What is your IT asset disposal obligation?
Properly Sanitize End-of-Life Media
There is no statute of limitations or safe harbor for improper IT asset disposition. If it can happen to Morgan Stanley, it can happen to you. When Morgan Stanley closed two data centers in 2016, they hired an outsourced data wiping (overwriting) vendor. Morgan Stanley expected total security of their customers’ private data. However, this year, they learned they didn’t get what they expected. Instead, data remained on the “wiped” drives, which violated customer privacy and has left Morgan Stanley with a huge cost risk. Today, the company is facing lawsuits from employees and customers, because the personal information they thought was destroyed came back to haunt them.
The Hidden Landmine – Discarded Media
Partially destroyed data is a ticking time bomb. There is no statute of limitations or safe harbor for improperly discarded IT assets. Improper IT Asset Disposal (ITAD) is a risk carried forward indefinitely. Consequently, the organization that hired the service provider is still liable for data records discovered, even years later. This is true for all data-carrying assets, not just electronic equipment.
Best practices for IT asset disposal recommend:
- Secure, dedicated areas for data destruction
- Limited access
- Procedures for each type of data storage device
- A timeline to sanitize data that reflects the entire life cycle of the media
“Organizations need to do better (about ITAD),” says Bob Johnson, CEO of the International Secure Information Governance & Management Association (i-SIGMA), Phoenix.
“They need to be sure 1) they are accounting for IT equipment from the moment it is acquired to the point it is finally disposed of, and, 2) elevate the selection criteria, operating criteria, monitoring procedures, and contracts of IT asset disposal services they use.”
New Realities of IT Asset Disposal
IT Asset Disposition (ITAD) is the process of disposing of unwanted electronic equipment responsibly. Proper ITAD programs ensure organizations mitigate risk, minimize cost, and maximize value recovery. We are seeing a major shift in ITAD policies and practices, moving away from concern about the residual value of the equipment to securing data across its lifecycle. Companies used to look for ways to sell old equipment; now they focus on data erasure and destruction because of the risk of a data breach.
Best Practices
You can mitigate your risk and avoid data breaches like that experienced by Morgan Stanley in 2016 with a simple three-step hard drive decommissioning process: