
What happens to your data when you decommission your IT assets? If you don’t know the answer to that question, your organization may be at substantial risk of exposing confidential customer data, employee information, financial details, trade secrets, and more.

In 2017, NAID conducted an experiment, analyzing over 250 second-hand tech devices, including hard drives, tablets, and smartphones. Using widely available tools, they retrieved sensitive information from 40% of those devices, including credit card information, contact information, usernames and passwords, company and personal data, tax details, and more.

It’s worth noting that NAID didn’t repair or modify any of the devices, and they didn’t use highly specialized tools. One of the project’s leaders put it this way: “a five-year-old with some free software off of the web could have done it.”

What is Secure Data Destruction?

Secure data destruction is a process designed to ensure that sensitive or confidential information is completely and irreversibly destroyed. This is crucial when disposing of old storage devices or when data is no longer needed, to prevent unauthorized access or data breaches.

When you delete a file using the delete key or a menu command, you’re not actually removing the data from your computer’s hard drive. Instead, the system marks the space occupied by that file as available for reuse. The actual data remains intact until that space is used to store new information.

Secure data destruction, in contrast, makes data recovery impossible. Methods for accomplishing this include physical destruction, degaussing, and software-based wiping. When performed properly, the process is irreversible, ensuring that unauthorized parties will never be able to access the data.

Why is Secure Data Destruction Necessary?

Hackers can hold your data for ransom, threatening to disclose sensitive information contained on your decommissioned devices. They can also use stolen credentials to access your systems, install ransomware, and inflict even greater damage. In one recent case, a gang of cybercriminals even filed a formal complaint with the SEC after their victims failed to voluntarily disclose the data breach to authorities.

Very often, companies may not even be aware that their devices contain sensitive data. Consider the case of Affinity Health Plan, which was required to pay over $1.2 million for HIPAA violations. The company returned multiple photocopiers at the end of their lease, failing to first destroy the data contained on the copiers’ hard drives.

Numerous industries are subject to the kind of regulatory oversight that could lead to such penalties, including financial services, healthcare, education, defense, and others. Many regions and sectors have strict regulations governing data protection, such as GDPR in the European Union and CCPA in California. Public companies in the United States are subject to stringent SEC regulations as well.

Non-compliance due to improper data destruction can lead to legal actions, hefty fines, and sanctions, not to mention reputational damage.


Methods of Secure Data Destruction

It’s important, therefore, to implement a comprehensive strategy for IT asset disposal that includes provisions for secure data destruction.

Popular methods of secure data destruction include:

  • Physical destruction entails destroying storage devices such as hard drives or USB drives using a high-pressure shredder, making data recovery impossible. This is most appropriate for high-security environments, or where regulations require it.  
  • Degaussing exposes storage media to very strong magnetic fields, erasing all of the data stored on the device. It provides rapid results and is suitable for environments with stringent security requirements.
  • Digital erasure securely overwrites and erases the data on any drive, making it impossible to recover the original information. It is suitable for organizations with strict security requirements, but is more environmentally friendly than techniques like physical destruction. Digital erasure using proprietary tools like NCS Global’s EcoErase is the best option for most corporate clients, and is suitable for routine data sanitization and disposal.

Best Practices in Secure Data Destruction

Every organization should include secure data destruction as part of its information security policies. Develop a records retention strategy, and follow up to make sure it’s being applied consistently.

Your secure data destruction policies should cover the disposition process for all IT assets, from USB thumb drives to photocopiers and servers. Determine which industry standards, government regulations, and contractual requirements apply to your organization, then choose a secure data destruction method that addresses those needs.

Document your data destruction processes, and include measures for validating them. The best IT asset disposition (ITAD) vendors will provide detailed, fully auditable records detailing the chain-of-custody. By tracking every movement of your unwanted assets, from the moment they leave your facility to the time that your data is destroyed, you can be assured that sensitive information will not fall into the wrong hands.
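To make the difference between deleting and digital erasure concrete, and to show one form a validation measure can take, here is an added example (not code from NCS Global or any erasure product). It works on a constructed file-backed disk image; the block size, the toy file table, and the sample record are all assumptions made for illustration.

```python
import os
import tempfile

BLOCK = 4096  # assumed block size for this sketch

def find_residue(image_path, needle):
    """Byte offsets where `needle` still appears anywhere in the raw image."""
    hits, offset, tail = [], 0, b""
    with open(image_path, "rb") as img:
        while chunk := img.read(BLOCK):
            window, start = tail + chunk, 0
            while (i := window.find(needle, start)) != -1:
                hits.append(offset - len(tail) + i)
                start = i + 1
            # Keep an overlap so a match spanning two blocks is not missed.
            tail = window[len(window) - min(len(window), len(needle) - 1):]
            offset += len(chunk)
    return hits

def overwrite_and_verify(image_path, fill=b"\x00"):
    """Overwrite every block, force it to storage, read back; return bad block indexes."""
    size = os.path.getsize(image_path)
    with open(image_path, "r+b") as img:
        for pos in range(0, size, BLOCK):
            img.write(fill * min(BLOCK, size - pos))
        img.flush()
        os.fsync(img.fileno())
    with open(image_path, "rb") as img:
        return [n for n, pos in enumerate(range(0, size, BLOCK))
                if img.read(BLOCK) != fill * min(BLOCK, size - pos)]

def demo():
    """Delete a record from a constructed image, then erase and validate it."""
    secret = b"acct=CONSTRUCTED-0001;pin=0000"  # constructed sample record
    index = {"customers.csv": 3}  # toy file table: name -> starting block
    with tempfile.NamedTemporaryFile(delete=False) as f:
        f.write(b"\x00" * BLOCK * 8)
    try:
        with open(f.name, "r+b") as img:
            img.seek(index["customers.csv"] * BLOCK + BLOCK - 10)  # straddles blocks 3 and 4
            img.write(secret)
        del index["customers.csv"]  # "delete": only the pointer goes, the bytes stay
        after_delete = find_residue(f.name, secret)
        bad_blocks = overwrite_and_verify(f.name)
        after_wipe = find_residue(f.name, secret)
        return after_delete, bad_blocks, after_wipe
    finally:
        os.remove(f.name)

if __name__ == "__main__": print(demo())
```

A clean result here only covers blocks reachable through the logical address space; flash media can keep remapped copies outside it, so a read-back check of this kind is one validation measure rather than proof of sanitization on every device type.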

The Role of Professional Data Destruction Services

It’s also critically important that you work with a vendor who has deep expertise in secure data destruction and proper IT asset disposition.

In 2022, Morgan Stanley was fined $35 million for failing to ensure the proper disposal of hard drives containing personally identifiable information. One point of failure was Morgan Stanley’s reliance on a moving and storage company to handle the decommissioning of its hard drives. That company had no expertise in secure data destruction. Although they had promised to partner with a firm specializing in data destruction, the moving company ultimately sold Morgan Stanley’s hard drives to various third parties, compromising the personally identifiable information of around 15 million customers.

IT asset disposition (ITAD) is a specialized function, and secure data destruction is a core competency within that domain. Look for an ITAD services company with certifications like NAID, e-Stewards, and ISO 9001. Ask if they provide certificates of destruction that include serial numbers, types of media destroyed, and the method of data destruction. Look for an organization that enforces strict security policies and maintains an audit trail for all IT assets.

Future Trends in Data Security and Destruction

As regulators and consumers focus greater attention on data security and sustainability, we are likely to see even stricter standards and stiffer penalties in the future. The move toward environmental sustainability is prompting more and more companies to opt for greener methods of IT asset disposal.

Technology innovation will improve the economic viability of recycling e-waste, delivering a dual benefit to both the environment and the bottom line.

Secure data destruction can no longer be an afterthought. In our highly connected world, safeguarding information is a critical element of the IT asset disposition process. The best ITAD services companies offer a range of data destruction methods, with systems and processes to guarantee and certify results.

The time to develop a sound data destruction strategy is now. By preparing an IT asset disposition plan in advance, you can ensure that your sensitive data will remain secure.

Interested in learning more? Contact our expert team at NCS Global to discuss your needs.