Language You Use For Data Destruction

[RichmondTech]

I've been recycling computers for my clients now and always wipe the drive before it leaves my possession. I was looking to provide disk wiping as a stand-alone service and was wondering what language others use to protect themselves from liability.

I took in a laptop hard drive the other day and the customer wanted me to copy their data onto an external hard drive and then wipe the original. Here is the language I'm currently using to describe the data wipe. Feedback is suggested. I'm giving them seven days to make sure they have everything they wanted before I proceed with the wipe. I have them initial on the description line and sign at the bottom of the invoice.

Hard drive data destruction. Customer has until 09/22/2011 to verify all the data they want is on another storage device. Customer can request additional data be extracted from hard drive prior to data destruction date at no additional charge. On the data destruction date (09/22/2011), hard drive will be run through seven passes to erase data using a DoD-compliant disk sanitation software program. Customer acknowledges that after this process has started there will be no way for <my business> to extract any additional data off of the drive and will not hold <my business> liable for any data loss. Customer initials: ______________

Of course if someone just comes in with a disk they want wiped I obviously wouldn't wait seven days.

 

[PC-MOT]

Seems quite long winded to me.
I would just put:

I understand that after (date) my system will be recycled and therefore all data will be lost and unrecoverable.
Customer Signed_____________________

 

[RichmondTech]

Seems quite long winded to me.
I would just put:

I understand that after (date) my system will be recycled and therefore all data will be lost and unrecoverable.
Customer Signed_____________________

Yeah, I wish home purchase contracts were like that too.

"I'm buying the house from <seller>. Customer Signed ______________"

I don't mean for it to be long winded but it does have to be complete as far as what the expectations are. Things like this are put in place to help avoid litigation and I'm not sure a one-liner is gonna cut it.

 

[ATTech]

Yeah, I wish home purchase contracts were like that too.

"I'm buying the house from <seller>. Customer Signed ______________"

Wiping a hard drive vs buying a house is a bad analogy.

I don't mean for it to be long winded but it does have to be complete as far as what the expectations are. Things like this are put in place to help avoid litigation and I'm not sure a one-liner is gonna cut it.

In that case, I would check with a Lawyer, as they are the most qualified to help prevent/minimize litigation.

 

[Tony_Scarpelli]

I have a couple of thoughts-

First, I recycled over 5 years now probably averaging between 5-20 pc's a week. I don't give any receipts nor written explanation of what I do with the equipment. I just tell them all HD's are wiped unless they are failed in which case they are destroyed.

Second, I do not know why you would hamstring yourself by putting in writing a requirement that effects your timing and operations of moving your recycled equipment. Does not make sense to me to do this for free.

Third, I offer "If you want a piece of paper, a "certified wipe" is $35 per drive and it comes with a pretty certification and tech's signature and serial number of each drive, date and time of wipe." I have a machine that supposedly does Hipca/DoD level wipes. I thought I would offer this service so I got a multi-thosand dollar hd analyzer machine to do it along with hd analysis and recovery. I have yet to collect a single fee in 3 years or 100's of computers.

I don't think there is any liability against you for accepting their recycling. Its all on them. Unless you commit yourself in writing to something. Then you just put your tail on a hook. If they need it, let them pay you for it, otherwise why trouble yourself and your operations? I wouldn't do that unless i collect a fee for it. One more thing, you are offering a DOD wipe, I have a friend who has a contract with the military and he has to drill holes through the drives and certify their physical destruction. So I wonder if you are not opening yourself up to a law suit in that if you told me a DOD level cleaning I could come back and say where is the proof of destruction? When you don't have it, now I have something for the lawyers to go after you with.

I just don't get why you would do that?

 

[RichmondTech]

First, I recycled over 5 years now probably averaging between 5-20 pc's a week. I don't give any receipts nor written explanation of what I do with the equipment. I just tell them all HD's are wiped unless they are failed in which case they are destroyed.

This is what I have been doing as well.

Second, I do not know why you would hamstring yourself by putting in writing a requirement that effects your timing and operations of moving your recycled equipment. Does not make sense to me to do this for free.

I have not done this for recycled equipment. I did it for the customer who was paying me to copy data onto an external drive then erase the original drive for disposal. The last thing I wanted was to immediately do the wipe and have her say "I forgot to tell you about getting this file (that's in some cryptic location deep in the filesystem)". If someone walked in off the street and just wanted me to wipe a drive I'd do it immediately.

Third, I offer "If you want a piece of paper, a "certified wipe" is $35 per drive and it comes with a pretty certification and tech's signature and serial number of each drive, date and time of wipe." I have a machine that supposedly does Hipca/DoD level wipes. I thought I would offer this service so I got a multi-thosand dollar hd analyzer machine to do it along with hd analysis and recovery. I have yet to collect a single fee in 3 years or 100's of computers.

Yeah, I wasn't going to get a special device just for this. I'd never see the return on investment.

If they need it, let them pay you for it, otherwise why trouble yourself and your operations? I wouldn't do that unless i collect a fee for it. One more thing, you are offering a DOD wipe, I have a friend who has a contract with the military and he has to drill holes through the drives and certify their physical destruction. So I wonder if you are not opening yourself up to a law suit in that if you told me a DOD level cleaning I could come back and say where is the proof of destruction? When you don't have it, now I have something for the lawyers to go after you with.

You're right. I will change the description to "hard drive will be run through seven passes to erase data using a disk sanitation software program" and not mention DoD. Thanks Tony.

 

[Tony_Scarpelli]

OK what I do in that case is offer to keep her drive for 7 days and destroy it. If she finds that some files are missing then she can call me and I can do another search.

Yes, it is a big problem finding files in the wrong folder, or some program that segregates it to another folder out of the my docs.

 

[NETWizz]

I don't work with clients, but I do sign a standard form certifying that I carried out destruction of data pursuant to DOD 5220.22-M.

 

[PDXMicro]

Personally, I like your statement and think it should be good. If you are really paranoid though, I would take the advice of ATTech and get a lawyer to look over it and modify it for you.

 

[maclaptech]

Just buy a hard drive shredder...

 

[Wheelie]

Just buy a hard drive shredder...

Or take it outside and beat it with a hammer ... then recycle it.