Data destruction belongs at the top of your business's "things to plan" list. Paper records, storage devices, and electronic equipment that are no longer needed can't simply be thrown away, and a professional data destruction process is not optional. If you haven't thought about how you handle end-of-life devices, now is the time.
Go back 10 years to 2010. At that point, roughly 2 zettabytes of data had been created. What's a zettabyte? A trillion gigabytes, so two zettabytes is a lot of information. Now skip forward to 2020: in just 10 years, data creation has grown to an estimated 59 zettabytes. That information sits in cloud services, hard drives, USB sticks, and many other devices.
People often assume that restoring a device to factory settings deletes its data, or that erasing files is enough. Neither reliably does: a reset or a delete typically removes only the file system's references to the information, while the data itself stays on the media and can be recovered with ordinary forensic tools until it is overwritten. (The exception is a device whose storage was encrypted and whose reset discards the key, which is a cryptographic erase.) Some companies also take shortcuts on keeping records of which electronic items were recycled. If your business is "deleting" data that way before giving away or selling old electronics, you're making a mistake.
What data does your business store? Any data containing your clientele’s or employees’ personal information must be secured. Before you dispose of old, unused electronics, professional data destruction is essential.
Don't take the chance of destroying the data on your own. Done ad hoc, it is easy to get wrong: the wrong method for the media, no verification that the data is actually gone, no record of what was destroyed. If someone recovers information that wasn't properly destroyed, you face not only large fines but also damage to your company's reputation.
Reputational damage deserves particular attention. It's estimated that about 60% of small and medium-sized companies hit by a data breach go out of business within six months. Partnering with a professional data destruction firm lowers both the risk of fines and the risk of lost business.
How Much Could You Pay?
How much can companies pay in fines? It varies. If you handle medical records, improperly destroyed data can violate HIPAA, and HIPAA penalties can reach $1.5 million per year for violations of a single provision.
Financial institutions are bound by the rules of the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act. While FCRA fines can be as high as $3,756 per violation, Gramm-Leach-Bliley Act violations come with penalties of up to $1.1 million. Here are some of the fines levied on companies that violated data destruction and e-recycling regulations.
Affinity Health Plan agreed to pay about $1.2 million over a 2010 incident in which the information of more than 344,000 people was found on the hard drives of photocopiers the managed care provider had leased. The copiers had been returned to the leasing company without their drives being wiped, as HIPAA requires.
Between 2013 and 2015, hundreds of Home Depot stores were caught sending batteries, fluorescent light bulbs, paint, and unused electronics to local landfills. Beyond the environmental violations, some of the discarded electronic devices are believed to have held customer information. The company was fined $18.5 million and had to pay close to $10 million more toward environmental projects and compliance measures ordered by the courts.
Morgan Stanley learned the importance of proper data destruction the hard way. The company was fined $60 million for failing to dispose of electronic data correctly when it decommissioned two data centers. It had hired a vendor to help with the decommissioning, but it neither tracked the customer data stored on the hardware nor oversaw where the hardware went. After an initial warning, a similar failure occurred several years later, and the fine followed.
Sometimes fines aren't imposed immediately, but court-ordered actions are. Australia's Commonwealth Bank lost magnetic storage tapes containing records for upwards of 20 million customers. The bank believes the tapes were destroyed, but it never obtained proof of destruction. As a result, it was ordered to improve its security practices and warned that fines would follow if it did not reach full compliance.
What Professional Data Destruction Entails
What methods make sure data is wiped and impossible to retrieve? There are three main ones, and the right choice depends on the type of media.
- Data Destruction Software: A program overwrites every addressable sector of the drive with a fixed or random pattern, then reads the drive back to verify that nothing else remains. NIST SP 800-88 Rev. 1 treats one verified pass as sufficient for modern magnetic drives; the old multi-pass schemes add time, not security. Overwriting cannot reach sectors the drive has already remapped, and on SSDs, USB sticks, and other flash media it misses over-provisioned and wear-levelled blocks, so those need the drive's built-in sanitize or secure-erase commands (or a cryptographic erase) instead. Once the overwrite is verified, the drive can be reused or resold.
- Degaussing: A high-strength magnetic field scrambles the magnetic domains on hard disk platters and tape, erasing the data and leaving the drive permanently unusable. For magnetic media this is a stronger guarantee than overwriting, because it doesn't depend on the drive's electronics being able to reach every sector. It does nothing to SSDs, USB flash, or other solid-state media, which store data electrically rather than magnetically; those must be purged with sanitize commands or shredded.
- Shredding: Drives are fed into industrial shredders that chop them into small fragments. The drive can never be used again, and the metal, plastic, and glass fragments go into the recycling stream for reuse. For SSDs the fragment size matters: data survives on any flash chip that comes through intact, so the shred must be fine enough to destroy the individual chips.
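The overwrite method above, with the verification step and the per-device record that feeds the inventory and certificate discussed later on this page, looks like this in practice. This is an added example written for this article, not ERI's tooling or any vendor's product; it assumes Linux/POSIX, Python 3, and a path that is either a disk image or a block device you can write to (for example /dev/sdX when run as root). The asset tag, serial number, and 8 MiB image in the demo are constructed placeholders.

```python
"""Single-pass overwrite in the sense of NIST SP 800-88 Rev. 1 "Clear", a full
read-back verification, and a destruction record for the inventory.

Caveat (see the text above): overwriting cannot reach remapped sectors, and on
SSDs/USB flash it misses over-provisioned and wear-levelled blocks. For those
use the drive's own commands (ATA SECURITY ERASE via `hdparm --security-erase`,
NVMe `nvme sanitize` / `nvme format`) or cryptographic erase, and still verify.
Drives that cannot be read back in full go to degaussing (magnetic) or shredding.
"""
import os
import time

CHUNK_SIZE = 1024 * 1024  # 1 MiB per write/read keeps memory use flat on large devices


def _device_size(fd: int) -> int:
    """Bytes in a regular file or block device (os.path.getsize reports 0 for /dev/sdX)."""
    size = os.lseek(fd, 0, os.SEEK_END)
    os.lseek(fd, 0, os.SEEK_SET)
    return size


def overwrite_with_pattern(path: str, pattern: int = 0x00) -> int:
    """Overwrite every byte at `path` in place with the byte `pattern`; return bytes written.

    Opened without truncation on purpose: truncating or recreating the file would allocate
    new blocks and leave the old data untouched on the media.
    """
    fill = bytes([pattern]) * CHUNK_SIZE
    fd = os.open(path, os.O_WRONLY)
    try:
        size = _device_size(fd)
        written = 0
        while written < size:
            # os.write may write fewer bytes than asked; loop until the device is covered.
            written += os.write(fd, fill[: min(CHUNK_SIZE, size - written)])
        os.fsync(fd)  # do not trust the write cache; make the data reach the media
    finally:
        os.close(fd)
    return written


def verify_pattern(path: str, pattern: int = 0x00):
    """Read the whole device back; return (True, -1) or (False, offset of first stray byte).

    The read-back is what separates "we ran the tool" from "the media no longer holds the
    data", which is the claim a certificate of destruction actually makes.
    """
    expected = bytes([pattern]) * CHUNK_SIZE
    offset = 0
    fd = os.open(path, os.O_RDONLY)
    try:
        if hasattr(os, "posix_fadvise"):  # best effort: read from the device, not the page cache
            os.posix_fadvise(fd, 0, 0, os.POSIX_FADV_DONTNEED)
        while True:
            chunk = os.read(fd, CHUNK_SIZE)
            if not chunk:
                return True, -1
            if chunk != expected[: len(chunk)]:
                first_bad = next(i for i, b in enumerate(chunk) if b != pattern)
                return False, offset + first_bad
            offset += len(chunk)
    finally:
        os.close(fd)


def sanitize_and_record(path: str, asset_tag: str, serial: str, pattern: int = 0x00) -> dict:
    """Clear one device and return the record that goes into the inventory / certificate.

    `asset_tag` and `serial` are whatever the inventory captured before the device left its
    rack; they tie the record to a physical unit. A failed verification is flagged for
    physical destruction rather than reported as sanitized.
    """
    stamp = lambda: time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime())
    started = stamp()
    written = overwrite_with_pattern(path, pattern)
    ok, first_bad = verify_pattern(path, pattern)
    return {
        "asset_tag": asset_tag,
        "serial": serial,
        "device": path,
        "method": "NIST SP 800-88 Rev. 1 Clear: single-pass overwrite, full read-back verify",
        "pattern": f"0x{pattern:02x}",
        "bytes_written": written,
        "verified": ok,
        "first_unverified_offset": first_bad,
        "disposition": "reuse/resale" if ok else "ESCALATE: physical destruction",
        "started_utc": started,
        "finished_utc": stamp(),
    }


if __name__ == "__main__":
    import json, tempfile

    # Demo on a throwaway 8 MiB image of random bytes (constructed input, not a real drive).
    with tempfile.NamedTemporaryFile(delete=False, suffix=".img") as img:
        img.write(os.urandom(8 * 1024 * 1024))
    try:
        print(json.dumps(sanitize_and_record(img.name, "ASSET-0001", "SN-EXAMPLE"), indent=2))
    finally:
        os.unlink(img.name)
```

The record is deliberately a plain dictionary so it can be appended to whatever inventory system tracks the asset tag and serial number; the point is that "verified" is computed from a read-back of the media, not from the overwrite tool's exit status, and that a device which fails verification is routed to degaussing or shredding instead of being listed as clean.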
Before any of this is done, the data destruction company starts the paper trail: an inventory of every device to be destroyed or refurbished, recording at least the make, model, serial number, and asset tag. It should be captured before the devices leave your site, so that anything that goes missing in transit is noticed.
If hard drives, storage, and electronic items are sent to an e-waste facility for processing, real-time tracking matters. Shipper tracking numbers keep the items' location known in transit, and tracking continues inside the facility as items move from one processing area to the next, so the chain of custody is unbroken from your rack to destruction.
After the data is destroyed, items may be refurbished for resale. If there is still life in an electronic item, repairing it and selling it as a refurbished item makes sense. It puts money back in your hands, which helps recoup some of the cost of hiring professional data destruction services. Repairing and refurbishing also keep an item from entering the waste stream.
Once each item is fully processed, a certificate of destruction is issued, listing the serial numbers and the method used. Keep it: it is your proof that you took the right steps and were compliant with current regulations. Companies like Commonwealth Bank that lack such proof have a much harder time showing they were compliant and may end up losing money and facing lawsuits.
Professional Data Destruction Keeps Up With Regulatory Changes
The final reason to partner with a professional ITAD provider is that regulations change. If you're not up to date on them, you could make a costly mistake. ITAD providers track the laws and keep their processes compliant, which is less hassle for you and makes sure your data destruction project is done correctly.
Make sure you partner with the best ITAD provider. How do you know you've chosen well? Look for certifications such as NAID AAA, R2, e-Stewards, and ISO 9001. These are awarded only to recyclers that pass third-party audits (NAID AAA includes unannounced audits) covering legal compliance, environmentally responsible practices, and security at every stage of data destruction; note that ISO 9001 attests to quality management rather than security on its own. Ask to see current certificates rather than taking a logo on a website at face value.
ERI is a NAID-certified data destruction expert. We destroy data at one of four levels, starting with Standard Compliance, which follows the NIST SP 800-88 Rev. 1 guidelines. Done properly and verified, this removes the practical risk of your data falling into the wrong hands.
Certifications are great, but they’re not the only factor to consider. Reputation is everything. Find out who has partnered with the company in the past. ERI has helped companies like Best Buy, Motorola, Pitney Bowes, Samsung, and the USPS with their data destruction and/or e-recycling needs. Call us to discuss data destruction in your place of business or one of our secure facilities.