Why in House Data Destruction
So you’re looking to delete unwanted files on your hard disk to free up storage capacity for its redeployment. Or perhaps you want to discard it as it carries redundant or outdated data.
Whatever the case: it should be clear that you can’t achieve permanent deletion of confidential files with commands like emptying the recycle bin. Well, at least not in this era where insider threats and corporate cyberattacks are increasing: leading to loss of sensitive information, costly fines, and damaged corporate reputation.
In other words: the criticality of data security throughout your company’s data lifecycle, including its end-of-life, cannot be overstated.
Data Security Laws and Regulations
Regulations and legislation regarding data destruction are getting more stringent. That’s more so for organizations handling:
- Classified information, controlled unclassified information (CUI)
- Personally identifiable information (PII)
- Sensitive but unclassified information (SBU), or
- Information for official use only (FOUO)
The General Data Protection Regulation, for example, classifies data sanitization as a data processing technique and requires organizations that process personal data for EU residents to follow specific steps before destroying the data or the associated hardware.
For instance, data owners have the ultimate control over what should happen to their data – and data destruction is no different. At the same time: you should completely erase data on end-of-life devices instead of just deleting it. And destroy end-of-life hardware in a way that renders it completely useless. Think of the hardware stripped off its magnetic strips, physically destroyed, or shredded.
Besides the European GDPR: most US states have data destruction laws, too. That requires government or private entities to dispose of, destroy, or make personal information indecipherable.
Added to that is the Federal Trade Commission that requires individuals or businesses that use consumer reports for business sake to dispose of the resulting data under strict guidelines. Electronic files, for instance, must be destroyed or erased in a way that makes consumer data unreadable. Paper records, on their end, must be burned, shredded, or pulverized.
Industry compliance regulations boast their own sets of data destruction instructions, too. As does HIPAA for organizations disposing of health-related information.
Now: these laws and regulations have varying restrictions. Some like HIPAA limit how long you can store sensitive data. That means you may need to destroy data regularly. Any non-compliance can attract hefty fines. For instance, not adhering to GDPR requirements can risk your organization a fine of £18m or 4% of the organization’s global turnover, whichever amount is higher.
Non-compliance can also increase the risk of a data breach, further escalating the financial consequences of compensations and lawsuits. All while putting data owners at risk of fraud and identity theft.
When you combine compliance with the need to understand your data: where it lives, how widespread it is, the pieces that are the most sensitive, etc. And the need to safeguard the data under destruction from theft or compromise makes data sanitization a challenging task.
The Challenge of Destroying Data Securely
Data destruction is an increasingly robust task. And in a bid to mitigate in-house workload, companies are increasingly outsourcing data sanitization to third parties.
Unfortunately, relying on third-party solutions can expose the organization to data insecurity risks at multiple touchpoints within the data destruction process. Think of when transferring the data to the vendor’s destruction facility.
Here’s a rundown of research showcasing the risks inherent in retaining off-site sources for data and hardware disposition. (More so because some vendors don’t destroy the IT assets as promised, but rather; sell them – sometimes to malicious players.)
In one instance, journalism students from the University of Vancouver bought seven hard drives at $35 per drive from Agbogbloshie e-waste dealers. Agbogbloshie is a digital graveyard in Ghana, home to discarded electronic devices from the United States and other developed nations.
In just the seven drives, these students found: bank statements, social security numbers, credit card numbers, and other personal information. They also retrieved a highly-sensitive $22m US defense contract in a drive, which also had contracts with Homeland Security, NASA, and TSA.
In 2003, two MIT graduates bought 158 hard drives from eBay, small salvage companies, etc. Upon investigation, they found that 49 of those drives contained sensitive information, including medical data, corporate financials, PII, and more than 5,000 credit card numbers.
In 2006, Idaho Power Company discovered that 84 of the 230 drives they had contracted Grant Korth, a salvage vendor, to sanitize had been sold to parties on eBay. Yet, those drivers contained sensitive information, such as confidential correspondence, proprietary company information, and employees’ data.
In 2009, Kessler International bought 100 hard drives from eBay for six months. Upon investigation: they found 40% of the drives to contain sensitive information.
The list is long.
And goes to show that many companies trust third-party solutions to do as they promised. Unbeknownst to them: the number of reputable data destruction companies is declining. As more vendors are driven by greed. Some even offer to recycle personal computers for free, only to sell them to cybercriminals.
Then there’s the human error. For instance, Morgan Stanley was 2020 alleged to have breached their clients’ financial information. That’s after their data sanitization vendor misplaced several computer equipment storing customers’ PII.
It’s therefore not a wonder that a recent ZDNet study found that 59% of second-hand or refurbished hard drives on online marketplaces have identifiable data of the previous owner.
Add that to the growing cyberattacks on third-party vendors. As criminals target companies that deliver data destruction services to multiple entities, to increase the amount of information they can harvest from one source.
All the while, organizations remain fully liable for the data they process, and no amount of third-party mishaps can deflect liability.
The Solution: In-house Data Destruction
All data, including CUI, PII, FOUO, and SBU, should be destroyed at end-life on-site, with adequately rated equipment.
Here are additional reasons to destroy data and associated IT devices in-house:
Control over the destruction process
Sensitive data controlled by the government or private organizations should be accounted for at all times. That means going beyond keeping it safe to document what your organization has done to safeguard it.
Such measures can quickly become cumbersome when your organization has to track decommissioned hard disks manually. I.e., monitor their processing before shipment, track them during shipment to the vendor’s destruction facility, and confirm they have been wholly obliterated,
Moving these data destruction processes in-house ease the documentation by removing:
- Third-party stakeholders
- Invisibility issues associated with relying on an outside partner to destroy data
The gained control over the data being destroyed is helpful from a regulatory compliance perspective. It also makes it easier to safeguard against insider threats.
Sure, persons in your organization can still access decommissioned IT assets, but you limit that possibility. Instead of being in the dark, not knowing who handled your decommissioned hard disks at what point in time increases the risk of insider threat.
Plus, it’s easy to monitor and safeguard disposable IT assets when dealing with a few of them. Unlike a disposition vendor who is handling 1000s of such daily.
Guarantee of destruction
You have multiple options when it comes to destroying data. However, they all function differently.
For instance, physical destruction is ineffective if the IT asset is not shredded completely. (As any access to substantial parts of the decommissioned hardware can allow malicious players to recover data.) It gets worse in software data wipes, as those are more vulnerable to leaving recoverable data.
Yet, inferior destruction methodologies, human error, and other problems can slip in: if your organization fails to vet the data disposition company they partner with properly.
That makes it upon you to ensure they have the right sanitization tools and expertise to destroy all the decommissioned IT assets – it could be hard disks, USB sticks, or smartphones. You should also check that they have a solid reputation in your niche. (As well as genuine certifications from government agencies, such as NAID AAA or GSA Schedule 70.)
Then again: Keeping the destruction process in-house helps eliminate the said shortcomings, as then: you can verify proper deletion every step of the way.
Keeping end-of-life budget under control
Subscribing to services, as opposed to; spending money on hardware, has revolutionized the IT world. However, the long-term costs of such subscription services can add up to more than the cost of buying a hardware solution.
Take degassers, for example; such a durable machine can help you recoup the purchase price in no time: by saving on data disposition service subscriptions.
Find a Reputable Company Equipped to Handle Your Data Destruction Needs
Protecting your organization from corporate data breaches and insider threats is relatively easy with the right policy and tools in your arsenal.
At Phiston Technologies, we believe in proactive product development, agile innovation, and secure data destruction – as evidenced in our no-hassle yet effective hardware crushing machines.
We take pride in being the leading data destruction company in the US: Serving Facebook, LinkedIn, IBM, Amazon, Verizon, and more. Contact us today to learn how we can help you with in-house data destruction: to prevent all the pitfalls of using third-party disposition companies.
