Is data destruction and verification mandatory in your IT asset management activities? If it’s not, it should be. Failing to destroy data before retiring digital assets is a major data security breach—the fallout of which could severely damage your reputation and cost you dearly. If the data loss is bad enough, the cost to set the data security breach right could put you out of business.
If you’re a financial firm or a healthcare organization, you have an added incentive to destroy data when retiring an asset: It’s the law. Failure to comply with the laws governing this type of data security breach can result in not only huge fines and legal bills but also jail time for the violator’s executives. Put another way, it’s a data security nightmare you don’t want to have.
A good example of these laws in the U.S. is the Health Insurance Portability and Accountability Act (HIPAA). Its Security Rule requires covered entities to remove electronic protected health information from storage media before that media is disposed of or reused. Failure to adhere to this federal law carries great risk, including possible jail time, according to The Legal Risks of Data Loss in the United States, a white paper commissioned by Becrypt and written by Robinson Cole, LLP.
A Lax Approach to Data Destruction
Despite the potential fallout from data security breaches, many companies take a lax approach to data destruction when discarding assets, carelessly exposing themselves to a mountain of trouble. That’s because few companies consider it a necessary step in their IT asset management activities or put safeguards in their IT asset management plans to guarantee that data is actually destroyed.
Let’s be clear: Destroying data is an IT asset management imperative. You ignore it at your peril.
Here’s what Paul Henry, a data security consultant at Blancco Technology Group says in an article about companies that are lax about destroying data: “If they fail to obtain verification that all data has been removed permanently, it’s simply irresponsible and can cause serious financial, legal, and reputational damage.”
One way to make data destruction a priority at your company is to make it a mandatory step in your IT asset management plan, a step your company must take religiously before it retires, discards, or sells any electronic asset, regardless of the kind of asset: desktop, laptop, mobile phone, or printer. Employees who skip it should face a stiff penalty.
No Shortage of Data Security Horror Stories
How bad can the fallout from data loss be? It can be devastating. There’s no shortage of data security horror stories in business that provide a good example of the impact data loss brings to reputable companies.
Take J.P. Morgan Chase’s recent experience. A cyber attack on the financial giant compromised contact data for more than 76 million households and 7 million small businesses, making it among the largest data security intrusions ever. (That breach came through a network intrusion rather than a discarded asset, but the cost of losing control of data is the same whichever way it leaves.)
It was also among the costliest. Experts say the cost to J.P. Morgan to clean up the mess was staggering. One news article put the cost at about USD $12.782 billion. The costs included J.P. Morgan’s commitment to spending more than USD $250 million yearly to improve data security.
The question is: Could your company withstand a financial hit like the one J.P. Morgan took, never mind the hit to its public image?
Probably not. Even a small financial and/or public relations hit due to data loss could derail a company. So don’t ignore this step when it comes to IT asset management activities.
Destroying Data on Mobile Devices
Data is stored on any electronic device with non-volatile memory, including fax machines and printers, as well as on devices with removable media, such as digital cameras. Mobile devices seem particularly prone to being retired or discarded without their data being destroyed.
A recent study by Kroll Ontrack and Blancco Technology Group, for example, found that 35 percent of the mobile devices it examined as part of its research had residual data on them, including emails, texts, and instant messages.
Researchers bought these mobile devices on eBay, Amazon.com, and Gazelle. After buying them, they retrieved more than 2,150 emails and 10,838 texts, SMS and instant messages. Odds are the companies retiring these assets didn’t have an IT asset management plan with mandatory data destruction guidelines and verification protocols.
Here’s the scary part: Anyone with the right tools, even a cheap data recovery program, can easily obtain data from your retired asset, including files you’ve deleted. That’s because deleting a file doesn’t physically erase it: the operating system removes the directory entry and marks the space as free, and the old bytes stay on the medium until something else overwrites them. (On SSDs the drive may eventually discard blocks the filesystem has marked free, but you cannot rely on when, or whether, that happens.)
Developing Guidelines for an IT Asset Management Plan
The study cited above also found that many businesses don’t fully understand the data destruction (media sanitization) methods available to them. Below is a short primer on the topic, something to keep in mind when developing data destruction guidelines for your IT asset management plan.
The National Institute of Standards and Technology (PDF: NIST Special Publication 800-88, Guidelines for Media Sanitization) defines three levels of sanitization. They apply to all storage media, but hard drives are the most common case.
- Clearing data from a hard drive— This method requires you to overwrite the entire drive with new data so that the old data is no longer readable through the drive’s normal interface. NIST considers a single overwrite pass sufficient for modern magnetic drives. Clearing isn’t foolproof: it protects against simple recovery tools, not against a lab with specialized equipment and highly trained technicians, and on flash-based media (SSDs, phones, USB sticks) an overwrite may never reach spare or remapped blocks at all.
- Purging data from a hard drive — This method removes the data at a lower level, using the drive’s own controller: an ATA Secure Erase or NVMe sanitize command, or a cryptographic erase on a self-encrypting drive that destroys the key. Alternatively, you can “degauss” a magnetic drive by placing it in a machine that generates a strong magnetic field. Degaussing makes recovery infeasible even in a lab, but it only works on magnetic media (it does nothing to an SSD) and it leaves the drive unusable.
- Destroying a hard drive — Physically destroying a hard drive is the third method. You can accomplish this in a variety of ways: disintegration, incineration, pulverizing, shredding, and melting. This data security method is effective, but it prevents you from reselling the electronic asset.
Each method has its advantages and disadvantages. For example, you can clear data from a hard drive using a program called Darik’s Boot and Nuke (DBAN). But clearing a large drive with DBAN often takes hours or days, DBAN has not been updated in years, and, because it only overwrites, it is not a sound choice for SSDs. Whichever method you choose, verify the result afterward (read the media back, or obtain the drive’s sanitize log) rather than trusting that the tool finished. Make sure you know the pros and cons of each data destruction method before choosing one.
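The following is an added example, not code from the original article or from NIST, showing what the “clear” level looks like in practice together with the verification the article insists on. It uses a constructed temporary file as a stand-in for a block device (the constructed “patient record” inside it is fake), so it runs without root; the function names, the one-pass zero pattern, and the certificate format are this example’s own choices. It also illustrates the earlier point about deleted data: the record is trivially recoverable by a raw scan right up until the overwrite.

```python
"""Added example: NIST SP 800-88 "Clear" by overwrite, with full read-back verification.

A temporary file stands in for a block device so this runs unprivileged.
Caveats (also in NIST SP 800-88): overwriting a single file does not touch
the rest of the disk, and on SSDs/flash the controller may keep copies in
spare blocks the host cannot address, so use the drive's own sanitize
command (ATA Secure Erase / NVMe sanitize / crypto erase) for those.
"""
import hashlib
import os
import tempfile

BLOCK = 1 << 20  # 1 MiB read/write granularity


def fill_pattern(pattern: bytes, pos: int, n: int) -> bytes:
    """Return n bytes of the repeating overwrite pattern as it should appear
    starting at medium offset pos (keeps multi-byte patterns aligned)."""
    shift = pos % len(pattern)
    return (pattern * (n // len(pattern) + 2))[shift:shift + n]


def find_marker(device: str, marker: bytes) -> bool:
    """Crude 'recovery' test: does the raw medium still contain marker anywhere?
    Carries the last len(marker)-1 bytes across chunk boundaries."""
    tail = b""
    with open(device, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK)
            if not chunk:
                return False
            if marker in tail + chunk:
                return True
            tail = chunk[-(len(marker) - 1):] if len(marker) > 1 else b""


def clear_medium(device: str, pattern: bytes = b"\x00") -> int:
    """Overwrite every byte of the medium once with pattern; returns bytes written.
    Size comes from lseek so the same code works on a regular file or /dev/sdX."""
    fd = os.open(device, os.O_WRONLY)
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        os.lseek(fd, 0, os.SEEK_SET)
        written = 0
        while written < size:
            n = min(BLOCK, size - written)
            written += os.write(fd, fill_pattern(pattern, written, n))  # handles short writes
        os.fsync(fd)  # force data out of the page cache onto the medium
    finally:
        os.close(fd)
    return written


def verify_cleared(device: str, pattern: bytes = b"\x00") -> bool:
    """Full read-back: every byte must equal the pattern. Sampling a few blocks is
    cheaper but would miss firmware that silently dropped part of the write."""
    pos = 0
    with open(device, "rb") as fh:
        while True:
            chunk = fh.read(BLOCK)
            if not chunk:
                return True
            if chunk != fill_pattern(pattern, pos, len(chunk)):
                return False
            pos += len(chunk)


def clear_and_certify(device: str, pattern: bytes = b"\x00") -> dict:
    """Clear, verify, and return a record suitable for a destruction log."""
    written = clear_medium(device, pattern)
    verified = verify_cleared(device, pattern)
    digest = hashlib.sha256()
    with open(device, "rb") as fh:
        for chunk in iter(lambda: fh.read(BLOCK), b""):
            digest.update(chunk)
    return {"device": device, "bytes": written, "method": "NIST 800-88 Clear, 1-pass overwrite",
            "verified": verified, "sha256_after": digest.hexdigest()}


def demo() -> dict:
    """Constructed sample medium: random filler with a fake patient record in it."""
    marker = b"PATIENT: Jane Doe, MRN 000000, Dx: constructed sample"  # not real data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(BLOCK) + marker + os.urandom(2 * BLOCK))
        path = tmp.name
    try:
        recoverable_before = find_marker(path, marker)  # True: "deleted" data is still there
        cert = clear_and_certify(path)
        recoverable_after = find_marker(path, marker)   # False after a verified overwrite
    finally:
        os.unlink(path)
    cert["marker_recoverable_before"] = recoverable_before
    cert["marker_recoverable_after"] = recoverable_after
    return cert


if __name__ == "__main__":
    print(demo())
```

Run it as-is to see the certificate dictionary; to use it on real hardware, point `clear_and_certify` at the block device (not a partition or file on it) and keep the returned record, together with the drive serial number, as your verification evidence.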
If you’re not comfortable destroying data yourself, you can always turn the job over to professional firms that specialize in destroying data. Firms like Sims Recycling Solution, Securis, and Iron Mountain can help you with your data destruction needs. Using one of these firms is worth the cost, but insist on a certificate of destruction that lists each asset by serial number, and keep it with your asset records: that certificate is your verification.
Data destruction and verification is a critical data security step when disposing of electronic assets. Make it a mandatory step in any IT asset management plan you develop. Failing to clear data from an asset risks millions in fines, penalties, and legal fees. The fallout could even put you out of business or cost you some jail time.
A good first step in developing data destruction guidelines for your IT asset management plan is to read the NIST publication mentioned above and then go from there. Choose the method that best suits your needs and your media, or hire a firm to destroy the data for you. Either way, verify that the destruction actually took place. Doing so will save you from a data security nightmare you don’t want to have.