A colleague of mine may be getting sued...

[RJM62]

...for intentionally wiping a hard drive, at the client's request.

It turns out the client had an important document stashed in some odd location, and forgot to back it up when he gave the PC to my friend for secure data deletion / recycling. Now he wants his document back, and my buddy already wiped the drive -- using the Gutman method, no less. Talk about irrecoverable data.

Unfortunately, he didn't obtain any sort of written document from the client, who now claims he didn't know that the data would really be irrecoverable, and is threatening to sue.

I do a lot of those jobs myself, usually on a handshake. Not any more. I just finished drafting a form that future clients will have to sign stating that they are indeed hiring me for the specific purpose of rendering their data irrecoverable. I'll have my lawyer look it over tomorrow. A lot of these jobs come up this time of the year, as people get rid of their old computers after the holidays.

-Rich

 

[poadeleted20]

In business, it's usually better to bring in the lawyer for advice before you do something, rather than after.

 

[DawnW]

Let's just hope the client understands that he/she would have to make a sworn statement that he/she didn't know the data would really be deleted when contracting to have a hard drive wiped. Some people (but surprisingly, not all) are averse to intentionally making themselves look like idiots, especially on the record.

 

[RJM62]

In business, it's usually better to bring in the lawyer for advice before you do something, rather than after.

True, but at least my form will give him an idea of what the service I'm offering consists of, and what protections I want the form to provide.

The way it usually works is that I create a document in such a way as to clearly spell out what I want it to say, and then I pay the lawyer to make it incomprehensible.

-Rich

 

[RJM62]

Let's just hope the client understands that he/she would have to make a sworn statement that he/she didn't know the data would really be deleted when contracting to have a hard drive wiped. Some people (but surprisingly, not all) are averse to intentionally making themselves look like idiots, especially on the record.

Good point. Thanks. Maybe that will cheer him up.

-Rich

 

[Pi1otguy]

Not to nitpik too much, but should #4 be changed a bit? Something like " ... it will not be recoverable by any means whatsoever that are currently available." incase someone with too much time wants to sue over the theoretical recoverability of the data. Basically, the whole CIA using magnetic force microscopes theory.

I'd say don't worry, but shakedown lawsuits are a problem for certain industries as defense cost and discovery can be costly.

 

[RJM62]

Not to nitpik too much, but should #4 be changed a bit? Something like " ... it will not be recoverable by any means whatsoever that are currently available." incase someone with too much time wants to sue over the theoretical recoverability of the data. Basically, the whole CIA using magnetic force microscopes theory.

I'd say don't worry, but shakedown lawsuits are a problem for certain industries as defense cost and discovery can be costly.

Thank you. Good point.

-Rich

 

[jesse]

Not to nitpik too much, but should #4 be changed a bit? Something like " ... it will not be recoverable by any means whatsoever that are currently available." incase someone with too much time wants to sue over the theoretical recoverability of the data. Basically, the whole CIA using magnetic force microscopes theory.

I'd say don't worry, but shakedown lawsuits are a problem for certain industries as defense cost and discovery can be costly.

Thank you. Good point.

-Rich

Keep in mind that such a thing could also be used *against* you if there were ever a data-theft issue. For example, 2 million credit card numbers slip out onto the internet. It gets traced back to the company you did the work for. They say that the data was on the hard drive and they paid you to destroy that data. They have a document where you state that the data can't be recovered once you take possession of the drive. Now they blame the data-theft on you, claiming you didn't adequately destroy the data as per your agreement.

You need to protect yourself from any responsibility FOR the data on the drive - destroyed or not destroyed.

 

[TangoWhiskey]

I like the idea of the document. Instead of "one or several hard drives" as listed in item 1, I'd get specific, and list the HD manufacturer, model, and serial number of the drives I'm being contracted to wipe. If you really want to cover yourself, photograph that info off the drives and keep it with the signed contract in your files, and just like a doctor does with a patient before surgery, verify each drive against your inventory before you "do the deed."

If you don't inventory them, and stay generic, you could still get sued that "it wasn't THAT drive I wanted wiped!! I gave him two drives, I wanted one wiped and one FIXED!"

 

[RJM62]

Keep in mind that such a thing could also be used *against* you if there were ever a data-theft issue. For example, 2 million credit card numbers slip out onto the internet. It gets traced back to the company you did the work for. They say that the data was on the hard drive and they paid you to destroy that data. They have a document where you state that the data can't be recovered once you take possession of the drive. Now they blame the data-theft on you, claiming you didn't adequately destroy the data as per your agreement.

You need to protect yourself from any responsibility FOR the data on the drive - destroyed or not destroyed.

Hmm... Also a good point. Thanks.

Maybe something like, "The data on the drives will be erased using [DoD, NSA, DOE, Gutmann, or whatever other method comes down the pike], which is believed to render the data irrecoverable by any currently known method."

In practice, because many of the drives I get are old and I can't be bothered looking up what encoding method they used, I usually use all 35 passes of the Gutmann / Plumb method -- which even Peter Gutmann thinks is overkill on newer drives that don't use the older encoding.

That's why these documents seem to get so incomprehensible by the time the lawyer gets done with them, I guess.

Thanks

 

[RJM62]

I like the idea of the document. Instead of "one or several hard drives" as listed in item 1, I'd get specific, and list the HD manufacturer, model, and serial number of the drives I'm being contracted to wipe. If you really want to cover yourself, photograph that info off the drives and keep it with the signed contract in your files, and just like a doctor does with a patient before surgery, verify each drive against your inventory before you "do the deed."

If you don't inventory them, and stay generic, you could still get sued that "it wasn't THAT drive I wanted wiped!! I gave him two drives, I wanted one wiped and one FIXED!"

I thought about that. I do keep serial numbers on file and I do include them on the certification letters I send to the clients when the wipe is done. But I usually don't do it until I get back to the office. All I do in the field is put a big red X and the client's name on the drive label. It makes more sense to put the serial number information on the form itself right from the start.

Thanks.

 

[Dave Siciliano]

A lot of people threaten to sue. Few do. Don't mix up an emotional outburst with actuality. I've been in a position many times where folks never did what they first threatened; they were venting. Sometimes, they are mostly mad at a mistake they made, but they blame you (at first).

Written agreements are good, but the number one rule should be to know your customer (it that's possible). Most folks are still reasonable and try to live up to their word.

If it's a high volume, retail business without a lot of repeat customers, the agreement makes more sense. Repetitive work with folks with which you have a good relationship; makes less sense.

If you ever do get through motions and discovery and actually wind up in the courthouse, it's a long, expensive, frustrating process. Most folks don't get very far when they find that out.

Best,

Dave

 

[Doggtyred]

So.. the guy got what he paid for.. and is ****ed..

Gotta love it

 

[RJM62]

Dave, my friend's business is a high-volume storefront. I do almost all my work on the road. I tend not to know these people well because most of my clients on these particular jobs are strangers. Typically they're small business or home users who are replacing their machines, and are looking both to wipe the drives and to get rid of the old boxes. This usually is our first meeting.

I pick up the machines, wipe and dispose of the drives (or return them to the owner for an additional ten bucks), and decide what to do with the machines. Most often I reinstall an OS on a refurb drive, replace whatever else is broken or needful of upgrading, and give the machines away. They're usually too old to be salable, but very welcome by people who can't afford a computer.

I presently am rehabilitating five machines for a nursery school run by a synagogue. (The machines they're presently using are 15 years old.) I'm putting Edubuntu on them because it runs reasonably well on older machines and has hundreds of simple educational games.

Last week I gave away a couple of machines to a senior center, and one to a family I met through a friend. The old folks got Windows XP, the family got a dual-boot XP/Ubuntu machine.

Once in a while, though, I'll get a machine that's perfectly fine except that the user screwed up the OS and "hates the computer" as a result. Those ones I refurbish, reinstall, and resell on Craigs List or eBay. I use the money to help pay for the parts for the ones I give away for free.

I also get old machines from regular clients from time to time, but it's less common. I follow the same basic procedure, except that it's a lot less formal because trust is already there (and because I'm usually the one doing the upgrade and/or migration).

I don't know how much money I make doing these things. If I considered all the time (including refurbishing the machines) that I spend on this, I'm sure I'd be losing money. But it's a mitvah, and I also have lined up some decent clients whose first contact with me came from a secure data deletion job.

Oh, by the way, here's draft 2 of the form.

-Rich

 

[gprellwitz]

Rich,
I just want to thank you publicly for recycling these computers and making them available to those who may not otherwise be able to afford them.

Thanks,
Grant

 

[TMetzinger]

Your lawyer will probably do this, but one of the best "weasel-words" I see in these types of contracts is "in accordance with industry best practices", usually followed by an example. So:

The data on the hard disk will be destroyed using software in accordance with industry best practices, such as those defined in US Gov't Standard XXXX.

might be appropriate.

 

[Henning]

Let's just hope the client understands that he/she would have to make a sworn statement that he/she didn't know the data would really be deleted when contracting to have a hard drive wiped. Some people (but surprisingly, not all) are averse to intentionally making themselves look like idiots, especially on the record.

Now there is some real advice from a lawyer. Make sure that the dude understands you will make them look like a complete idiot and would be willing to go in front of Judge Judy and let her call you an idiot too. But then, people compete to get on Springer! He might like it.... "Just what part of you wanting this disc erased for the fee that you paid me did you not exactly understand would erase your disc? What were you expecting from the term "erase all data" when you used it?"

 

[RJM62]

Rich,
I just want to thank you publicly for recycling these computers and making them available to those who may not otherwise be able to afford them.

Thanks,
Grant

Thanks, Grant. It's pretty rewarding, actually. It's also one of the things that keeps me sane these days, with the economy being slow and there not being as much work to fill my days as there was a few years ago.

Doing the rehabs keeps me busy working on physical machines, which is what I enjoy more. I've been a tinkerer since childhood and originally was trained in hardware electronics. But physical repairs and upgrades aren't as lucrative as they used to be, back when computers cost thousands of dollars and people actually paid people to repair and upgrade them. Nowadays, with respectable new systems available in the $500 - $700 range and a new version of Windows that actually works well, it's harder to sell people on repairs / upgrades.

In fact, the Win7 launch alone has resulted in my having a lot more not-so-old, serviceable PCs under my workbench at one time than is usual. I also have one I'll be picking up later today, one still in the trunk of my car (sans hard drive), another in Scarsdale awaiting the arrival of its replacement, and another sitting eight feet away from me on my "software bench" (basically, a workstation with a bunch of cables running into a KVM switch) getting its hard drive nuked.

The machine on the KVM is actually in great shape and was received from an older lady who simply decided she wanted a new machine with Win7. There was nothing at all wrong with the old one, and in fact I advised her to hold off until Win7 SP1. But she wanted a new toy. The machine has a second hard drive (Seagate 160) that I installed only a couple of months ago for backup purposes, so I'm going to re-use the second drive as the system drive after I wipe it (with her consent). The machine may be salable because it's in good condition and I have all the media. I'll decide once I reinstall the OS.

I expect the holidays will bring even more old machines looking for new homes.

-Rich

 

[RJM62]

Your lawyer will probably do this, but one of the best "weasel-words" I see in these types of contracts is "in accordance with industry best practices", usually followed by an example. So:

The data on the hard disk will be destroyed using software in accordance with industry best practices, such as those defined in US Gov't Standard XXXX.

might be appropriate.

Thanks Tim. I emailed him the drafts and expect he'll get back to me later today.

-Rich

 

[RJM62]

Now there is some real advice from a lawyer. Make sure that the dude understands you will make them look like a complete idiot and would be willing to go in front of Judge Judy and let her call you an idiot too. But then, people compete to get on Springer! He might like it.... "Just what part of you wanting this disc erased for the fee that you paid me did you not exactly understand would erase your disc? What were you expecting from the term "erase all data" when you used it?"

Thanks. My buddy's actually the one who may be sued, and I'm going to stop by his place later. He's fretting. The problem is that he has no paperwork that he can use to prove that the client specifically wanted the drive wiped. He just took the guy's drive and his money and did what he was paid to do, but without any proof that he was paid to do so. Hence my deciding to avoid the same possible fate myself by coming up with a form.

-Rich

 

[Geico266]

Thanks. My buddy's actually the one who may be sued, and I'm going to stop by his place later. He's fretting. The problem is that he has no paperwork that he can use to prove that the client specifically wanted the drive wiped. He just took the guy's drive and his money and did what he was paid to do, but without any proof that he was paid to do so. Hence my deciding to avoid the same possible fate myself by coming up with a form.

-Rich

I don't know how (in today's world) anyone could not have a back up of their computer. If the document he lost was that important he is a fool to have not had Carbonite or similar. I just don't see the liability being on the technition. He did what he was suppose to do and made the drive unrecoverable. Too bad , so sad.

Tell the guy suing if he purses a law suit your buddy has proof that there was (insert bad things here; IE child porn) on the hard drive and he will turn that info over to the cops. I'm sure he would be happy regeristering a child sex offender for the rest of his life.

 

[RJM62]

I don't know how (in today's world) anyone could not have a back up of their computer. If the document he lost was that important he is a fool to have not had Carbonite or similar. I just don't see the liability being on the technition. He did what he was suppose to do and made the drive unrecoverable. Too bad , so sad.

Tell the guy suing if he purses a law suit your buddy has proof that there was (insert bad things here; IE child porn) on the hard drive and he will turn that info over to the cops. I'm sure he would be happy regeristering a child sex offender for the rest of his life.

Ohhh.... that's mean!

 

[DawnW]

Thanks. My buddy's actually the one who may be sued, and I'm going to stop by his place later. He's fretting. The problem is that he has no paperwork that he can use to prove that the client specifically wanted the drive wiped. He just took the guy's drive and his money and did what he was paid to do, but without any proof that he was paid to do so. Hence my deciding to avoid the same possible fate myself by coming up with a form.

-Rich

It works both ways. The other party probably can't prove that he requested anything to be saved, either.

 

[Dave Siciliano]

I don't know how (in today's world) anyone could not have a back up of their computer. If the document he lost was that important he is a fool to have not had Carbonite or similar. I just don't see the liability being on the technition. He did what he was suppose to do and made the drive unrecoverable. Too bad , so sad.

Tell the guy suing if he purses a law suit your buddy has proof that there was (insert bad things here; IE child porn) on the hard drive and he will turn that info over to the cops. I'm sure he would be happy regeristering a child sex offender for the rest of his life.

I sure would hesitate to do that.

I have a friend that owned several businesses. Was wealthy by most people's standards. Caught a receptionist stealing money--she would get the mail and submit checks to the bank. They installed a camera system and cross checks with vendors which lead to the discovery. Had her dead to rights. He tried to prosecute her after letting her go. The DA said it just wasn't worth pursuing. So, my friend went to her Dad, who he know, and told her Dad he was going to pursue her if she didn't pay. The Dad went to an attorney who threatened to file several charges. Now, we get into how the system works: the employee and her Dad didn't have much in the way of assets, the attorney agreed to work on a contingency fee and was well known. My friend had several businesses and significant assets.

His attorney strongly suggested he settle for several reasons: the time and effort it would take away from the business to defend; the cost and the fact that they couldn't win anything if the prevailed. Her termination letter was very nice and he found her working at another near-by place a few weeks later.

Be careful in circumstances where you have a lot to lose and nothing to gain.

Best,

Dave

 

[RJM62]

Here's what the lawyer came up with. Not sure if I like, but I think it'll serve the purpose.

 

[TMetzinger]

Looks like it protects you quite well.

 

[alaskaflyer]

What $damages can he demand in this situation? At most your friend might be out his original fee + cost of the defense. Money talks, BS walks, and who is actually right, fairness of the universe, logic etc. is not relevant...

Edit: I see Dave S hit on this already, from a different direction. The exact story he related above is rampant in retail.

 

[Flyfishingpilot]

...for intentionally wiping a hard drive, at the client's request.

It turns out the client had an important document stashed in some odd location, and forgot to back it up when he gave the PC to my friend for secure data deletion / recycling. Now he wants his document back, and my buddy already wiped the drive -- using the Gutman method, no less. Talk about irrecoverable data.

Unfortunately, he didn't obtain any sort of written document from the client, who now claims he didn't know that the data would really be irrecoverable, and is threatening to sue.

-Rich

So... how will the disk owner prove that his stashed files were on that hard drive in the first place?

 

[RJM62]

So... how will the disk owner prove that his stashed files were on that hard drive in the first place?

I talked to my friend today, and he thinks the guy's bluffing. Also, he was using Mozy.com for backup, but because the file allegedly was stashed somewhere other than the usual folders that are backed up, it never made it.

I think this is going to blow over. But it's been a good lesson. Sometimes we're a bit too trusting.

Also, I think I may adopt a waiting period before erasing drives, advising the client to hold on to the drive for a period of time before I erase it. If they want to get rid of the rest of the machine, I'll take it; but have them store the hard drive themselves for a while. (I'd rather do it that way than lock it in my safe.)

-Rich

 

[RJM62]

Looks like it protects you quite well.

Yeah, I think it does, Tim.

I did find a couple of typos, but I fixed them myself. Now I'm debating whether to let my printer print them up as carbonless NCR forms, or just print them on the laser printer and make them out in duplicate.

-Rich

 

[gkainz]

a full dirlist of the contents, returned to the client, with a "sign here to approve removal of ALL CONTENTS of this hard drive" before the hammer falls ...

 

[Clark1961]

Also, I think I may adopt a waiting period before erasing drives, advising the client to hold on to the drive for a period of time before I erase it. If they want to get rid of the rest of the machine, I'll take it; but have them store the hard drive themselves for a while. (I'd rather do it that way than lock it in my safe.)

From a business perspective, this sounds like a darn good approach. It shows you have the clients best interests at heart and are really giving good service and advise. Of course no one is certain that drive will ever work again after setting for a few months but at least the attempt was made.