Data Center Decommissioning Companies: Managing The Security Risk



The sensitive work performed by data center decommissioning companies is more critical than ever. In a world increasingly driven by data, how data-bearing hardware is securely disposed of is enough to keep CIOs awake at night.

So when federal authorities recently slapped a $60 million fine on Morgan Stanley for failures in its data center decommissioning processes dating back to 2016, industry leaders unsurprisingly paid attention. The ruling served as a timely (albeit expensive) reminder of the rigor required in protecting customer data.

While it’s clear the relationship between data center operators and data center decommissioning companies demands close management, what does this mean in practice? Here are four lessons to draw from the penalty notice issued to the banking giant:

1. The Ultimate Responsibility For Data Oversight Is Yours 

According to the  OCC’s (Office of the Comptroller of the Currency) consent order, Morgan Stanley failed to exercise proper oversight of the decommissioning of two of its data centers in the United States.

The bank failed to sufficiently vet and monitor third-party vendors, including subcontractors. It also failed to maintain an appropriate inventory of customer data stored on the decommissioned devices, the ruling asserts.

As a data center operator and custodian of personally identifiable information (PII), you must remember:

The ultimate responsibility for customer data sits with the business that the customer entrusts the data with—and that is you.

This is why the companies you hire to assist with decommissioning work must be thoroughly vetted and comprehensively monitored. You cannot hide behind shortcomings in your contractor’s work.

Action Points for Mitigating Risk

  • Adequately assess the risk of using third-party vendors. Are your vendor contracts clear on the use of subcontractors?
  • Ensure due diligence in selecting third-party vendors. How do you assess for relevant certifications and experience?
  • Agree with your vendors on a framework for performance monitoring.
  • Maintain a comprehensive inventory of the types of customer data stored across devices.


2. Build A Solid Framework For Data Management

For many businesses nowadays, data is the lifeblood. This is almost certainly true for your company, too.

With this in mind, organizations must commit to the strongest possible practices around data management.

This includes how you manage the decommissioning and disposal of the data center equipment you no longer need. Most firms don’t have sufficient expertise or capacity to do all the decommissioning work themselves.

In your data management framework, take care to specify:

  • in what circumstances you might seek third party support for the decommissioning of your data centers
  • your process for selecting qualified decommissioning vendors and undertaking due diligence
  • core standards for supervising your vendors as they perform the work

Morgan Stanley’s failure to sufficiently vet and monitor its decommissioning partners doesn’t mean decommissioning work shouldn’t be outsourced.

What it does mean is that your organization must include (and enforce) clear direction around 1) the handling of data-bearing hardware and 2) the hiring and supervision of data center decommissioning companies in your data management policy.

“There is no statute of limitations or safe harbor for improperly discarded IT assets. The equipment at Morgan Stanley was discarded four years ago. If a hard drive turns up five or ten years down the road with personal information on it, it is still a data breach plain and simple.”

NAID / i-sigma boss Bob Johnson


3. Cultivate A Culture That Prioritizes Data Security

Your policies are only as good as the culture that sustains them.

Develop in your organization a strong culture around data security. This culture should permeate all aspects of your operation, from staffing and software to physical premises and hardware.

As with any culture, its development starts at the top. While the responsibility in larger firms rolls up to the management board, mid-sized companies and start-ups must also embrace core principles of data security at the highest level.

Bear in mind:

Data security is a leadership issue that touches all corners of a company, from accounting and product development to sales and marketing.

Your data management policy sets the framework for data security throughout your organization, from the physical security of data centers and hardware reuse to due diligence protocols and vendor management.


Hold Your Horses!

Destroying data-bearing hardware may seem like the safest move of all, but it is not necessarily the smartest.

The rush to destroy end-of-use equipment is a product of legacy thinking, a knee-jerk reaction that leads firms to leave money on the table and destroy otherwise functioning hardware.

Fully explore the conversation around secure reusing and remarketing of hardware with your decommissioning partner.


4. No Business Sector Is Exempt From Data Protection Requirements 

It doesn’t matter whether you’re on the cutting edge of fintech, running a B2B e-commerce operation, or offering video streaming and adtech services, data protection regulation cuts across sectors. These days, pizza chains and florists are as dependent on customer data as they are on fresh dough and flowers.

Consider the European Union’s General Data Protection Regulation (GDPR), which requires tight standards for any organization holding the data of individuals in the EU, wherever that company operates in the world. Or the California Consumer Privacy Act, which is widely seen as the first step toward a more comprehensive approach to data privacy in the United States.

In Morgan Stanley’s case, it was ruled to be “engaging in unsafe or unsound practices relating to information security and non-compliance under 12 C.F.R. Part 30.”

Bottom line: it doesn’t matter what sector you operate in, where you’re headquartered, or to what degree you contract out the work, the protection of your customer data ultimately remains your responsibility—and that extends to the practice of decommissioning data centers.

Manage Your Risk

Working with data center decommissioning companies shouldn’t be unduly burdensome. A good data center decommissioning company will help securely solve your problems and save you headaches.

Invest time in the vetting process. Identify firms that

  1. offer flexible solutions for the needs of your data center environment
  2. confidently demonstrate knowledge of your regulatory framework
  3. display a deep commitment to compliance and adherence to process

Once you find the right partner, you’ll be in good hands.


Author: Horizon Technology