The Decision of Whether to Destroy Data On-Site or Off-Site
THE DECISION OF WHETHER TO DESTROY DATA ON-SITE OR OFF-SITE
When discussing IT asset disposition (ITAD) security protocols with clients there is an elephant in the room that often does not get directly acknowledged. And that is the fact that there is a risk of data loss while equipment is in transit between the client’s site and the ITAD vendor’s facility. If there is equipment containing confidential data, and the media is not encrypted, then this could result in a data breach incident, which is most IT departments’ worst nightmare. The consequences include customer/patient/employee private information being exposed, massive financial losses for the company, executives losing their jobs, and lawsuits between the parties involved. Nobody wants that to happen!
And the truth is that this risk is entirely avoidable. As an ITAD vendor, we have to walk the fine line of providing a solution that is both secure and also prices competitive. While we know the safest bet for our clients is to destroy their data before equipment is picked up, many companies simply do not have the budget or internal resources to make sure this happens. The more economical solution is to maintain chain-of-custody from the time equipment is picked up and until it is delivered to the ITAD facility where the data will then be destroyed. But chain-of-custody is more of a paper trail than a preventative action. And because most ITAD companies rely on third-party transportation partners, there can be inherent risks outside of their control. These risks would mainly include a shipment going missing or an intentional theft occurring.
Thankfully, at Avail Recovery, we have not actually had this happen, in part because we require our transportation partners to follow strict guidelines for packing and transporting equipment in compliance with R2 and the TSA. But we also do not have control over whether our clients decide to ship equipment to us that contains confidential data. In order to mitigate the potential exposure to all parties, we also carry a Cyber Liability insurance policy which will kick in to cover data breach costs if an incident occurs while protected information is in our care. However, this is not a clear cut process since the insurance company would be looking at all parties to determine who was at fault before paying out a claim.
So what do we recommend our clients do to protect themselves and completely avoid this potential risk to their organization? Here are some options and recommendations:
- Make sure encryption is being used for any media leaving the premises of your offices or data centers (this would also apply to assets at employees’ homes).
- Have your own staff or a vendor wipe the drives before being sent off-site using NIST 800-88 approved software and keep the erasure logs on record for your next security audit.
- Pay a little extra to have your hard drives, SSDs, tapes, and other storage devices physically shredded on-site while witnessed by your staff.
- For any activity that is outsourced, make sure the vendor is certified for data destruction (R2, e-Steward, or NAID AAA) and is issuing you a formal Certificate of Destruction with serial numbers captured.