{"id":7681,"date":"2020-12-08T11:18:06","date_gmt":"2020-12-08T16:18:06","guid":{"rendered":"https:\/\/www.itadsummit.com\/?page_id=7681"},"modified":"2020-12-08T11:18:06","modified_gmt":"2020-12-08T16:18:06","slug":"itad-blog-data-center-decommissioning-companies-managing-the-security-risk","status":"publish","type":"page","link":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/","title":{"rendered":"ITAD Blog:  Data Center Decommissioning Companies: Managing The Security Risk"},"content":{"rendered":"<h1>\n\t\tITAD Blog\n\t<\/h1>\n<h6>\n\t\tData Center Decommissioning Companies: Managing The Security Risk\n\t<\/h6>\n\t\t\t\t\t\t\t\t\t\t<img decoding=\"async\" src=\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg\" alt=\"Security\" itemprop=\"image\"  \/>\n\t<h1>ITAD Blog<\/h1>\n<h3>DATA DECOMMISSIONING COMPANIES: MANAGING THE SECURITY RISKS<\/h3>\n\t<p>The sensitive work performed by data center decommissioning companies is more critical than ever. In a world increasingly driven by data, how data-bearing hardware is securely disposed of is enough to keep CIOs awake at night.<\/p>\n<p>So when federal authorities recently slapped a\u00a0$60 million fine\u00a0on Morgan Stanley for failures in its data center decommissioning processes<strong>\u00a0<\/strong>dating back to 2016, industry leaders unsurprisingly paid attention. The ruling served as a timely (albeit expensive) reminder of the rigor required in protecting customer data.<\/p>\n<p>While it\u2019s clear the relationship between data center operators and data center decommissioning companies demands close management, what does this mean in practice? Here are four lessons to draw from\u00a0the penalty notice\u00a0issued to the banking giant:<\/p>\n<h2><strong>1. The Ultimate Responsibility For Data Oversight Is Yours\u00a0<\/strong><\/h2>\n<p>According to the\u00a0 OCC\u2019s (Office of the Comptroller of the Currency)\u00a0consent order, Morgan Stanley failed to exercise proper oversight of the decommissioning of two of its data centers in the United States.<\/p>\n<p>The bank failed to sufficiently vet and monitor third-party vendors, including subcontractors. It also failed to maintain an appropriate inventory of customer data stored on the decommissioned devices, the ruling asserts.<\/p>\n<p>As a data center operator and custodian of personally identifiable information (PII), you must remember:<\/p>\n<p>The ultimate responsibility for customer data sits with the business that the customer entrusts the data with\u2014and that is you.<\/p>\n<p>This is why the companies you hire to assist with decommissioning work must be thoroughly vetted and comprehensively monitored. You cannot hide behind shortcomings in your contractor\u2019s work.<\/p>\n<h4><strong>Action Points for Mitigating Risk<\/strong><\/h4>\n<ul>\n<li>Adequately assess the risk of using third-party vendors. Are your vendor contracts clear on the use of subcontractors?<\/li>\n<li>Ensure due diligence in selecting third-party vendors. How do you assess for relevant certifications and\u00a0experience?<\/li>\n<li>Agree with your vendors on a framework for performance monitoring.<\/li>\n<li>Maintain a comprehensive inventory of the types of customer data stored across devices.<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h2><strong>2. Build A Solid Framework For Data Management<\/strong><\/h2>\n<p>For many businesses nowadays, data is the lifeblood. This is almost certainly true for your company, too.<\/p>\n<p>With this in mind, organizations must commit to the strongest possible practices around data management.<\/p>\n<p>This includes how you manage the decommissioning and disposal of the data center equipment you no longer need. Most firms don\u2019t have sufficient expertise or capacity to do all the decommissioning work themselves.<\/p>\n<p>In your data management framework, take care to specify:<\/p>\n<ul>\n<li>in what circumstances you might seek third party support for the decommissioning of your data centers<\/li>\n<li>your process for selecting qualified decommissioning vendors and undertaking due diligence<\/li>\n<li>core standards for supervising your vendors as they perform the work<\/li>\n<\/ul>\n<p>Morgan Stanley\u2019s failure to sufficiently vet and monitor its decommissioning partners doesn\u2019t mean decommissioning work shouldn\u2019t be outsourced.<\/p>\n<p>What it does mean is that your organization must include (and enforce) clear direction around 1) the handling of data-bearing hardware and 2) the hiring and supervision of data center decommissioning companies\u00a0in your data management policy.<\/p>\n<p>\u201cThere is no statute of limitations or safe harbor for improperly discarded IT assets. The equipment at Morgan Stanley was discarded four years ago. If a hard drive turns up five or ten years down the road with personal information on it, it is still a data breach plain and simple.\u201d<\/p>\n<p><strong>NAID \/ i-sigma<\/strong><strong>\u00a0boss Bob Johnson<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h2><strong>3. Cultivate A Culture That Prioritizes Data Security<\/strong><\/h2>\n<p>Your policies are only as good as the culture that sustains them.<\/p>\n<p>Develop in your organization a\u00a0strong culture\u00a0around data security. This culture should permeate all aspects of your operation, from staffing and software to physical premises and hardware.<\/p>\n<p>As with any culture, its development starts at the top. While the responsibility in larger firms rolls up to the management board, mid-sized companies and start-ups must also embrace core principles of data security at the highest level.<\/p>\n<p>Bear in mind:<\/p>\n<p>Data security is a leadership issue that touches all corners of a company, from accounting and product development to sales and marketing.<\/p>\n<p>Your data management policy sets the framework for data security throughout your organization, from the physical security of data centers and hardware reuse to due diligence protocols and vendor management.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>Hold Your Horses!<\/strong><\/h2>\n<p>Destroying data-bearing hardware may seem like the safest move of all, but it is not necessarily the smartest.<\/p>\n<p>The rush to destroy end-of-use equipment is a product of\u00a0legacy thinking, a knee-jerk reaction that leads firms to leave money on the table and destroy otherwise functioning hardware.<\/p>\n<p>Fully explore the conversation around\u00a0secure reusing\u00a0and remarketing of hardware with your decommissioning partner.<\/p>\n<p>&nbsp;<\/p>\n<h2><strong>4. No Business Sector Is Exempt From Data Protection Requirements\u00a0<\/strong><\/h2>\n<p>It doesn\u2019t matter whether you\u2019re on the cutting edge of fintech, running a B2B e-commerce operation, or offering video streaming and adtech services, data protection regulation cuts across sectors. These days, pizza chains and florists are as dependent on customer data as they are on fresh dough and flowers.<\/p>\n<p>Consider the European Union\u2019s\u00a0General Data Protection Regulation (GDPR), which requires tight standards for any organization holding the data of individuals in the EU, wherever\u00a0that company operates in the world. Or the California Consumer Privacy Act, which is\u00a0widely seen as the first step\u00a0toward a more comprehensive approach to data privacy in the United States.<\/p>\n<p>In Morgan Stanley\u2019s case, it was ruled to be \u201cengaging in unsafe or unsound practices relating to information security and non-compliance under 12 C.F.R. Part 30.\u201d<\/p>\n<p>Bottom line: it doesn\u2019t matter what sector you operate in, where you\u2019re headquartered, or to what degree you contract out the work, the protection of your customer data ultimately remains your responsibility\u2014and that extends to the practice of decommissioning data centers.<\/p>\n<h2><strong>Manage Your Risk<\/strong><\/h2>\n<p>Working with data center decommissioning companies shouldn\u2019t be unduly burdensome. A good data center decommissioning company will help securely solve your problems and save you headaches.<\/p>\n<p>Invest time in the vetting process. Identify firms that<\/p>\n<ol>\n<li>offer flexible solutions for the needs of your data center environment<\/li>\n<li>confidently demonstrate knowledge of your regulatory framework<\/li>\n<li>display a deep commitment to compliance and adherence to process<\/li>\n<\/ol>\n<p>Once you find the right partner, you\u2019ll be in good hands.<\/p>\n<p>&nbsp;<\/p>\n<p><em>Author: Horizon Technology<\/em><\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p class=\"post-excerpt\" class=\"post-excerpt\">ITAD Blog Data Center Decommissioning Companies: Managing The Security Risk ITAD Blog&hellip;<\/p>\n<div class=\"link-more\"><a href=\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\">Continue reading<span class=\"screen-reader-text\"> &#8220;ITAD Blog:  Data Center Decommissioning Companies: Managing The Security Risk&#8221;<\/span>&hellip;<\/a><\/div>\n<div class=\"link-more\"><a href=\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\">Continue reading<span class=\"screen-reader-text\"> \"ITAD Blog:  Data Center Decommissioning Companies: Managing The Security Risk\"<\/span>&hellip;<\/a><\/div>","protected":false},"author":7,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-7681","page","type-page","status-publish","hentry","entry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v25.6 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk - ITAD Summit - Las Vegas - August 2026 - Conference<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk - ITAD Summit - Las Vegas - August 2026 - Conference\" \/>\n<meta property=\"og:description\" content=\"ITAD Blog Data Center Decommissioning Companies: Managing The Security Risk ITAD Blog&hellip;\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\" \/>\n<meta property=\"og:site_name\" content=\"ITAD Summit - Las Vegas - August 2026 - Conference\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\",\"url\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\",\"name\":\"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk - ITAD Summit - Las Vegas - August 2026 - Conference\",\"isPartOf\":{\"@id\":\"https:\/\/www.itadsummit.com\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg\",\"datePublished\":\"2020-12-08T16:18:06+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#primaryimage\",\"url\":\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg\",\"contentUrl\":\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.itadsummit.com\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.itadsummit.com\/#website\",\"url\":\"https:\/\/www.itadsummit.com\/\",\"name\":\"ITAD Summit - Las Vegas - August 2026 - Conference\",\"description\":\"ITAD Summit - Las Vegas - August 2026 - Conference\",\"publisher\":{\"@id\":\"https:\/\/www.itadsummit.com\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.itadsummit.com\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.itadsummit.com\/#organization\",\"name\":\"ITAD Summit - Las Vegas - August 2026 - Conference\",\"url\":\"https:\/\/www.itadsummit.com\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.itadsummit.com\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/2025\/09\/ITAD-white-and-red.png\",\"contentUrl\":\"https:\/\/www.itadsummit.com\/wp-content\/uploads\/2025\/09\/ITAD-white-and-red.png\",\"width\":744,\"height\":289,\"caption\":\"ITAD Summit - Las Vegas - August 2026 - Conference\"},\"image\":{\"@id\":\"https:\/\/www.itadsummit.com\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk - ITAD Summit - Las Vegas - August 2026 - Conference","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/","og_locale":"en_US","og_type":"article","og_title":"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk - ITAD Summit - Las Vegas - August 2026 - Conference","og_description":"ITAD Blog Data Center Decommissioning Companies: Managing The Security Risk ITAD Blog&hellip;","og_url":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/","og_site_name":"ITAD Summit - Las Vegas - August 2026 - Conference","og_image":[{"url":"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg","type":"","width":"","height":""}],"twitter_card":"summary_large_image","twitter_misc":{"Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/","url":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/","name":"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk - ITAD Summit - Las Vegas - August 2026 - Conference","isPartOf":{"@id":"https:\/\/www.itadsummit.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#primaryimage"},"image":{"@id":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#primaryimage"},"thumbnailUrl":"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg","datePublished":"2020-12-08T16:18:06+00:00","breadcrumb":{"@id":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#primaryimage","url":"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg","contentUrl":"https:\/\/www.itadsummit.com\/wp-content\/uploads\/bb-plugin\/cache\/Security-circle.jpg"},{"@type":"BreadcrumbList","@id":"https:\/\/www.itadsummit.com\/index.php\/itad-blog-data-center-decommissioning-companies-managing-the-security-risk\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.itadsummit.com\/"},{"@type":"ListItem","position":2,"name":"ITAD Blog: Data Center Decommissioning Companies: Managing The Security Risk"}]},{"@type":"WebSite","@id":"https:\/\/www.itadsummit.com\/#website","url":"https:\/\/www.itadsummit.com\/","name":"ITAD Summit - Las Vegas - August 2026 - Conference","description":"ITAD Summit - Las Vegas - August 2026 - Conference","publisher":{"@id":"https:\/\/www.itadsummit.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.itadsummit.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.itadsummit.com\/#organization","name":"ITAD Summit - Las Vegas - August 2026 - Conference","url":"https:\/\/www.itadsummit.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.itadsummit.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.itadsummit.com\/wp-content\/uploads\/2025\/09\/ITAD-white-and-red.png","contentUrl":"https:\/\/www.itadsummit.com\/wp-content\/uploads\/2025\/09\/ITAD-white-and-red.png","width":744,"height":289,"caption":"ITAD Summit - Las Vegas - August 2026 - Conference"},"image":{"@id":"https:\/\/www.itadsummit.com\/#\/schema\/logo\/image\/"}}]}},"_links":{"self":[{"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/pages\/7681"}],"collection":[{"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/comments?post=7681"}],"version-history":[{"count":2,"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/pages\/7681\/revisions"}],"predecessor-version":[{"id":7719,"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/pages\/7681\/revisions\/7719"}],"wp:attachment":[{"href":"https:\/\/www.itadsummit.com\/index.php\/wp-json\/wp\/v2\/media?parent=7681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}