Light Dark
April 14, 2021 By Sue Poremba 4 min read
Data Protection

It’s just part of the job: at some point in a device’s lifecycle, data must be destroyed. While deleting files may mean users and apps can’t access them, simple deletion isn’t enough to truly destroy the data. To be most effective, secure data destruction has to be complete. This is especially true when your organization needs to stay compliant with changing local and global data privacy regulations.

What is Data Destruction? It Isn’t Always Common Sense

ZDNet reported 59% of hard drives sold used or refurbished on online marketplaces contained data from the previous owner, including data that had been ‘deleted’ and easily recovered. In some cases, the drive had been reformatted but data was still recoverable.

“The drives contained a wide array of data, from including employment and payroll records, family and holiday photos (along with intimate photos and sexualized content), business documents, visa applications, lists of passwords, passport and driver’s license scans, tax documents, bank statements and lists of students attending senior high schools,” the article reports.

This level of data recovery on retired or re-instituted electronic equipment is never acceptable. However, it is even less so in enterprise settings. This is especially true now that a growing list of data privacy regulations dictates the way organizations approach data storage, transmission, sharing and destruction. You need to know where all your data lives so nothing lingers for a potential breach. In addition, you should conduct an audit to ensure that data is not lingering on third-party systems when it is time for data destruction.

Knowing Your Data

Before you destroy your data, you need to know your data. Where are all of the possible places it lives? In addition, you need to know which pieces of data are the most sensitive for both the organization and customers.

With data privacy laws, consumers have more control over their personal data than organizations do. They get to decide if they want to be forgotten or how they want their data used. You have to be able to oblige. The right to be forgotten is now part of the data destruction process, making it vital that the cybersecurity team knows everywhere data is stored. Don’t forget paper files, virtual formats or individual devices and drives.

Conducting a data audit will provide a clear picture of where your data is and how it is used. You are also responsible for any third party using your data, so the audit can help identify how spread out your information is.

Have a Data Destruction Policy in Place

Even as you destroy data, you are still responsible for protecting it from compromise or theft. Bringing hardware to the end of its lifecycle is just as important as onboarding devices. It requires careful planning and a clear process.

That process begins with any typical data compliance. Some regulations have restrictions on how long you can store data, so your data destruction may need to take place at regular intervals. This can include determination on whether just data is being eliminated or if the hardware is also at end of life.

Create a budget for end-of-life data and hardware. There are tools and software to assist with permanent data deletion and hardware destruction. This is not an area to try to save a few bucks; if the data is recoverable and breached, you will pay the penalty.

Have a team in charge of determining end-of-life for both data and hardware. Additionally, make it clear to employees what the process is. If employees are using personal devices to access company data that is going to be destroyed, their devices will have to be scrubbed. They can’t just hit ‘delete’ and consider it done.

Staying Compliant

Once you know where all sensitive data is and your destruction processes are in place, the next step is to make sure you are following any data privacy compliance laws for your industry and location.

The European Union’s General Data Protection Regulation (GDPR), for example, classifies data destruction as a method of data processing and requires organizations to follow certain steps before destroying anything. Owners of the data have the ultimate say over their data, even when it comes to destruction. Additionally, data on end-of-life devices must be completely erased and not just deleted. Destroy hardware in such a way that it can no longer be used (i.e., magnetic strips removed or devices physically destroyed or shredded).

Most — but not all — states have laws surrounding destruction of data.

According to the National Conference of State Legislatures, “at least 35 states, D.C. and Puerto Rico have enacted laws that require either private or governmental entities or both to destroy, dispose, or otherwise make personal information unreadable or indecipherable.”

Also, the Federal Trade Commission requires any business or individual that uses a consumer report for business purposes must dispose of that data under strict guidelines. Paper records, for instance, must be burned, pulverized or shredded, while electronic files must be erased or destroyed so the consumer data can’t be read nor reconstructed.

Also, industry compliance regulations have their own sets of instructions for how data should be destroyed.

Failure to follow the correct procedures can result in a data breach, which results in financial consequences for the company and puts consumers at risk for identity theft and fraud.

Tools for Data Destruction

If you can afford the equipment, it is safer to keep the destruction process within the company. There are also companies that will outsource data and hardware destruction, but this adds risk of a data breach. You can acquire shredders to destroy hardware, or physically destroy a device with an old-fashioned hammer. Degaussing wipes clean magnetic strips, and degausser machines can be purchased for in-house use.

Data privacy regulations have put heightened attention on consumer information and how it is used — and how it is destroyed. Recognizing that destruction is simply part of the data protection process should keep the data secure through the entire lifecycle and keep your organization compliant.

 

Clients are responsible for ensuring their own compliance with various laws and regulations. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation.

 |  |  | 
Sue Poremba

More from Data Protection
March 27, 2024

3 Strategies to overcome data security challenges in 2024

3 min read - There are over 17 billion internet-connected devices in the world — and experts expect that number will surge to almost 30 billion by 2030.This rapidly growing digital ecosystem makes it increasingly challenging to protect people’s privacy. Attackers only need to be right once to seize databases of personally identifiable information (PII), including payment card information, addresses, phone numbers and Social Security numbers.In addition to the ever-present cybersecurity threats, data security teams must consider the growing list of data compliance laws…

March 12, 2024

How data residency impacts security and compliance

3 min read - Every piece of your organization’s data is stored in a physical location. Even data stored in a cloud environment lives in a physical location on the virtual server. However, the data may not be in the location you expect, especially if your company uses multiple cloud providers. The data you are trying to protect may be stored literally across the world from where you sit right now or even in multiple locations at the same time. And if you don’t…

March 5, 2024

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature