Waiting for the Right Time

Old records. Outdated hard drives. Scratched optical media discs. What happens when there’s data that is no longer needed or is on failed media? Simple.

Destroy it.

But often times destruction doesn’t happen at the same time storage devices are discarded or replaced. For example, when working on upgrading all the computers at a base or business, sometimes those old hard drives are kept aside because just throwing them out is not an option, and the location does not have access to data destruction equipment or the budget to hire a third-party company to do it securely at the time. Depending on the information on those drives, precautions and policy should be in place that dictate how physical media with information should be stored and protected when it reaches its end-of-life.

Depending on the organization or business, a data destruction policy may be in place that details all of these steps on a data storage device’s path to its end-of-life. This can range from a small business locking up old data in a cabinet to top secret government agencies requiring information be kept in a SCIF location. But if there’s no data policy in place, here are a few tips to help with storing old and obsolete data until it’s time for it to be destroyed.

Storing Old Data

All old data, especially sensitive data such as Personally Identifiable Information (PII), Controlled Unclassified Information (CUI), Personal Health Information (PHI) or classified information should be kept in a location that is locked and secure. Leaving drives on desks, in drawers, or in boxes accessible to anyone can result in data leaking out from internal personnel. Leaving data out in the open can also result in it being mistakenly thrown out with regular trash, which can then be recovered outside of the building or facility from which it originated. Once the data is out, it can be found by anyone, and it could eventually find itself in the wrong hands.

So, where do you keep it? The best option will be to have a secure, dedicated area for old data storage, which will always be better than randomly deciding when the time comes. Having a dedicated area helps establish consistency as data continues to be turned over and updated, which assures that the data will not become lost. To ensure the information is secure, a security storage container or safe would be beneficial for the dedicated area.

Data policy should also be in place so that physical media waiting to be destroyed can only be accessed by a select few preapproved employees to mitigate the number of people that come into contact with the data. The selected employees in charge of handling the data should be educated on the risks of data leaks and know the severity of the mishandling of PII and a company’s or organizations data. This education and personnel limits can help with not only keeping track of where the data is, but also with reducing the risk of an uneducated or unaware employee mistaking the data for something else.

Documentation of who accesses or moves the old data is also critical for transparency and responsibility. By keeping a document that lists the date, time, and reason for accessing the data, an organization can be sure that the data is secure and being kept track of. This can serve as a way to notice red flags if names appear that shouldn’t be on the list, or if someone is around the data who did not follow proper protocol.

Following all of these tips can help protect physical media while it’s waiting to reach its end-of-life. By establishing a secure area, limiting personnel, and documenting the process, a company or organization can rest easy that old data won’t fall into the wrong hands while waiting to be properly disposed of and destroyed.