It just might be one of the most exciting occurrences in the workplace: the IT upgrade. Keeping up with technology is difficult, and the promise of enhanced productivity and ease of use is alluring. A rush to upgrade, however, could deliver a devastating blow to your company’s data security, depending on how you approach data destruction and document disposal.
Protecting sensitive and confidential data is a monumental task for any business. Data security laws in the U.S. mandate that organizations implement ‘adequate safeguards’ to ensure privacy protection of individuals. They also require those organizations to have written policies and procedures in place regarding final data destruction and document disposal for media containing such information. It comes as no surprise that both the government and courts are willing to fine and penalize those organizations that violate these laws and put the privacy of individuals at risk. To name just a few cases:
- In 2011, TRICARE, a U.S. healthcare benefits provider, was involved in a lawsuit claiming willful negligence in dealing with private information. The lawsuit sought $4.9 billion in damages.
- Also in 2011, Sutter Health was hit with a $1 billion lawsuit.
- Emory Healthcare faced a $200 million suit for a data breach.
Considering fines, punitive damages, litigation costs, and the damage to an organization’s reputation, a data breach can range from extremely devastating to fatal for a business. So why, then, do some organizations put themselves at such risk?
Where the Breakdown Occurs
According to a recent study, many organizations spend billions yearly on data security from encryption to monitoring, but overlook one major aspect—IT asset disposition. Accounting for retired assets can be tedious, but considering the data storage capacity of a single cell phone, laptop, or computer hard drive, it is well worth the effort.
An organization must track assets from entry into the organization, through transfers of use, to final disposition. According to a study by the Harvard Business Review, 1 in 5 organizations were unable to account for at least one asset upon disposition, and 15% of those lost assets were potentially data-containing devices such as laptops, servers, or cell phones.
Chain-of-custody is not the newest buzzword, it is not a fad, and it is not a sales tactic. It is a necessity for an organization that wishes to indemnify itself and transfer liability of its retired assets. An organization is responsible for tracking its assets throughout their useful life, whether done internally or by a third-party organization; however, that is not where asset tracking should end. When it comes time to upgrade those servers and computers, it is extremely important to continue the chain-of-custody for your electronics on the way to final destruction.
With a third-party data destruction firm that holds a AAA Certification from the National Association for Information Destruction (NAID), you can rest assured your valuable information is in the right hands. From the moment your electronics are received, they are kept under lock and key as if that material were worth millions of dollars. A detailed form indicating material type, quantity, services to be provided, and acknowledgment of transfer of assets is filled out and signed.
Once the material is at the data destruction facility, serial numbers are recorded and memory-containing devices are accounted for and physically destroyed. Assets received are verified against assets accepted at the point of transfer to ensure all material is present and accounted for. To complete the chain-of-custody, a detailed report indicating asset type, serial number, and final disposition (physical destruction) can be issued to the organization, along with a certificate of data destruction confirming that all memory-containing devices were destroyed in a manner compliant with all local, state, and federal laws.
The threat of a data breach is very real. Taking every necessary precaution is both responsible and required by law. A complete chain-of-custody is the first step in ensuring an organization’s data security.
When it comes time to upgrade your technology, do not forget about the old electronics and the information they hold. It is valuable and needs to be treated as such.
For more information on IT asset disposition, electronic recycling, and data destruction, please give DataShield Corporation a call at (402) 204-0054.