REMOTE EMPLOYEES AND DATA SECURITY: A CAUTIONARY TALE
A major investment bank and financial services company recently became the target of multiple lawsuits filed by clients for possible data breaches stemming from the improper handling of decommissioned computer equipment at the firm’s branch offices.
This type of nightmare scenario can happen to virtually any type or size of business, even large multinational corporations with well-staffed IT departments. Throw in a pandemic, driving the migration of employees to a work-from-home model, and I fear the risk has increased significantly.
Think about it. IT departments, accustomed to functioning in a highly controlled, centralized manner, now must manage laptops and other devices at hundreds or even thousands of remote locations. So, what happens when those devices need to be decommissioned? And how does a company safeguard sensitive data on those devices, especially while in transit?
As reported in an industry trade journal, the financial institution mentioned above trusted an IT asset disposition (ITAD) vendor to scrub data from the decommissioned devices. You would think a company specializing in ITAD would be extra vigilant in the handling of hardware with sensitive data, particularly at a time when data security has received so much attention.
In fact, doing ITAD right is inherently difficult — and the challenges are compounded when employees and their devices are widely dispersed, as they certainly are with today’s work-from-home model. Clearly, it’s more important than ever to choose a partner that possesses a proven track record with remote IT hardware services (RITHS). Criteria used in the vendor evaluation process should include:
- Robust industry certifications, especially NAID AAA Certification, which verifies compliance with all known data protection laws through surprise audits by trained, accredited security professionals
- Data sanitization or destruction that complies with Department of Defense, National Institute of Standards and Technology (NIST) 800-88, and NAID standards
- Control over the entire “chain of custody,” from the time a device is picked up at an employee’s work location until it is processed and scrubbed of sensitive data
- The option of a cloud-based, scalable solution for employees to perform their own data sanitization before shipping decommissioned hardware
- Adequate liability insurance (minimum $10 million) to cover data breaches
Author: Dynamic Lifecycle Innovations