IT Asset Disposition (ITAD). New Liability

There is no statute of limitations or safe harbor for improper IT asset disposition. If it can happen to Morgan Stanley, it can happen to you. When Morgan Stanley closed two data centers in 2016, they hired an outsourced data wiping (overwriting) vendor. Morgan Stanley expected total security of their customers’ private data. However, this year, they learned they didn’t get what they expected. Instead, data remained on the “wiped” drives, which violated customer privacy and has left Morgan Stanley with a huge cost risk. Today, the company is facing lawsuits from employees and customers, because the personal information they thought was destroyed came back to haunt them. 

Ticking Time Bomb

Partially destroyed data is a ticking time bomb. There is no statute of limitations or safe harbor for improperly discarded IT assets. Improper IT Asset Disposal (ITAD) is a risk carried forward indefinitely. Consequently, the organization that hired the service provider is still liable for data records discovered, even years later. This is true for all data carrying assets, not just electronic equipment.

[Figure: cost risk chart, preventing a land mine data breach]

Data breaches happen when best practices for data sanitization are ignored or not fully followed. That includes failing to maintain a proper chain of custody for all data from acquisition to the end of life, and failing to verify and document data erasure and destruction for audit purposes.

Best practices recommend:

  • Secure, dedicated areas for data destruction
  • Limited access
  • Procedures for each type of data storage device
  • A timeline to sanitize data that reflects the entire life cycle of the media

“Organizations need to do better (about ITAD),” says Bob Johnson, CEO of the International Secure Information Governance & Management Association (i-SIGMA), Phoenix. “They need to be sure 1) they are accounting for IT equipment from the moment it is acquired to the point it is finally disposed of, and, 2) elevate the selection criteria, operating criteria, monitoring procedures, and contracts of IT asset disposal services they use.”

New Realities of IT Asset Disposition

IT Asset Disposition (ITAD) is the process of disposing of unwanted electronic equipment responsibly. Proper ITAD programs ensure organizations mitigate risk, minimize cost, and maximize value recovery. 

We are seeing a major shift in ITAD policies and practices, moving away from concern about the residual value of the equipment and toward securing data across its lifecycle. Companies used to look for ways to sell old equipment; now they focus on data erasure and destruction because of the risk of a data breach.

IT Asset Disposition (ITAD) Best Practices

You can mitigate your risk and avoid data breaches like that experienced by Morgan Stanley in 2016, with a simple three-step hard drive decommissioning process: 

  1. Degauss
  2. Destroy
  3. Verify

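Degaussing is the only data erasure method that guarantees that no data is left behind on the hard drive because it eliminates the magnetic field patterns on the drive in a matter of seconds. Degaussing is the primary method of data sanitization approved by the NSA for Top Secret hard drive data erasure. Because it acts on magnetic recording, it applies to magnetic media such as hard drives; flash-based storage such as SSDs is not erased by degaussing.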

For optimum security, follow degaussing with physical destruction of the hard drive using a hard drive destroyer, such as Garner’s PD-5 or PD-4 destroyers. Physically damaging the hard drive casing and bending the disk platters provides visual confirmation that the hard drive has been securely processed. It also discourages attempts to retrieve data from the drive and visually indicates the drive is ready to leave the controlled environment for recycling or disposal.

Finally, verify your data sanitization process with a system that captures and keeps a record of the destruction process. The IRONCLAD Erasure Verification System captures JPG images of degaussed and destroyed media, automatically generating a report log and a certificate of erasure and destruction.
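An audit check for the degauss, destroy, verify sequence and the acquisition-to-disposal accounting described above, as an added example that is not from the article or any vendor product. The CSV layout, column names, serial numbers and file names are assumptions constructed for illustration.

```python
import csv
import io
from datetime import datetime

STEPS = ("degauss", "destroy", "verify")  # order given in the article

# Constructed sample data: asset register of drives slated for disposal.
INVENTORY = {"WD-1001", "WD-1002", "WD-1003", "WD-1004"}

# Constructed sample disposal log (hypothetical format, not a vendor export).
LOG_CSV = """serial,step,timestamp,evidence
WD-1001,degauss,2024-03-01T09:00:00,
WD-1001,destroy,2024-03-01T09:05:00,
WD-1001,verify,2024-03-01T09:06:00,wd-1001.jpg
WD-1002,destroy,2024-03-01T09:10:00,
WD-1002,degauss,2024-03-01T09:20:00,
WD-1002,verify,2024-03-01T09:21:00,wd-1002.jpg
WD-1003,degauss,2024-03-01T09:30:00,
WD-1003,destroy,2024-03-01T09:35:00,
WD-1003,verify,2024-03-01T09:36:00,
WD-9999,degauss,2024-03-01T09:40:00,
"""

def audit(inventory, log_csv):
    """Return {serial: [findings]} for every drive that fails the audit."""
    seen = {}
    for row in csv.DictReader(io.StringIO(log_csv)):
        when = datetime.fromisoformat(row["timestamp"])
        seen.setdefault(row["serial"], {})[row["step"]] = (when, row["evidence"])
    findings = {}
    for serial in sorted(inventory | set(seen)):
        steps, issues = seen.get(serial, {}), []
        if serial not in inventory:
            issues.append("not in asset register")
        missing = [s for s in STEPS if s not in steps]
        issues += [f"missing {s} record" for s in missing]
        if not missing:
            times = [steps[s][0] for s in STEPS]
            if times != sorted(times):
                issues.append("steps out of order")
        if "verify" in steps and not steps["verify"][1]:
            issues.append("verify record has no evidence image")
        if issues:
            findings[serial] = issues
    return findings

if __name__ == "__main__":
    for serial, issues in audit(INVENTORY, LOG_CSV).items():
        print(serial, "->", "; ".join(issues))
```

A drive that appears in the register but never in the log (WD-1004 here) is the case that matters most for the chain-of-custody point: it is the asset nobody can account for.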

Garner Products is the internationally recognized leading manufacturer of NSA/CSS EPL-Listed data erasure and destruction equipment. Garner offers a full line of hard drive degaussers and destroyers, from office-quiet desktop units to equipment for Top Secret data elimination. Learn more about Garner Products at GarnerProducts.com.

Published by

Michael Harstrick
Chief Global Development Officer at Garner Products, Inc