, even a military wipe isn't effective on a solid-state drive, which stores information directly in the hardware. A military wipe erases only 20% to 30% of the data on a solid-state drive, according to PwC's Lobel. “Some organizations have tested it and they recovered quite a lot of data,” he notes.

Companies can make data unreadable using hardware-based encryption, which is effective and doesn't take as many iterations to wipe clean. “But you have to know [the encryption function is] there, and you have to know this is an issue and take the extra step to enable the hardware-based encryption,” Lobel says.

When erasing the data is possible, it comes with its own challenges. Solid-state drives have to be programmed correctly to successfully implement an erase command, cautions Steven Swanson, an associate professor of computer science at the University of California, San Diego, who studies solid-state memory technologies. Some drives don't implement the command at all, and some have bugs and don't implement it correctly. In the case of USB thumb drives, there is no reliable way at all to erase data short of physically destroying the drive, Swanson adds, unless you are using a high-end, secure drive that can wipe itself.

“There's not an easy way for a user to check,” he says. “If there's a bug or an error in the software that runs inside your drive, you may tell it to erase the drive, it may tell you that it did that successfully, and if you go back and look for that data, you won't find any—but that data can actually still be there.”

Some systems may even claim to be securely erasing data in a way that's not currently possible. On a Mac laptop or desktop, Swanson says, “there's a command to securely erase the trash, and that involves just going in and erasing particular files.” But there could be many older versions of that file in other locations, “so erasing a single file is really, really hard. I don't know of a reliable way to do it currently.”

Swanson recommends asking manufacturers about it to ensure that they're aware of the problem. “That will make it clear to them that they need to provide a good solution. It's not hard to do…but it does require that you know a little bit of what you're doing on the manufacturer's side.”

And just as it's not hard for manufacturers, it's not very difficult for someone looking to recover your data: Swanson says an electrical engineer with a four-year degree and a moderately well-equipped laboratory could manage.

Keeping data around longer than required is a liability, PwC's Lobel says, even if the company isn't getting rid of the hardware. “If you have the IT assets and you aren't disposing in a secure fashion, you have a fiduciary responsibility,” he says. Companies could face an economic liability if information is compromised.

Even after a company sells IT assets, it is still held responsible. “Once you're in that chain, you can't separate yourself—that's a big surprise for a lot of our clients,” O'Grady says. “Never let your asset off your premise site without wiping the data. There's a lot of leakage that can occur.”

“You're putting your company's brand at risk,” O'Grady adds. “Especially when we talk to CFOs and treasury, they clearly see that how they treat e-waste is a major brand concern for them.”

For more on IT risk management, see CyberSecurity Review and Fail-Safe for Clouds.

© 2024 ALM Global, LLC, All Rights Reserved.