Keith and I were recently featured in the March 2008 edition of Entrepreneur magazine discussing the challenges of data retention and data destruction for small businesses.  The article "Storage Smarts" by Amanda C. Kooser, Entrepreneur's Assistant Technology Editor on page 28 of the magazine is kind of short but has a great picture of us.  I wanted to take this opportunity to expand a little bit on what was covered in the article.

Amanda's article focused on the difficulties and expense that small businesses face when trying to determine how long they have to retain various types of data and how to go about proper destruction of the data when it is no longer needed.  When we get questions like this from our clients I like to point to the 1999 Gramm-Leach-Bliley Act, commonly known as GLB or GLBA, as a model for what to protect and how to properly dispose of it later.  Better yet the GLBA charges the Federal Trade Commission with developing standards for protection and destruction of "personal information".  The FTC defines personal data as:

• Names
• Addresses
• Phone numbers
• Bank and credit card account numbers
• Income and credit histories
• Social Security numbers

While the GBLA and the FTC's Safeguard and Disposal Rules are really intended to address the responsibilities of "financial institutions", I believe they are excellent policies for almost every organization.  The FTC has created clear and concise documentation that is designed with enough flexibility that even the smallest company could implement a safeguard and disposal program without great difficulty or expense.

In paragraph four of the article Amanda asked me how we stored sensitive client data that was no longer being used.  We were specifically discussing the data storage problems associated with long term storage of large quantities of client data from our e-discovery and computer forensic services.  I know that I come off sounding kind of old school stating "Hard drives fail. If we have to hold data for more than six months, we transfer it to tape."  I know that kind of thinking gets a lot of SAN, NAS and other RAID storage vendors sputtering but I live in the real world where hardware just inexplicably dies.  The average expected life time of a hard disk is 5 years while the expected life time of a tape is 30 years.  I don't expect you to take my word for this; I direct your attention to the really smart guys at Google Research and their award winning paper "Failure Trends in a Large Disk Drive Population", where they go into great detail on how and why hard disks fail.  They also debunk the myth that hard drives fail due to heat or overuse.  One of my other references for hard disk failure is a highly technical paper from the Computer Science Department at Carnegie Mellon University, with the provocative tile "Disk failures in the real world: What does an MTTF of 1,000,000 hours mean to you?" (Beware: there is math with Greek characters and Poisson assumptions) where researchers are able to show that the Mean Time To Failure (MTTF) of a hard drive is actually much lower than what drive manufactures suggest.   

On the other hand, tape drives have actually been around since 1951, although they didn't start to see common use until the IBM System/360 "9 track" tapes arrived in 1964.  I was personally still using the IBM System/360 tapes on military systems as late as 1995 and I'm sure there are still some in use today.  To summarize my point, magnetic data tapes are very survivable, highly portable and with proper care will store large amounts of data for decades.  I know that some people also dismiss tape as being too slow.  For data that needs to be accessed on a regular basis I completely agree that tape is not the ideal storage media.  When we are talking about long term data retention of large amounts of data, the current generation of LTO-4 tapes store 1.2-1.4TB at a transfer rate of 120MB/sec.  In real world daily use we can typically transfer a little over 100GB of data from SATA II disks to LTO-4 tape in one hour.  Things like hashing, encryption and Write Once Read Many (WORM) can all slow down the tape speed.  The ability to easily do WORM on LTO-4 tape is a big bonus if you are required to be Health Information Portability and Accountability Act (HIPAA) compliant.  By simply using WORM tapes in a most LTO-4 drives you get a tape that can be read but not altered.  We have found the Exabyte/Tandberg Data external SCSI LTO-4 drives to be easy-to-use and very reliable.

As for destruction of large amounts of magnetic media, check back for our upcoming paper on the disposal process of over 600 (60TB) pieces of media.  We'll discuss everything from the initial planning through physical shredding of hard disks.

I want to express our thanks to Amanda C. Kooser, Matt Samarin and everyone else at Entrepreneur magazine.