It’s just part of the job: at some point in a device’s lifecycle, data must be destroyed. While deleting files may mean users and apps can’t access them, simple deletion isn’t enough to truly destroy the data. To be most effective, secure data destruction has to be complete. This is especially true when your organization needs to stay compliant with changing local and global data privacy regulations.
What is Data Destruction? It Isn’t Always Common Sense
ZDNet reported 59% of hard drives sold used or refurbished on online marketplaces contained data from the previous owner, including data that had been ‘deleted’ and easily recovered. In some cases, the drive had been reformatted but data was still recoverable.
“The drives contained a wide array of data, from employment and payroll records, family and holiday photos (along with intimate photos and sexualized content), business documents, visa applications, lists of passwords, passport and driver’s license scans, tax documents, bank statements and lists of students attending senior high schools,” the article reports.
This level of data recovery from retired or redeployed electronic equipment is never acceptable, and it is even less so in enterprise settings. This is especially true now that a growing list of data privacy regulations dictates the way organizations approach data storage, transmission, sharing and destruction. You need to know where all your data lives so nothing lingers for a potential breach. In addition, you should conduct an audit to ensure that data is not lingering on third-party systems when it is time for data destruction.
Knowing Your Data
Before you destroy your data, you need to know your data. Where are all of the possible places it lives? In addition, you need to know which pieces of data are the most sensitive for both the organization and customers.
With data privacy laws, consumers have more control over their personal data than organizations do. They get to decide if they want to be forgotten or how they want their data used. You have to be able to oblige. The right to be forgotten is now part of the data destruction process, making it vital that the cybersecurity team knows everywhere data is stored. Don’t forget paper files, virtual formats or individual devices and drives.
Conducting a data audit will provide a clear picture of where your data is and how it is used. You are also responsible for any third party using your data, so the audit can help identify how spread out your information is.
Have a Data Destruction Policy in Place
Even as you destroy data, you are still responsible for protecting it from compromise or theft. Bringing hardware to the end of its lifecycle is just as important as onboarding devices. It requires careful planning and a clear process.
That process begins with the data compliance requirements you already follow. Some regulations have restrictions on how long you can store data, so your data destruction may need to take place at regular intervals. Planning can also include determining whether only the data is being eliminated or whether the hardware is also at end of life.
Create a budget for end-of-life data and hardware. There are tools and software to assist with permanent data deletion and hardware destruction. This is not an area to try to save a few bucks; if the data is recoverable and breached, you will pay the penalty.
Have a team in charge of determining end-of-life for both data and hardware. Additionally, make it clear to employees what the process is. If employees are using personal devices to access company data that is going to be destroyed, their devices will have to be scrubbed. They can’t just hit ‘delete’ and consider it done.
Once you know where all sensitive data is and your destruction processes are in place, the next step is to make sure you are following any data privacy compliance laws for your industry and location.
The European Union’s General Data Protection Regulation (GDPR), for example, classifies data destruction as a method of data processing and requires organizations to follow certain steps before destroying anything. Owners of the data have the ultimate say over their data, even when it comes to destruction. Additionally, data on end-of-life devices must be completely erased and not just deleted. Destroy hardware in such a way that it can no longer be used (i.e., magnetic strips removed or devices physically destroyed or shredded).
Most — but not all — states have laws surrounding destruction of data.
According to the National Conference of State Legislatures, “at least 35 states, D.C. and Puerto Rico have enacted laws that require either private or governmental entities or both to destroy, dispose, or otherwise make personal information unreadable or indecipherable.”
Also, the Federal Trade Commission requires any business or individual that uses a consumer report for business purposes to dispose of that data under strict guidelines. Paper records, for instance, must be burned, pulverized or shredded, while electronic files must be erased or destroyed so the consumer data can’t be read or reconstructed.
Also, industry compliance regulations have their own sets of instructions for how data should be destroyed.
Failure to follow the correct procedures can result in a data breach, which results in financial consequences for the company and puts consumers at risk for identity theft and fraud.
Tools for Data Destruction
If you can afford the equipment, it is safer to keep the destruction process within the company. There are also companies to which you can outsource data and hardware destruction, but this adds risk of a data breach. You can acquire shredders to destroy hardware, or physically destroy a device with an old-fashioned hammer. Degaussing wipes magnetic strips clean, and degausser machines can be purchased for in-house use.
Data privacy regulations have put heightened attention on consumer information and how it is used — and how it is destroyed. Recognizing that destruction is simply part of the data protection process should keep the data secure through the entire lifecycle and keep your organization compliant.