Does Your Asset Disposal Policy Rely on Luck?


Every high-profile data breach is a reminder of the importance of information protection. An organization’s information is one of its most valuable assets. Both paper and digital records must be protected from careless loss and from internal and external theft. The Identity Theft Resource Center has been identifying breaches since 2005. In 2022, there were 1,802 data compromises reported, which is the second-highest number reported in a single year. Your asset disposal policy should not rely on luck.

Back in 2005, virtually all breaches involved paper records, lost or stolen laptops, or data tapes lost in the mail. In 2022, cyberattacks were responsible for 90% of all data breaches. But there was a notable breach from devices that still contained data when they were retired. It was just settled in the fall of 2022. You don’t want your organization to be one of the 10%! That breach was not the result of bad luck but of one of the most “astonishing security mistakes” in the disposal of end-of-life electronics. Here are some lessons.

“Morgan Stanley to Pay $35M After Hard Drives with 15M Customers’ Personal Data Turn Up in Auction”

What Happened?

Outsourcing the decommissioning of surplus and obsolete electronic devices is recommended practice. There are several excellent reasons to “leave it to the experts.” Information Technology Asset Disposal (ITAD) companies are specialists in decommissioning and retiring technology that potentially contains personally identifiable information (PII), patient health information (PHI), and proprietary information – anything you would not want an unauthorized entity to get hold of. Reputable ITAD firms…

  • Are capable of sanitizing a large number of devices at one time, saving you time and money
  • Can verify that the wipe or sanitization is complete and successful, giving you peace of mind
  • Maintain the equipment to thoroughly destroy any units that fail the wiping process
  • Possess a deep knowledge of the market that facilitates resale vs. simple scrap value, providing you a better return on your investment.

So What Went Wrong?

Morgan Stanley Smith Barney (now Morgan Stanley Wealth Management) was moving out of several locations in 2016 and 2019 and hired a moving and storage company, allegedly in order to save money. The contract required that the data be destroyed on all devices, but the moving company had no background in ITAD. They initially subcontracted an IT firm to wipe the drives, but the business relationship went sour. The mover then started selling the storage devices to another firm, which auctioned them online without erasing them. Whatever agreement the two third parties had with each other did not contain the secure destruction protocol that was in the contract between Morgan Stanley and the moving company.

Trust But Verify

It is critical that you thoroughly vet your third-party vendors. Every data protection law holds the client responsible for ensuring their data destruction provider meets regulatory requirements and security standards. You can outsource the service, but you cannot outsource the responsibility. In the unfortunate event that a breach occurs, your documented due diligence will make a difference. At a bare minimum:

  • Ask about their hiring protocols and continuous security awareness training
  • Visit their facility
  • Inquire about THEIR downstream vendors
  • Review contract language and make sure any third-party downstream vendors meet the same criteria as the primary contractor
  • Be wary of advice to encrypt the data and destroy the decryption key. Perhaps the technology of tomorrow will make the security measures of today useless. In 1994, a computer scientist demonstrated that quantum computers could break most of the encryption that protects transactions on the internet. Who knows what the future holds?

With your reputation at stake and large financial penalties being levied, you can’t let your asset disposal policy rely on luck. You must have a clear and concise policy that communicates your rules and expectations to every employee.

Have a Written Data Destruction Policy That Includes Your Electronic Storage Devices

Put your policy in writing. Every data protection law on the books requires that information destruction policies and procedures be provided in writing.

Communicate your policy before employees are exposed to sensitive information. Review it during the on-boarding process and make it part of your new-hire packet.

Inform them of your records retention policy so they know when it’s time to dispose of the various types of information.

Describe the appropriate method of disposition for each type of media. For paper, this may be shredding; for hard drives, it may be physical destruction, degaussing, or sanitization; and for micro media, it may be incineration.

Review your policies and procedures periodically, updating them as necessary. For instance, as solid-state devices become more prevalent, you may need to include them and the proper method of destruction for them.

“Other businesses must use this case as an example of why it is critical to have processes in place on how to properly dispose of IT equipment. IT systems hold confidential information, so working with a trusted provider that can destroy data without putting it at risk is essential,” according to Jordan Schroeder, managing CISO at Barrier Networks.

Don’t rely on luck. You need a trusted ITAD provider, whether you’re a global financial institution, a regional bank or a local nursing home. Contact EVR for safe, reliable information technology disposition.

  • This article is not intended to represent legal advice. Contact legal representation to ensure you are following current legal requirements in your area.