Seek and Destroy: Steer Clear of These Data Destruction Gotchas
Secure data destruction is essential to your enterprise. But are you doing it correctly? Here’s how to avoid the three most common oversights and mistakes in data destruction policies and procedures.
FAST FACT: Fully 83% of consumers believe organizations that fail to protect their personal information are “untrustworthy,” and 63% say companies should compensate customers in some way after a data breach, according to a June 2012 report by Ponemon Institute and Experian.
DID YOU KNOW? More than 11.6 million U.S. adults were victims of identity theft in 2011, an increase of 13% from 2010, according to Javelin Strategy & Research’s 2012 Identity Fraud Report.
An enterprising “entrepreneur” of sorts who delights in Dumpster diving finds a discarded computer in the trash behind your office complex. In it is a long-forgotten CD containing thousands of customer credit card numbers. He’s off to the races with a new identity theft project that will affect the financial well-being of households worldwide, thanks to a negligent (albeit unintentional) misstep.
Such a data destruction gotcha isn’t the stuff of dramatic TV shows: If your company simply tossed such data in the garbage along with old takeout menus and coffee grounds, it could suffer irreparable damage to its reputation—as well as become the subject of lawsuits, fines and even criminal sanctions. Scary thought, right?
The fact is, your firm must protect all of the private customer data and other sensitive records it holds—even after the information’s shelf life has expired. To avoid being snared in a data breach, you and your team must understand that secure media destruction is not as simple as throwing out the trash.
Admitting Your Data Management Shortcomings
The bad news: Data destruction gotchas that lead to huge headaches or financial losses are common. The good news: They’re completely avoidable. All it takes is foresight and follow-through.
The first step to solving a problem is realizing that you have one. If you answer yes to any of these questions, it’s time to implement a new data destruction plan:
1. Do you lack a comprehensive information destruction policy?
Many types of information that companies collect have an expiration date. But only 20 percent of business technology professionals say their company has a policy for electronic data disposal that they stick to, according to a 2011 InformationWeek survey. That leaves a lot of room for potentially scary data-disposal improvisation.
The starting point of any workable and defensible data-destruction strategy is to formulate a plan identifying when, where and how certain kinds of data should shuffle off this mortal coil. That strategy should encompass the proper disposal of electronic media, as well as x-rays or other digital images.
Your team also needs the right tools to monitor whether your strategy is effective in practice. Otherwise, you’re at the same risk of suffering financial losses or being noncompliant with data privacy and security regulations (see below) as if you had done nothing at all. If your organization doesn’t have the time or expertise to effectively design and implement a media-destruction program, look to a partner for help.
2. Are you breaching data-handling laws and/or regulations?
Numerous federal and state laws regulate data destruction in certain industries or among businesses of any type that deal with personal data. Laws that cover data destruction include the Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX). In addition, the Federal Trade Commission has many general and industry-specific rules covering privacy and security.
It’s simple: If you’re not familiar with the rules that apply to your business, get acquainted with them—as soon as possible. A good place to start is your state’s Office of the Attorney General. Its team can help you identify how state regulations differ from federal ones and guide you toward complete compliance.
3. Do you think your garbage is not interesting?
That tired old saying—one man’s trash is another man’s treasure—has endured for a reason. It’s hard to know just which aspects of your corporate garbage will most appeal to wrongdoers. That’s why it’s essential to avoid the guesswork and institute a comprehensive data disposal system. This step is critical to your firm’s information security.
As you set out to satisfy this goal, enlist a partner that specializes in disposing of documents and media. For decommissioned media such as backup tapes or hard drives, look for services certified by e-Stewards®, an international program that sets environmental standards for recyclers. If you’re shredding paper documents, make sure your partner is certified by the National Association of Information Destruction (NAID), which sets standards for operational security, employee screening and other procedures.
It’s critical for your business to maintain a well-conceived and closely followed data destruction program. With smart planning and diligent monitoring—and the help of a trusted partner—your old data can go quietly into that good night.
Iron Mountain Suggests: Wipe Out Old Data for Good
Make sure your company’s data never comes back from the Great Beyond to haunt you like the zombies in Night of the Living Dead. Iron Mountain provides reliable and secure information disposal services—covering a wide variety of media, IT equipment and other materials—to help your organization ensure customer privacy and maintain regulatory compliance. Iron Mountain’s Secure Media Destruction suite of services provides:
- Reliable and secure disposal of backup tapes, hard drives, DVDs and other non-paper media by expert personnel.
- Comprehensive processes that include erasing or demagnetizing select electronic media prior to shredding.
- Onsite or offsite media destruction, depending on your company’s requirements, with secure transportation of sensitive material that leaves your premises.
- Certificates of destruction verifying that data was properly destroyed.
- Environmentally friendly destruction or recycling of materials in accordance with local, state and federal regulations.
- Destruction services for IT assets and office equipment, including laptops, servers and printers; offsite destruction also can dispose of microfilm, ID badges, bankcards, photographs and audio and videotapes.