This morning, I took a sledge hammer to the bad disk drive of my old laptop computer. In fact, since I was having too much trouble getting it out of the computer, I trashed the entire motherboard. This made me a little sad, because in fact that old laptop had traveled with me across continents and several 100’s of thousands of miles. But only a fool gets emotional over an inanimate object. What I was actually perturbed by was that I wasn’t going to be able to make a few bucks on E-Bay selling the laptop for its component parts. So, one might ask, why did I trash the thing?

My decision was influenced by a classic “risk/reward ” balancing act. Should I get twenty five or thirty bucks into my Paypal account, or should I take draconian measures in order to ensure my privacy?

The answer to that conundrum was simple: the sure-bet chance of making a few bucks is more than outweighed by the off-chance of losing control over my personal information from data theft. This is the new age of consumer sensitivity to issues surrounding identity theft, and what powerfully came to my mind was a presentation I saw in 2005 by Simson Garfinkel of the Center for Research on Computation and Society at Harvard University. In his presentation, Garfinkel stated that over 210 million disk drives would be “retired ” in that year alone, but that at the same time, about 1000 “used ” disk drives were being sold on E-Bay every single day. According to Garfinkel, this created the potential for data and identity theft, since there are forensic tools readily available that make it relatively easy for hackers to recreate data even from “bad ” disk drives. Of the three methods to ensure that your data isn’t “steal-able ” (encrypting data when it’s stored, clearing the drive before discarding it, or physically destroying the device), physically destroying the drive is the only fool proof way to protect yourself. So I gave the offending disk drive an extra whack for good measure.

I’ve never thought of myself as particularly paranoid. I still use a credit card when paying for dinner in NYC, and so far, I haven’t worried about the waiter storing my Track 2 data on a collection device used to trap such data in order to sell it to the highest bidder. But times have changed, and we’re not just talking about con artists anymore. We’re now talking about organized crime syndicates methodically collecting and then using personal identity data. According to the Privacy Rights Clearinghouse, a non-profit consumer advocacy organization, the dubious milestone of 100 million personal records stolen was reached in December, 2006. And well over 50 million more have been reported so far this year (the most notable being TJX) – and counting.

Companies have a responsibility to their employees and their customers to ensure the privacy and security of personal information that is collected for business purposes. VISA and the other major credit card networks are pushing retailers to comply with a set of commercial standards known as the PCI data security standards. One standard, (9.10) states that companies must “Purge, degauss, shred, or otherwise destroy electronic media so that cardholder data cannot be reconstructed. “Beyond PCI, companies also must comply with HIPAA regulations, including the 2003 Fair and Accurate Credit Transactions Act, which states that anyone retaining consumer information for business purposes must destroy that information before discarding it. Although the focus of the news media has been on large breaches such as the TJX story, stolen laptops are also frequently cited as a common cause of security breaches. And, no one knows how many “used ” disks bought on the open market are the source of identity theft cases.

In the meantime, in July 2007, the U.S. Secret Service announced that it had discovered Eastern European cyber-thieves using TJX customers’ credit card numbers to create counterfeit credit cards. Perhaps it’s time for consumers to get really concerned about this issue. So I used my sledgehammer. I hope it did the trick.