As a business owner, responsible data destruction is critical. Confidential data for your patients, clients, employees, and stakeholders cannot fall into the wrong hands. If it does, the fines you face are costly. Just look at how much Morgan Stanley has paid in fines and class action settlements, and you get an idea of just how important it is to make sure data is destroyed.
Financial losses are one thing, but there’s also the blow to your reputation. You want people to trust you. If you aren’t being extremely proactive in choosing the right methods for data destruction, your reputation is at stake.
We have some food for thought. You might think that you’re safe if several years have passed since you recycled electronic equipment. It’s been seven years, so if anything happens now, it’s not your problem, right? That’s not the case. The International Secure Information Governance & Management Association states, “There is no statute of limitations or safe harbor for improperly discarded IT assets.”
If someone finds a hard drive you left in a box in an abandoned storage unit and pulls private information from it 10 years later, you’re still liable. Proper ITAD (IT asset disposition) practices are everything to your business, so don’t take shortcuts or use a vendor without properly vetting them.
How Is Data Destroyed?
Any electronic device used by your business, organization, or medical practice must have data destroyed before you do anything else. A factory restore is not enough. You need an IT team or department that creates a plan for disposing of unneeded electronic equipment like computers, printers, tablets, phones, and external hard drives.
The plan should include how items are collected, how to log everything that is sent for e-recycling or data destruction, and what happens once items need to be recycled or refurbished and sold to regain some of their value. Data destruction is completed using one of these methods:
Cryptographic erasure relies on the data having been stored encrypted with a secure algorithm: without the encryption key, what remains on the media is unreadable. Once the process is done, the key itself is destroyed, making it impossible to ever access the information.
Degaussing is a form of data destruction that’s only applicable to magnetic media, such as magnetic tape. Strong magnets are used to disrupt the magnetic particles on the media, rendering it unreadable. Degaussing will not work on non-magnetic drives, such as SSDs.
Shredding is the best form of data destruction. Hard drives, thumb drives, CDs, etc. are placed in shredders that chop the item into tiny pieces. The particles can then be sorted and recycled. If you plan to sell items, shredding may not be a viable option. An expert like ERI is able to determine which items have value and refurbish them after sanitizing the data using methods like wiping or degaussing.
Thermal data destruction uses heat to melt down devices or to destroy magnetic storage. It’s not as commonly used because it takes extremely high temperatures and can produce fumes that require special air filters to keep them out of the environment.
Overwriting is what happens if you do a factory restore. There is a chance that the data could eventually be recovered by someone with the expertise. Wiping uses data sanitization algorithms to overwrite sensitive data over and over. The patterns are completely random and repeated enough times that it’s hard to retrieve the data from the device.
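As an added illustration (not ERI’s tooling or the page’s own code), the following Python simulates the wipe-then-verify cycle behind the overwriting method, and returns the kind of entry the destruction log mentioned above, and later a certificate, is built from. It assumes a temporary file standing in for a drive, a constructed patient record as the sensitive content, and a hypothetical asset tag; a file on an SSD does not behave like a raw block device, so this shows the verify-and-document step, not a drive sanitizer.

```python
import hashlib
import os
import tempfile
from datetime import datetime, timezone
from pathlib import Path

CHUNK = 64 * 1024  # write granularity for the simulated medium

def overwrite(path, passes=1):
    """Overwrite every byte with fresh random data, `passes` times, fsyncing each pass."""
    size = os.path.getsize(path)
    for _ in range(passes):
        with open(path, "r+b") as f:
            written = 0
            while written < size:
                chunk = os.urandom(min(CHUNK, size - written))
                f.write(chunk)
                written += len(chunk)
            f.flush()
            os.fsync(f.fileno())

def verify_clear(path, before_sha256, marker):
    """Full read-back: contents must differ from before and the marker must be gone."""
    data = Path(path).read_bytes()
    return hashlib.sha256(data).hexdigest() != before_sha256 and marker not in data

def sanitize_and_record(path, asset_tag, passes=1, marker=b""):
    """Overwrite, verify, and return the entry a destruction log or certificate is built from."""
    before = hashlib.sha256(Path(path).read_bytes()).hexdigest()
    overwrite(path, passes)
    return {
        "asset_tag": asset_tag,  # hypothetical inventory identifier
        "method": "overwrite",
        "passes": passes,
        "verified": verify_clear(path, before, marker),
        "timestamp": datetime.now(timezone.utc).isoformat(),
    }

def demo():
    marker = b"PATIENT: Jane Doe, DOB 1970-01-01\n"  # constructed sensitive content
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(marker * 4096)  # ~140 KB file standing in for a drive
        path = tmp.name
    # A real SSD remaps blocks, so overwriting a file proves nothing about the flash.
    try:
        return sanitize_and_record(path, "ASSET-0001", passes=2, marker=marker)
    finally:
        os.unlink(path)
```

A record whose `verified` field is False should block the asset from leaving the chain of custody rather than being quietly logged.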
What Are CCPA and GDPR Regulations?
How do you know the right method for data destruction? It comes down to your business or organization. There are government regulations that apply to many businesses. CCPA and GDPR are two you should know.
The California Consumer Privacy Act (CCPA):
The CCPA applies to any business that collects data, does business in California, or meets any of these items:
- Exceeds $25 million in annual gross revenues
- Buys, sells, or receives PII for more than 100,000 people or households
- Earns more than half of its revenue selling personal information from consumers
People have the right to opt out of information being collected using a “Do Not Sell My Personal Information” link you have to put on your business website’s homepage. Once a person has opted out, you cannot ask them again for 12 months. Personal data includes but is not limited to:
- A person’s real name
- Mailing or legal address
- Date of birth
- Physical characteristics
- Driver’s license or passport number
- License plate number
- Email address
- IP address
- Phone number
Penalties for companies that lose private information due to a security breach or theft can be tremendously high. It’s a fine of up to $2,500 for each unintentional ($7,500 for intentional) violation and up to $750 per resident for victims of a data theft or breach.
General Data Protection Regulation (GDPR):
If your company or organization collects and stores any personal data, it’s your responsibility to protect it as stated in the GDPR. The rule is that you will collect data in a lawful, fair, and transparent manner. You have to then keep that data secure and protect it from “unauthorized or unlawful processing” and protect against accidental loss of that private information.
The benefits of responsible data destruction are numerous. Your company’s or organization’s sensitive information is kept out of the wrong hands. There’s no risk of people’s SSNs, bank account information, or birth dates being stolen and used for fraud.
Because there’s no risk of harm to your clients, stakeholders, employees, and customers, your reputation isn’t impacted. You’re not going to upset people, lose business, and potentially end up bankrupt or in dire financial strain.
If you are a medical office, specific criteria apply to the medical industry in terms of protecting patient data. Make sure you’re in compliance with HIPAA regulations, too.
Partner With a Data Destruction Specialist
It’s in your best interest to work with a specialist in data destruction. You want a certificate that proves data was destroyed per the required standards. ERI follows NIST 800-88 Rev1 data sanitization requirements, which is sufficient for most companies and organizations, but we can work at higher levels, such as demilitarization or high-security services.
Responsible data destruction is an essential part of data security and a critical goal for your IT team to manage. Small businesses are less likely to have an entire IT department, but you still need to have someone monitoring risks, making sure software is updated, and choosing the best ITAD partner when it’s time to recycle old office technology.
ERI is a leader in data destruction, with secure facilities across the nation. Our facilities are protected by guards, 24/7 security monitoring, and locked gates, and we have the capability to shred data at your place of business or ours. Talk to ERI about your data destruction needs and we’ll help you choose the right level of data destruction and e-recycling.