
Proper hard drive destruction is crucial for maintaining data security and privacy in our increasingly digital world. When computers and storage devices are discarded or repurposed, the data stored on them can still be recovered if not properly destroyed. This poses a significant risk of sensitive information falling into the wrong hands, leading to identity theft, breaches of confidential business information, or the disclosure of personal data.

The cost of failure can be enormous. In 2021, Morgan Stanley agreed to a settlement of $60 million for failing to protect customer data stored on decommissioned IT equipment. And that doesn’t even include the class action lawsuit, lost revenue, and reputational damage.

The Risks of Inadequate Hard Drive Destruction

Effective hard drive destruction methods, such as shredding, degaussing, or using specialized software to securely erase data, ensure that any sensitive or confidential information is permanently and irretrievably destroyed.

If you fail to take proper steps to destroy your decommissioned hard drives, that data could fall into the wrong hands. That’s a far more common scenario than most people might think.

In a 2017 study by NAID, investigators analyzed over 250 second-hand tech devices. Using widely available tools, they were able to retrieve sensitive information from 40% of those devices, including credit card information, usernames and passwords, company and personal data, tax details, and more.

Data breaches impact businesses in a number of different ways:

  • Loss of trust: When customers learn that their data may have been compromised, it undermines their trust in your company. They may reduce their use of your organization’s digital services, leading to higher costs for you. In many cases, they’ll simply move their business to your competitor.
  • Negative publicity: News travels fast in today’s information-obsessed society. That’s especially true in the age of social media, where unhappy customers can readily express their outrage to the whole world. Companies that don’t proactively protect customer data are more likely than ever to feel the heat of bad publicity.
  • Legal action: Numerous data breaches have resulted in class action lawsuits, investor lawsuits, and multistate settlements. Costs can run into the tens of millions of dollars. In addition, protracted suits tend to perpetuate the bad publicity surrounding a data breach, prolonging the reputational damage.
  • Regulatory penalties: Government regulators are increasingly focused on data security as well. Depending on the industry in which you operate, you may be subject to various regulatory guidelines, including HIPAA, GLBA, GDPR, CCPA, and more.

Notable Cases of Improper Hard Drive Destruction

Unfortunately, there are plenty of examples of companies that simply did not properly destroy hard drives containing sensitive or confidential information.

When Morgan Stanley decommissioned some of its IT equipment in 2016 and 2019, it entrusted the equipment to a disposal firm that was supposed to destroy all of the data it contained. Unfortunately, the firm sold the equipment without properly destroying the hard drives. An astute buyer who had acquired some of Morgan Stanley’s old equipment on eBay noticed that the hard drives still contained customer data. The buyer reported it to authorities and a full investigation ensued. That stirred up some very bad publicity, prompted a class action lawsuit, and ultimately ended up costing the company $60 million in fines.

A few years before the Morgan Stanley fiasco, a similar incident happened in the healthcare industry. Affinity Health Plan had leased some copiers and returned them to the lessor without first destroying the data on their hard drives. Those machines contained sensitive health information, the exposure of which constituted a violation of the Health Insurance Portability and Accountability Act (HIPAA). The fine in that case was $1.2 million.

There are even cases in which sensitive trade secrets were leaked because of improper disposal of electronic equipment. The most notable of these is Apple, which on several occasions has allowed prototype devices to end up in the hands of individuals outside the company. That has resulted in the unauthorized disclosure of device specifications, software features, and new technology that Apple was planning to introduce.

In 2010, an Apple employee lost an iPhone 4 prototype, which was sold to a technology blog soon thereafter. Although this wasn’t a data breach in the usual sense of the word, the incident highlighted the risks associated with physical prototypes and the importance of secure handling and destruction of proprietary information.

Lessons Learned from Real-Life Cases

What’s the solution to all these problems? IT asset disposition companies (ITAD companies, for short) follow a body of best practices for collecting, transporting, and destroying unwanted IT equipment. The best ITAD services companies also follow rigorous standards for environmental sustainability, repurposing or recycling e-waste to the greatest extent possible.

There are a handful of widely recognized certifications and memberships that attest that an ITAD provider adheres to industry-standard processes and guidelines. These include several distinct ISO standards, e-Stewards, Ecovadis, and NAID.

Employee training and awareness are also critical for preventing data breaches. If an old phone or laptop ends up in the wrong hands, it can lead to severe negative consequences. Imagine that a branch office manager discovers a handful of old computers in a storage closet. Since they’re no longer of any use to your company, he decides to donate them to a local charity, thinking that he’s doing the right thing. Unfortunately, that could lead to some of the problems we described earlier. Train your employees to understand the implications of improper IT asset disposal.

It’s also important to document your data destruction policies and procedures clearly, so that employees at all levels of the organization understand both the reasons for secure data destruction and the affirmative steps required to safeguard your data.

Preventative Measures for Secure Hard Drive Destruction

Regardless of your company size, it’s important to invest in secure data destruction technologies and methods. Partner with a reputable ITAD service provider who will take the time to understand your unique needs and offer personalized service for your organization.

Look for an ITAD company with independent certifications attesting to the quality of its services, and ask for customer references. It’s also important to work with a company that offers end-to-end auditability, supported by GPS tracking, video surveillance, tamper-evident seals, and more. Your ITAD provider must be prepared to give you detailed reports about the entire process, as well as sustainability reports that document its use of environmentally responsible practices.

Take time to periodically review and update your data security policies and data destruction practices. We recommend doing so at least once a year.

Conclusion

The real-life consequences of improper hard drive destruction underscore the critical importance of secure data management. High-profile cases, such as Morgan Stanley, Affinity Health Plan, and Apple, highlight the financial, legal, and reputational risks involved. These incidents illustrate the necessity of robust IT asset disposition (ITAD) practices, including secure data destruction methods like shredding, degaussing, or software-based erasure.

The Morgan Stanley case, in particular, emphasizes the importance of working with a reputable and auditable ITAD provider with strong industry certifications. Want to learn more? Contact one of our data destruction specialists at NCS Global.

Erase Doubts. Not Just Data.
