Avoiding Chain of Custody Gaps: Why CIOs Are Moving to In-House Data Destruction

April 30, 2026 at 3:25 pm by Heidi White

For today’s CIOs, data security doesn’t end at decommissioning; if anything, it becomes more complex at that point, which is why many CIOs are moving data destruction in-house.

As organizations refresh infrastructure and retire growing volumes of data-bearing devices such as hard drives, SSDs, and backup media, the focus is shifting beyond storage and protection. Increasingly, scrutiny is landing on how data is destroyed, and whether that process can withstand audit and compliance review.

In modern IT environments, the integrity of the chain of custody is just as critical as the destruction method itself.

The Hidden Risk in Traditional Disposal Models

Data destruction has long been treated as a downstream task — outsourced, scheduled, and verified after completion. But that model introduces risk at every transition point. Once assets leave your facility, visibility and control decline.

Third-party destruction workflows often involve multiple handoffs from internal teams to transport vendors, processing facilities, and recyclers. Each stage increases the potential for missteps, delays, or unauthorized access. Even with documentation in place, organizations are often relying on assurances rather than direct control.

With data breaches carrying regulatory, financial, and reputational consequences, this level of exposure is becoming harder to justify.

Why Chain of Custody Is Under the Microscope

Regulatory expectations are evolving. Auditors are no longer satisfied with confirmation that data was destroyed. Instead, they want to understand how it was handled at every step.

Standards and regulations such as NSA/CSS Policy Manual 9-12, NIST SP 800-88, HIPAA, and DoD guidance emphasize consistent, verifiable processes for media sanitization. A certificate of destruction alone may not be sufficient if the chain of custody leading up to it cannot be demonstrated.

This puts CIOs in a difficult position: ensuring every device is tracked and securely handled from retirement through final destruction, without introducing inefficiencies or new vulnerabilities.


Gaining Control Through In-House Destruction

To reduce risk and improve accountability, many organizations are bringing data destruction in-house. The advantage is simple: maintaining control from start to finish.

By deploying high security destruction equipment on-site, organizations eliminate external transfers and destroy media immediately upon decommissioning within a controlled environment.

This approach supports:

  • End-to-end visibility of the destruction process
  • Immediate, verifiable destruction at point of retirement
  • Real-time tracking and audit-ready reporting
  • Consistent workflows aligned with internal policies

Rather than relying on third-party schedules and reporting, CIOs gain direct oversight of a critical control point in the data lifecycle.
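One way to make the custody record itself stand up to the audit described above, as an added example that is not SEM’s software or the process of any named vendor: every handoff is appended as a record that carries the SHA-256 of the previous record, so a missing, reordered, or edited handoff is detected when the chain is verified. The asset ID, names, timestamps, and locations are constructed sample data, and the event names ("retired", "transfer", "destroyed") are assumptions.

```python
"""Tamper-evident chain-of-custody log for retired media.

Added example, not SEM's software. Each custody event is stored with the
SHA-256 of the previous record, so an edited, reordered or missing handoff
breaks the chain and shows up at audit time. Asset IDs, people, times and
locations below are constructed sample data.
"""
import hashlib
import json
from typing import Dict, List

GENESIS = "0" * 64  # prev_hash of the first record for any asset


def _digest(fields: Dict[str, object]) -> str:
    # Canonical JSON so the hash is independent of key order and whitespace.
    canon = json.dumps(fields, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode("utf-8")).hexdigest()


def append_event(chain: List[dict], asset_id: str, timestamp: str,
                 event: str, actor: str, location: str) -> dict:
    """Append one custody event, linking it to the previous record's hash."""
    prev_hash = chain[-1]["record_hash"] if chain else GENESIS
    record = {
        "asset_id": asset_id,
        "seq": len(chain),        # dense sequence: a removed record leaves a gap
        "timestamp": timestamp,   # ISO-8601 string supplied by the caller
        "event": event,           # assumed vocabulary: retired/transfer/destroyed
        "actor": actor,
        "location": location,
        "prev_hash": prev_hash,
    }
    record["record_hash"] = _digest(record)
    chain.append(record)
    return record


def verify_chain(chain: List[dict], asset_id: str,
                 terminal_event: str = "destroyed") -> List[str]:
    """Return a list of findings; empty means the chain is intact from
    retirement through the terminal event."""
    findings: List[str] = []
    expected_prev = GENESIS
    for i, rec in enumerate(chain):
        body = {k: v for k, v in rec.items() if k != "record_hash"}
        if rec["asset_id"] != asset_id:
            findings.append(f"record {i}: belongs to asset {rec['asset_id']}")
        if rec["seq"] != i:
            findings.append(f"record {i}: sequence gap (seq={rec['seq']})")
        if rec["prev_hash"] != expected_prev:
            findings.append(f"record {i}: prev_hash does not link to record {i - 1}")
        if _digest(body) != rec["record_hash"]:
            findings.append(f"record {i}: contents do not match record_hash")
        expected_prev = rec["record_hash"]
    if not chain or chain[-1]["event"] != terminal_event:
        findings.append(f"chain does not end with a '{terminal_event}' event")
    return findings


def build_sample_chain() -> List[dict]:
    """Constructed lifecycle for one drive: retired, handed to the secure
    cage, destroyed on-site."""
    chain: List[dict] = []
    append_event(chain, "SN-ABC123", "2026-04-30T09:00:00Z", "retired",
                 "j.doe", "datacenter-row-4")
    append_event(chain, "SN-ABC123", "2026-04-30T09:20:00Z", "transfer",
                 "k.lee", "secure-cage")
    append_event(chain, "SN-ABC123", "2026-04-30T09:45:00Z", "destroyed",
                 "k.lee", "destruction-room")
    return chain


def drop_handoff(chain: List[dict], index: int) -> List[dict]:
    """Simulate a handoff record that went missing (the gap an auditor hunts for)."""
    return [dict(r) for i, r in enumerate(chain) if i != index]


def edit_record(chain: List[dict], index: int, field: str, value: str) -> List[dict]:
    """Simulate a record altered after the fact without recomputing its hash."""
    copy = [dict(r) for r in chain]
    copy[index][field] = value
    return copy


if __name__ == "__main__":
    good = build_sample_chain()
    print("intact:", verify_chain(good, "SN-ABC123"))
    print("missing handoff:", verify_chain(drop_handoff(good, 1), "SN-ABC123"))
    print("edited location:",
          verify_chain(edit_record(good, 1, "location", "loading-dock"), "SN-ABC123"))
```

A hash chain only proves that nothing changed since the last hash was computed; an insider who can rewrite every record can recompute all the hashes. Anchor the latest record_hash at each handoff somewhere the custodians cannot alter (a ticketing entry, a signed timestamp, or the destruction equipment’s own log). The terminal-event check is what turns "nothing was altered" into "the device actually reached destruction".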

From Compliance Requirement to Strategic Control

In-house destruction isn’t just a defensive move. It strengthens overall data governance.

Organizations with a closed-loop chain of custody are better positioned to:

  • Confidently demonstrate compliance during audits
  • Minimize risk tied to retired assets
  • Reinforce trust with regulators and stakeholders
  • Integrate destruction into broader cybersecurity strategies

In this context, data destruction becomes a controlled, measurable component of enterprise risk management, not just a checkbox.


The CIO Perspective

Data doesn’t lose sensitivity at end-of-life; in many cases, exposure risk increases. As data volumes grow and compliance expectations tighten, CIOs are reassessing how destruction is managed. Traditional outsourced approaches can introduce gaps that are difficult to defend under scrutiny.

Maintaining a secure, documented chain of custody is no longer optional. For many organizations, the most reliable way to achieve it is to keep the entire process in-house.

Take the Next Step

Strengthen your data destruction strategy with a controlled, audit-ready approach. Contact us today to discover how SEM helps organizations with secure in-house data destruction.

Building a Risk-Based Data Sanitization Strategy

March 10, 2026 at 6:21 pm by Heidi White

What is a Risk-Based Data Sanitization Strategy?

A risk-based data sanitization strategy is a structured approach to securely removing data from storage devices based on the sensitivity of the information, regulatory requirements, and whether the device will be reused or retired. Organizations typically choose between methods such as cryptographic erasure, degaussing, or physical destruction to ensure data cannot be recovered after equipment reaches end-of-life.

Implementing a risk-based approach helps organizations protect sensitive information, maintain regulatory compliance, and reduce the risk of data breaches when retiring IT assets.


When to Use Cryptographic Erase, Degaussing, or Physical Destruction

As organizations store more sensitive data across an ever-growing range of devices, properly sanitizing storage media has become a critical part of cybersecurity and compliance. From enterprise servers and laptops to mobile devices and removable media, every storage asset eventually reaches the end of its useful life. When it does, the data it once held must be reliably and permanently removed.

However, not every data sanitization method is appropriate for every situation. The most effective approach is a risk-based data sanitization strategy — one that evaluates the sensitivity of the information, regulatory obligations, and the intended fate of the storage device before determining the proper method of sanitization.

Understanding Risk-Based Data Sanitization

A risk-based strategy begins with a simple principle: the more sensitive the data, the stronger the sanitization method required. Organizations should assess several factors when determining how to sanitize storage media:

  • Data classification – Is the data public, proprietary, confidential, or classified?
  • Regulatory requirements – Do standards or regulations such as NIST SP 800-88, HIPAA, or government security mandates apply?
  • Device reuse vs. retirement – Will the storage device be redeployed, resold, or permanently removed from service?
  • Threat environment – What level of risk exists if data recovery were attempted?

By considering these variables, organizations can select the sanitization technique that provides the appropriate level of protection without unnecessarily destroying usable equipment.


When Cryptographic Erasure Is Appropriate

Cryptographic erase is commonly used for self-encrypting drives (SEDs) and other encrypted storage systems. In these devices, data is encrypted with a media encryption key as it is written to the drive. Sanitization is achieved by securely deleting or replacing that key.

Because the ciphertext cannot be decrypted without the key, sanitizing every copy of the key renders the stored information unreadable.

Cryptographic erasure is often used when:

  • Storage devices will be redeployed within the organization
  • Hardware needs to remain intact for continued operational use
  • Devices are part of a managed lifecycle program

While cryptographic erase is fast and leaves the hardware reusable, it rests on several assumptions: that encryption was enabled before any sensitive data was written (data stored in the clear is untouched by a key change), that the encryption itself is sound, that every copy of the key is actually sanitized, and that the drive implements its erase command correctly. For this reason NIST SP 800-88 treats verification, reading the media back after sanitization, as part of the process. For higher-risk environments, organizations may require additional verification or an alternative sanitization method.
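The read-back verification the preceding paragraph refers to, as an added example that is not SEM’s or any drive vendor’s code: after a cryptographic erase every sector that holds data should come back as noise, so the scan flags sectors that still show structure and sectors where a marker the operator wrote before the erase is still legible. The device images are constructed byte strings standing in for a block device; the marker string, sector size, and entropy threshold are assumptions. The same routine also covers an overwrite, where the expected result is blank sectors rather than noise.

```python
"""Read-back verification after a cryptographic erase.

Added example, not SEM's or any drive vendor's code. After a crypto erase
the drive decrypts the old ciphertext under a new key, so every sector that
holds data should read as noise. A sector that still shows structure (low
entropy), or still contains a marker the operator wrote before the erase,
means data sat on the media in the clear, e.g. written before encryption
was enabled. The images here are constructed byte strings standing in for
a device; a real run reads the block device in sector-sized chunks.
"""
import math
import random
from collections import Counter
from typing import Dict, List, Sequence

SECTOR_SIZE = 512      # assumption; match the device's logical block size
MIN_ENTROPY = 6.0      # bits/byte; 512 random bytes measure about 7.6
MARKER = b"SANITIZE-CHECK-7f3a"   # constructed tag written to the drive before the erase


def shannon_entropy(block: bytes) -> float:
    """Plug-in Shannon entropy in bits per byte: 0.0 for a constant block,
    8.0 only when all 256 byte values are equally frequent."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def verify_sanitized_image(image: bytes, markers: Sequence[bytes] = (),
                           min_entropy: float = MIN_ENTROPY,
                           sector_size: int = SECTOR_SIZE) -> Dict[str, object]:
    """Scan every sector; return counts plus a list of findings (empty = pass).

    Constant sectors (every byte the same, typically 0x00 or 0xFF) count as
    blank, not as a leak: unmapped LBAs on an SSD commonly read back that
    way. Structured sectors and surviving markers are findings.
    """
    findings: List[str] = []
    blank = total = 0
    for off in range(0, len(image), sector_size):
        sector = image[off:off + sector_size]
        lba = off // sector_size
        total += 1
        if len(set(sector)) == 1:
            blank += 1
            continue
        ent = shannon_entropy(sector)
        if ent < min_entropy:
            findings.append(f"LBA {lba}: entropy {ent:.2f} bits/byte, structured data still readable")
        for m in markers:
            if m in sector:
                findings.append(f"LBA {lba}: pre-erase marker {m!r} survived")
    return {"sectors": total, "blank": blank, "findings": findings}


def build_clean_image(sectors: int = 64, seed: int = 1) -> bytes:
    """What a successful crypto erase reads back: noise in every used sector
    plus one blank (unmapped) sector at LBA 10. Constructed data."""
    rng = random.Random(seed)
    out = bytearray(rng.randbytes(sectors * SECTOR_SIZE))
    out[10 * SECTOR_SIZE:11 * SECTOR_SIZE] = b"\x00" * SECTOR_SIZE
    return bytes(out)


def build_leaky_image(sectors: int = 64, seed: int = 1) -> bytes:
    """Same image, but LBA 5 holds a record written while encryption was off
    and LBA 6 holds the operator's marker: both survive the key change."""
    out = bytearray(build_clean_image(sectors, seed))
    record = (b"PATIENT-ID=000123;DOB=1970-01-01;NOTE=constructed sample;" * 16)[:SECTOR_SIZE]
    out[5 * SECTOR_SIZE:6 * SECTOR_SIZE] = record
    out[6 * SECTOR_SIZE:7 * SECTOR_SIZE] = (MARKER + b" ").ljust(SECTOR_SIZE, b"\x00")
    return bytes(out)


if __name__ == "__main__":
    print("clean:", verify_sanitized_image(build_clean_image(), markers=[MARKER]))
    print("leaky:", verify_sanitized_image(build_leaky_image(), markers=[MARKER]))
```

Entropy alone cannot tell ciphertext from plaintext that the application had already compressed or encrypted, which is why a known marker is written before the erase and searched for afterwards; a marker that straddles a sector boundary is missed by the per-sector search, so write it well inside a sector. On multi-terabyte drives a sample of a few hundred sectors is the usual compromise; the full scan here is what you would run on a representative test drive before trusting the erase command.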

When Stronger Sanitization Methods Are Needed

In many cases — particularly when dealing with highly sensitive or regulated data — organizations choose methods that physically alter or destroy the storage media itself.

Degaussing

Degaussing uses a powerful magnetic field to disrupt the magnetic domains on a hard disk drive, permanently erasing the stored data. This method is commonly used for classified or highly sensitive information and is often required under strict security protocols. The degausser’s field strength must be matched to the coercivity of the media being erased, and degaussing has no effect on flash-based media such as SSDs, which must be sanitized by other means.

Once a hard drive is properly degaussed, the data is unrecoverable and the drive itself is rendered inoperable.

Physical Destruction

Physical destruction provides the highest level of assurance when data must be eliminated completely. Media shredders, disintegrators, and crushers break storage devices into fragments so that data cannot be reconstructed, provided the particle size is appropriate for the media: an intact memory chip on a shattered SSD board can still be read, so solid state media requires a far smaller particle than a magnetic platter.

This method is often required when:

  • Devices are being retired permanently
  • Data classification is highly sensitive or regulated
  • Organizational policy requires complete media destruction

Physical destruction is widely used for solid state drives, hard drives, optical media, and mobile devices.

Creating a Layered Sanitization Strategy

Rather than relying on a single technique, many organizations implement layered sanitization practices. For example:

  • Cryptographic erase for equipment that will remain in controlled environments
  • Degaussing for magnetic media containing sensitive data
  • Physical destruction for retired or highly regulated devices

This layered approach ensures that each asset receives the appropriate level of protection based on risk, compliance requirements, and operational needs.


Making Data Sanitization Part of the IT Lifecycle

One of the most common mistakes organizations make is treating data destruction as an afterthought. Instead, sanitization policies should be incorporated into every stage of the IT asset lifecycle, including procurement, deployment, redeployment, and retirement.

Clear procedures, documented chain-of-custody practices, and validated sanitization technologies help organizations maintain compliance while protecting sensitive information from unintended exposure.

Secure Data Destruction with SEM

SEM provides organizations with the tools needed to securely sanitize and destroy data-bearing media. From NSA-listed degaussers to high security shredders and enterprise media destruction systems, SEM solutions help government and commercial organizations confidently eliminate sensitive data at end-of-life.

Implementing a risk-based sanitization strategy ensures that data protection continues even after devices leave active service — closing a critical gap in modern cybersecurity.

eBook: Media Sanitization — Best Practices for Organizations

Stay informed on today’s data destruction standards across government and commercial sectors. Our Media Sanitization — Best Practices for Organizations e-book delivers clear, practical guidance to help you strengthen your compliance strategy.

A Country in Crisis: Data Privacy in the US

March 4, 2020 at 4:17 pm by Heidi White

In 2019, the United States had the highest average cost per data breach of any country at $8.19 million (IBM Security and Ponemon Institute, 2019), and healthcare data breaches affected 80% more people than just two years earlier, in 2017 (Statista, 2020). In today’s data-driven environment, it seems not a day goes by without news of a data breach or leak. Data privacy in the US is a growing problem caused primarily by the exponential increase in digital data, the trend of moving data storage to the cloud, and the lack of a federal data privacy regulation.

Over the past several years, digital data has been increasing at an unprecedented rate. To put it into perspective, in 2019 the overall global population increased at just over 1% to 7.7 billion, while the number of unique mobile phone users increased by 2% to 5.8 billion. In addition, the number of internet users increased 9% to 4.4 billion, which is 57% of the global population. (Hootsuite & We Are Social 2019). As global urbanization continues, the sheer number of people utilizing data in their day-to-day lives will continue to grow. Combining personal use with the fact that nearly all businesses have a website and run their organizations using computers, it becomes clear that the use of data will only continue to increase in the coming years. All of this data, which moves across continents in seconds, needs to be stored and managed somewhere. This exponential increase in the use of digital data has required an equally aggressive increase in data storage capabilities.

As digital data increases, so does the trend of moving data storage to the cloud. Often misunderstood, the cloud is not some mystical cumulus floating in the sky with ones and zeros suspended in it. Rather, the cloud is nothing more than large data centers that house racks and racks of servers and drives that run 24/7. These constantly moving parts create an immense amount of heat, so data centers rely on massive cooling systems to keep temperatures down. Data centers therefore consume an enormous amount of energy, making them expensive to operate. While larger businesses previously owned their own data centers or used in-house data storage, there has been a rapid shift to cloud service providers over the past five years. From 2017 to 2019, the number of cloud service data centers rose from 7,500 to 9,100, with 2020 expected to see that number top 10,000. On the flip side, there were 35,900 data centers owned by non-technology firms in 2018, and that number is expected to decline significantly to 28,500 by the end of 2020. In fact, the share of large companies in North America shifting away from their own data centers to cloud service providers is expected to increase from 10% in 2017 to 80% by 2022. (Loten, A. 2019). The move to cloud service providers is further evidenced by the increasing number of mergers and acquisitions in the cloud service sector. But how does this affect data privacy? It puts the onus of maintaining data privacy in the hands of technology giants rather than the individual organizations that know a breach could literally destroy their businesses. As data increases exponentially and its storage shifts inexorably to the cloud, concerns over data security and privacy escalate in parallel, leading to much-needed data privacy legislation.

In 2018, the European Union (EU) implemented the General Data Protection Regulation (GDPR) in an effort to protect the privacy of European consumers. And while Canada had implemented the similar Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, GDPR proved to be far more aggressive legislation, both in reach and in monetary penalty. GDPR applies to any organization that processes the personal data of individuals in the EU, meaning that global organizations such as Apple, Facebook, and Google, as well as smaller US companies that sell to Europeans, are required to follow it. Since it took effect in May 2018, GDPR has produced hundreds of millions of euros in fines, and enforcement is only getting more aggressive; however, GDPR only reaches organizations that deal with people in the EU. Conversely, the United States has fallen behind in data privacy legislation, leaving the onus of maintaining data privacy to individual states. As of February 2020, only California, Nevada, and Maine had implemented data privacy legislation, with only the California Consumer Privacy Act (CCPA) requiring deletion of personal data on request, similar to GDPR. (Noordyke, M. 2020). Considering that well over half of all global data breaches occur in the United States and, as previously discussed, those breaches are increasing with the exponential growth in global data, the lack of a federal data privacy law is concerning. Unlike their European counterparts, Americans are largely left to their own devices when it comes to data privacy and have little recourse when a breach occurs. In fact, one of the largest breaches of 2012 occurred at major online retailer Zappos, affecting 24 million customers. In 2019, the agreed-upon settlement of a class action lawsuit compensated the affected individuals with a 10% Zappos discount code that was only good through 31 December 2019. Needless to say, a 10% discount code (which actually helps Zappos rather than punishes them) in exchange for breached personal data hardly seems equitable. (Doe, D. 2019). Until the United States takes federal data privacy as seriously as its European and Canadian counterparts, the privacy and security of American citizens will continue to erode.

Data privacy and security are serious and growing global issues, even more so in the United States, where the bulk of data breaches occur. As more and more people embrace technology, the need for data storage increases, driving the need for larger and faster data centers. Additionally, the dramatic shift from on-premises to cloud storage only exacerbates the data privacy problem by relying on technology giants to protect organizations’ consumer data. Breaches will only escalate in line with our digital footprint, of that there is no question. Without a federal data privacy law, the privacy of American citizens’ data will continue to be at serious risk. And 10% off a pair of shoes simply isn’t the answer.

 

Heidi White is Director of Marketing at SEM and is a self-proclaimed data security fanatic. Contact Heidi at h.white@semshred.com.

 

References

IBM Security and Ponemon Institute (2019). Cost of a Data Breach Report. Retrieved from https://www.ibm.com/security/data-breach

Statista (2020). Number of U.S. residents affected by health data breaches from 2014 to 2019. Retrieved from https://www.statista.com/statistics/798564/number-of-us-residents-affected-by-data-breaches/

Hootsuite & We Are Social (2019), Digital 2019 Global Digital Overview. Retrieved from https://datareportal.com/reports/digital-2019-global-digital-overview

Loten, A. (2019, August 19). Data-Center Market Is Booming Amid Shift to Cloud. Wall Street Journal. Retrieved from https://www.wsj.com/articles/data-center-market-is-booming-amid-shift-to-cloud-11566252481

Noordyke, M. (2020). US State Comprehensive Privacy Law Comparison. Retrieved from https://iapp.org/resources/article/state-comparison-table/

Doe, D. (2019, October 18). Zappos data breach settlement: users get 10% store discount, lawyers get $1.6m. Retrieved from https://www.databreaches.net/zappos-data-breach-settlement-users-get-10-store-discount-lawyers-get-1-6m/

Best Practices in Drafting a Data Decommissioning Policy

February 21, 2020 at 4:39 pm by Heidi White

The amount of data that a company, agency, or individual possesses will continue to exponentially grow as time marches forward. When drives reach their end-of-life through failure, technological obsolescence, or routine upgrade, organizations are faced with several choices on how to dispose of that data securely.


In-Depth Guide to Federal Data Destruction Regulatory Requirements

at 4:36 pm by Heidi White

Data security encompasses all aspects of information protection and has been an integral part of federal policy since the Social Security Act of 1934 made it illegal to disclose an individual’s social security number and personally identifiable information (PII). Since then, numerous federal programs and processes specific to the privacy and security of personal, financial, health, and intelligence information have been instituted.


Security Engineered Machinery Announces Two Key Hires

January 8, 2020 at 7:33 pm by Heidi White
David DiTullio, VP of Finance, and David Wesolowski, Director of Operations

Security Engineered Machinery is pleased to announce that David DiTullio and David Wesolowski have joined the team as Vice President of Finance and Director of Operations, respectively. The announcement was made by Andrew Kelleher, President and CEO of SEM.

David DiTullio joins SEM with over two decades of manufacturing finance experience, most recently as Director of Financial Planning and Analysis at Oxford Instruments. He has held similar roles at NEC Energy Solutions, UTC Fire and Security, and Nypro, Inc. In his role as VP of Finance at SEM, Mr. DiTullio will be responsible for all financial aspects of the company including financial management, cost accounting, information technology, and cash management. Mr. DiTullio received both a BS in Economics-Finance and an MBA in Corporate Finance from Bentley College.

David Wesolowski has 20 years of experience as an operations leader focused on increasing efficiency and productivity while improving company culture. Prior to joining SEM, Mr. Wesolowski worked for Thermo Fisher Scientific, most recently as Director of Operations and Site Leader. With proven experience in business acumen, improving the customer experience, employee engagement and development, and project management, Mr. Wesolowski will be primarily responsible for engineering, procurement, service, manufacturing, and warehouse operations. Mr. Wesolowski received a BS in Business Administration from Roger Williams University and an MBA from Bryant University.

“David DiTullio brings 23 years of finance experience to the team with targeted expertise in leadership, analysis and forecasting, cost accounting, and financial reporting in the manufacturing sector,” said Mr. Kelleher. “Just as impressive, David Wesolowski has over 20 years of multi-faceted operations experience with targeted expertise in operational efficiency, lean manufacturing, client relations, teambuilding, and metric management and reporting. Both Davids’ impressive experience is complemented by their exemplary personal attributes including integrity, dedication, and positivity, making them a perfect fit for SEM.”

Mr. DiTullio and Mr. Wesolowski will be working out of the company’s corporate headquarters in Westborough, MA.

Gingerbread Smackdown!

December 23, 2019 at 8:26 pm by Heidi White

Here at SEM, we not only enjoy providing superior service and products to our clients, but also love having fun. This holiday season, we decided to have a gingerbread house competition and to allow our social media friends to vote on the winner. All seemed to be moving smoothly and easily at first: we asked for signups, made our teams, and scheduled the event for 20 December. Employees signed up to bring snacks and cider, the Culture Committee purchased gingerbread house kits for participants, and gingerbread builders were asked to bring in decorations for their houses.

That’s when things got a little heated.

Next thing we knew, employees were rushing into work with bags of candy clandestinely tucked beneath their winter coats, water cooler conversations abruptly ended if a rival team member approached, and whispers about stained glass made out of Jolly Ranchers (!) could be heard.


On the day of the event, spirits were high and everyone was excited to get to work. Team #1 made a classic gingerbread house with marshmallow snow, a candy cane sign, and even a brick walkway. Rival team members cried foul when they saw the brick walkway, crying out, “Paper isn’t edible! Disqualified!” However, after an intensive internal review, the Culture Committee clarified the rules stating that there were no rules, and the competition continued.

Team #2 decided to create a non-traditional gingerbread house, and we will just leave that one right there.

Team #3 went all out with a complete gingerbread train, gingerbread tree, and gingerbread man. They made train tracks out of black licorice and brought glittery snow to put under it all. Rival teams (of course) called foul on the gingerbread train since it wasn’t “regulation” size, but the Culture Committee reiterated the rules – there are no rules – and the competition continued.


Throughout all of the bantering about regulation gingerbread trees and unfair paper walkways, and while Team #2 made their… well, let’s call it a modern art creation, Team #4 quietly and diligently worked to create their masterpiece, a traditional candy house complete with stained glass windows (yes, they went there), custom frosted trees, a pretzel fence, and Santa on the roof.


At the completion of the competition, we turned to social media for votes, and did our clients, friends, and family ever show up! After a weekend of voting, Team #4 was crowned the winner of the gingerbread house competition. And while the prize is lunch out for the winning team, the real prize is bragging rights.

And there has been plenty of bragging, to which the rest of us say, “Until next year…”

Happy Holidays!

Security Engineered Machinery Introduces Dual Shredder for Classified and CUI Paper and Optical Media Destruction

August 12, 2019 at 10:15 am by Heidi White

OfficeShredHS satisfies industry need for an all-in-one NSA listed paper and optical media shredder that meets the NSA’s new DVD and Blu-ray Disc destruction requirement

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to introduce the OfficeShredHS dual paper and optical media shredder. This sleek, user-friendly device is specifically designed for the destruction of classified and controlled unclassified information (CUI) on paper, CDs, DVDs, and Blu-ray Discs (BDs) in office environments.

“Since the NSA released the new DVD and BD specification in late 2018, the market has lacked an NSA listed combination machine that destroys both paper and optical media in office environments,” said Bryan Cunic, SEM Director of Customer Care. “Being an industry innovator for over 50 years, it is no surprise that SEM engineered the OfficeShredHS to fill that gap.”

Sporting an attractive cabinet that houses SEM’s NSA listed 1324C/3 paper shredder and SEM’s NSA listed 0200-OMD/SSD optical media shredder, the OfficeShredHS quickly and efficiently destroys paper to a 1 mm x 5 mm particle and optical media to a 2 mm particle, both NSA requirements for classified data destruction. In addition, the OfficeShredHS meets the Information Security Oversight Office (ISOO) 32 CFR Part 2002 “Controlled Unclassified Information” directive requiring that all Executive Branch agencies destroy CUI paper to a 1 mm x 5 mm particle.

SEM’s 1324C/3 NSA listed paper shredder accepts up to four sheets of paper per pass, with a 1-hour durability rating of five reams. Constructed with rugged steel cutting heads, safety and convenience features, and whisper quiet functionality, the 1324C/3 is a time-tested, low volume, high security paper shredder. SEM’s 0200-OMD/SSD NSA listed optical media shredder provides efficient destruction of low volumes of classified CDs, DVDs, BDs, and solid state devices such as EMV credit cards, magnetic stripe cards, Common Access Cards (CAC) IDs, and SIM cards. These two devices come together in the OfficeShredHS to provide the first NSA listed combination destruction device to meet the NSA’s new DVD/BD requirement. It also uses standard 120V electrical outlets and is TAA compliant.

“SEM’s OfficeShredHS fills the very real need for an NSA listed combination office shredder that destroys classified and CUI paper and optical media,” added Heidi White, SEM Director of Marketing. “This revolutionary device is attractive, compact, clean, portable, and quiet, making it the ideal solution for safeguarding sensitive information in government office environments.”

The OfficeShredHS has a list price of $7,499. For more information, visit www.semshred.com/product/OfficeShredHS.

Security Engineered Machinery Introduces Manual Crusher for Both HDDs and SSDs

July 30, 2019 at 12:22 pm by Heidi White

Model 0100 SSD/HDD quickly and easily destroys both rotational hard drives and solid state boards without electricity


Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the Model 0100 SSD/HDD manual solid state and rotational hard drive crusher. This new product provides an affordable, efficient solution for organizations with low volumes of hard disk drives (HDDs) and solid state drives (SSDs) requiring physical destruction.

“The 0100 SSD/HDD was designed to be a portable, cost-effective, and eco-friendly option for the efficient destruction of IT media,” said Andrew Kelleher, SEM President and CEO. “This unique device has a low profile, is quiet and clean, and operates by using a simple lever, making it a convenient, safe solution for smaller office environments.”

SEM’s Model 0100 SSD/HDD manual crusher easily destroys both rotational hard drives and solid state boards. The unit includes an SSD kit consisting of a wear plate and press plate for holding solid state boards during the crushing cycle. Manual operation makes crushing drives efficient and versatile, providing ultimate portability and ease of operation. SEM’s Model 0100 SSD/HDD exerts up to three tons of crushing force, and destruction time is five seconds or less. The heavy-duty steel anvil punctures and destroys the drive chassis and platters of HDDs as well as chips found on solid state boards. Quality, solid steel parts ensure smooth and consistent operation.

The 0100 SSD/HDD has a list price of $1,299 and is TAA compliant. An optional stand is available.

Why Data Centers Need to Know About GLBA Compliance

May 14, 2019 at 1:10 pm by Heidi White

Data privacy and data protection rules are hot topics, having prompted us to consider exactly how we share, store, and dispose of our personal information from the individual level to the corporate level. Indeed, most (if not all) businesses must now adhere to some sort of data protection and privacy policy as set forth by industry standards. But what happens if your business interacts with other businesses that have their own policies and regulations to follow? Do you have to adopt those rulings for your business in order to continue working together? In most cases, the answer is yes.

Take data centers. If you operate such a business, you likely have stringent rules in place for securing the data you house on behalf of your clients. But, do you also follow the data regulations and privacy policies set forth by your clients? If your answer is no and your clientele is covered under the GLBA, you’ll need to revisit your information security plan immediately to incorporate GLBA compliance.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. The reason is that these organizations are significantly involved in providing financial products and services and therefore have access to personally identifiable information (PII) and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.


GLBA Compliance: Applicable to More than Just GLBA-Covered Businesses

In accordance with the GLBA Safeguards Rule, covered organizations must develop a written information security plan that details the policies in place to protect customer information. The security measures must be appropriate to the size of the business and the sensitivity and complexity of the data collected. Moreover, each company must designate an employee or group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its security measures, identifying and assessing risks and improving the policy and controls as needed.

At this point, you may be asking yourself, “How does this affect my business as a data center?”

The data safeguard rules also apply to any third-party affiliates and service providers employed by companies covered under GLBA. As such, it is the responsibility of the GLBA-covered company to ensure that its third-party affiliates take the same steps to protect the data they interact with or store on its behalf. This means companies under GLBA will select third-party service providers like yours based on whether those providers are already set up operationally with the same steps and policies in place to safeguard sensitive data. Furthermore, organizations under GLBA have the authority to dictate how their service providers handle customer information in order to ensure compliance with GLBA.

Cloud-based data centers therefore must comply with GLBA rules for security policies and enforcement or risk losing business from those organizations and other potential clients that are covered under GLBA. As the data center operator, you could go about this in one of three ways:

1) Create separate GLBA-compliant policies for each client organization based on their needs.
2) Allow each client organization to delineate the GLBA-compliant policies they would like your business to follow, and adopt those accordingly.
3) Establish one set of GLBA-compliant policies that covers all aspects of data protection and privacy and can work for all client organizations and potential new business.

An SSD before and after going through a SEM Model 2SSD solid state disintegrator

GLBA and Data Destruction

Just as there are plans and personnel in place to oversee the safeguarding of data while it is in use, under the GLBA there must be a plan and personnel in place to oversee data destruction when the data has reached its end of life. These policies and plans for the proper disposal of secured data should be incorporated into the organization's information security plan and should be regularly evaluated for risk as well. While this is a straightforward task for the GLBA-covered company, developing and enforcing GLBA-compliant data destruction policies for a third-party affiliate or service provider like a data center is a different story entirely.

Not only do you need to create a set of protocols around data and drive destruction for your data center, you also need to be able to prove to your client organization that you can properly dispose of the drives the data is housed on as well as the data itself. Both the data and the drive must be destroyed so that neither can be recovered or otherwise reconstructed afterwards. Since your data center already provides remote access to the information you store, it is recommended that you purchase and maintain data destruction machinery at your center. This way, you also control where that sensitive information is handled during the data destruction event.

One of the simplest ways to ensure compliance during data destruction events is to work with the GLBA-covered organization to assign certain personnel to that task within your data center. For instance, assigned personnel within your company as well as the client company’s GLBA task force would be required to be on-site during data destruction events. Both parties would be responsible for enforcing data destruction at the data center, including the documentation of every data destruction event, to ensure compliance and alleviate liability in the event of a breach.
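The dual sign-off and per-event documentation described above, as an added example that is not SEM's or any data center's own code: each destruction record must carry the drive serial, the method used, and sign-off from both the data center's assigned personnel and the client's GLBA representative, and retired drives with no complete record are flagged as gaps. Field names, roles and sample records are constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass, field

# Both parties the post says must be on-site for every destruction event.
REQUIRED_SIGNOFF_ROLES = {"datacenter_operator", "client_glba_rep"}

@dataclass
class DestructionEvent:
    serial: str                      # drive serial number
    method: str                      # e.g. "disintegrate", "degauss", "shred"
    signoffs: dict = field(default_factory=dict)  # role -> signer name

def validate_event(ev: DestructionEvent) -> list:
    """Return findings for one record; an empty list means it is complete."""
    findings = []
    if not ev.serial:
        findings.append("missing drive serial")
    if not ev.method:
        findings.append("missing destruction method")
    signed = {role for role, name in ev.signoffs.items() if name}
    for role in sorted(REQUIRED_SIGNOFF_ROLES - signed):
        findings.append(f"no sign-off from {role}")
    return findings

def audit(events: list, retired_serials: set) -> dict:
    """Cross-check records against the drives retired from service.
    A retired drive with no complete record is a gap an auditor will ask about."""
    per_serial = {e.serial: validate_event(e) for e in events}
    return {
        "complete": sorted(s for s, f in per_serial.items() if not f),
        "incomplete": {s: f for s, f in per_serial.items() if f},
        "undocumented": sorted(retired_serials - set(per_serial)),
    }

# Constructed sample data, not taken from any real data center.
SAMPLE_EVENTS = [
    DestructionEvent("SN-001", "disintegrate",
                     {"datacenter_operator": "A. Ops", "client_glba_rep": "B. Client"}),
    DestructionEvent("SN-002", "degauss", {"datacenter_operator": "A. Ops"}),
    DestructionEvent("SN-003", "",
                     {"datacenter_operator": "A. Ops", "client_glba_rep": "B. Client"}),
]
SAMPLE_RETIRED = {"SN-001", "SN-002", "SN-003", "SN-004"}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_EVENTS, SAMPLE_RETIRED).items():
        print(f"{key}: {value}")
```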

Security Engineered Machinery is the global leader in high security information end-of-life solutions including paper and IT shredders, crushers, disintegrators, and degaussers.