Data decommissioning is a process where electronics and other assets that hold important data are removed from a company’s possession in a responsible manner. It could be the result of a company shutting down, expanding, or simply needing to get rid of outdated equipment. Done correctly, sensitive information isn’t exposed or at risk of being stolen. Done improperly, your company faces hefty fines and damage to your reputation.
How big are those fines? In 2016, Morgan Stanley didn’t keep an updated inventory of the information on hardware that was part of a data center decommissioning. The company also failed to assess the risk of a data breach during the decommissioning, including the risk posed by the third-party subcontractors hired as part of the decommissioning project. The same errors were made in 2019 when devices were decommissioned at another data center.
The 2016 lapse led to the Office of the Comptroller of the Currency (OCC) ordering Morgan Stanley to notify customers. After the second lapse, the company voluntarily notified affected customers. A class-action lawsuit was filed. The OCC also fined Morgan Stanley $60 million. Morgan Stanley hasn’t admitted any fault, but that was just one fine. The company was also fined $5 million by the SEC and $5 by the Commodity Futures Trading Commission for other violations.
Morgan Stanley released a statement saying, “We have continuously monitored the situation and we do not believe that any of our clients’ information has been accessed or misused.” The company does plan to further protect clients through fraud monitoring and heightened security measures. Unfortunately, this is just one example of just one company. There are countless other examples, some of which are well publicized and others which fly under the radar.
Steps Involved in Data Decommissioning
Data decommissioning starts long before the day you decide to relocate an office or buy a new computer. It’s something your company should be thinking of the minute you purchase electronics and storage devices for your company.
#1 – How Long Will the Device Last?
Companies should take time to establish the lifespan of their hardware and storage devices. An old laptop may be fine, but if its operating system and firmware are no longer getting updates, that device is open to security breaches and other threats. How do you know how long an item is viable? Look at the warranty. You should also consider how much data is being processed by that device. A hard drive that’s processing a lot of information for a full-time employee may not last as long as the one a part-time employee uses.
#2 – Have a Plan in Mind
Before you need it, have a plan in mind that addresses what you’ll do when it’s time to dispose of electronics and storage devices. That plan should address your budget, what regulations apply to your company, and who you’d want to be involved in the final process. People who are involved in the process should keep up-to-date with the latest laws and requirements as they can change as new laws are added federally and on a state or local level.
When it comes time, hire experts in data decommissioning. Yes, there is a cost involved. It’s better than having to pay millions of dollars in fines because your team didn’t have the same level of experience as an ITAD expert. While a fine of $60 million may not seem like a lot to a billion-dollar company, a million-dollar fine could bankrupt you. Work with the ITAD experts to make sure your business’s operations are not affected during the decommissioning. When you do that, you avoid the costly mistakes that lead to government fines.
#3 – Take Protective Measures
Before the decommissioning starts, make sure that backups are made. Test the backups to make sure they were completed correctly. Create an inventory of the information that was on a drive or device and store it in a secure place. If something does go wrong, this backup and inventory help prove what was lost.
For a company that’s moving to a new building, city, or state, teams need to be on both ends to ensure that new equipment is ready to go to avoid any work delays. Any network traffic will need to be redirected. If your company has an IT department, you want to work with them and involve them in plans created with an ITAD company.
#4 – Decommissioning Day
On the day of the data decommissioning, everyone must know their role. You’ll go over items that still have value and can be refurbished or sold for parts.
Items will be disconnected from the network and unplugged. Data may be destroyed on-site or at a secure facility. If data is destroyed at your site, that’s done before items are packaged. Otherwise, they’re safely packaged and transferred to an e-recycling facility where data is destroyed. If items are transported, tracking information is stored so that the company knows exactly where items are from the minute they leave the building.
Those items with value are fixed and restored to factory settings. They’ll be sold to someone new and given a chance to be useful for several more years. Items that have no value are sent to giant shredders that break up the item and sort it into components like metal and plastic that are recycled.
The Key Requirements of a Data Decommission Partner
Experience is important, but there are four requirements you should demand of the ITAD company you partner with. They are protecting the environment, maximizing the resale value of remarketed items, keeping information private, and securing data from start to finish. These four items are all critically important to the success of your decommissioning project.
Find a company that will get you the most money for the items you’re remarketing. If there is any life left in the electronics you’re disposing of, you want to get the highest possible value. Refurbishing and reselling these items can help cover the cost of a data center decommissioning.
Remarketing is good, but you also need a company that follows current regulations and even goes above and beyond to remove all traces of data from the recycled items. You want to make sure environmental protections are adhered to. You want to know that any subcontractors that are hired are carefully vetted and maintain the same level of security your ITAD provider guarantees.
Use care when choosing a company for your data decommissioning needs. You don’t want to make a costly mistake and end up paying millions in fines. How do you avoid these mistakes? Look for a data decommissioning team that follows e-Stewards, ISO 9001, NAID, and R2 standards and has certifications in these areas.
ERI holds those certifications and several others. We work with you to make sure your company’s data decommissioning process goes smoothly. We incorporate other services like remarketing to help cover the cost. Most importantly, we make it our goal to handle every minute of the decommissioning with as little disruption to your business operations as possible.