Isn’t the IT Department Responsible?
The short answer is no. End-of-life data destruction shouldn’t be an additional responsibility heaped on an IT team that, more than likely, doesn’t have the proper training.
Let’s start with some quick background. By 2020, it is estimated that there will be approximately 40 zettabytes (40 trillion gigabytes) of electronic data and that every user will create 1.7 megabytes per second. To put that into perspective, even with the technological advancements we’re continually making in data transfer, it would take a single user with an average download speed of 44 megabits per second three million years to download and compile all that data!
Given the amount of data being generated and the dissemination of data being increasingly regulated to safeguard individual privacy, expecting an IT team already tasked with maintaining a technological infrastructure to handle data destruction is not only unreasonable and impractical but virtually impossible. Furthermore, proper destruction of private information is so critical (and, quite often, so complex), that in-house protocols need to be rigidly defined and precisely followed to avoid the potentially catastrophic risks of noncompliance.
In short, there’s no place for simply “leaving it up to the IT department” — and certainly no room for relying on misguided assumptions about where data destruction responsibility falls.
Particularly for organizations and businesses that deal with personally identifiable information (PII), classified data, controlled unclassified information (CUI), or other sensitive information, it is crucial to have dedicated and trained technology-security professionals in charge of end-of-life data destruction. Ideally, a team of security experts should formulate, implement, and manage a comprehensive end-of-life data destruction process that ensures all data is destroyed at the proper time and in accordance with the proper security specifications.
But doesn’t data destruction merely involve obliterating hard drives and shredding papers?
Physical destruction is just a portion of the end-of-life data destruction process — and overlooking the rest of it can have extremely severe ramifications. When you’re dealing with personal, sensitive, or classified data, you’re likely under the jurisdiction of laws such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), or either the National Security Agency’s (NSA) regulations regarding classified and sensitive materials or the Payment Card Industry Data Security Standard (PCI DSS) in the United States, to name just a few.
Depending on which regulations apply to your organization, there are different sets of standards regarding how thoroughly data must be destroyed and how long data may be held before being destroyed. There are also varying financial penalties for not adhering to those standards, many of which can be quite steep. For example, Equifax recently had to pay $575 million as part of a settlement related to a data breach in 2017, and British Airways was recently fined the equivalent of $230 million for a breach in 2018.
Bottom line: If you work with personal, sensitive, or classified data, the onus is on you to be aware of all applicable end-of-life data destruction and privacy-protection regulations. In today’s digital age, this issue is such an urgent one that data privacy policies exist in over 80 countries. It is imperative that all sensitive data residing at a company, whether pertaining to the company or to an external partner/third party, be assigned a proper timeline for destruction at end-of-life, and that the data be thoroughly obliterated to the point that it is irreversibly destroyed.
The only way to guarantee that this will happen is to designate the responsibility, oversight, and ongoing supervision to an in-house professional security team (headed by a Chief Security Officer) that is well-versed in data privacy laws and maintains an organized end-of-life data destruction plan and process.
What about assigning responsibility for data destruction to a third party?
Using third-party destruction companies is a risky proposition. Even in instances when you’re issued a certificate of destruction, you can’t be certain data is irreversibly destroyed unless you have actually witnessed the destruction process and unerringly monitored all facets of data transfer. In fact, the internet is rife with studies documenting how often discarded—and supposedly destroyed—hard drives are found containing PII, sensitive, or classified data.
As examples, Blancco Technology Group recently purchased hard drives on eBay from the United States, the United Kingdom, Germany, and Finland. It was discovered that a whopping 42% contained sensitive data and 15% contained PII. In July 2019, the Federal Bureau of Investigation found over one thousand classified Air Force documents in a contractor’s Fairborn, OH, home. (We’ve also touched on similar incidences in previous discussions.)
The lesson is clear: If proper end-of-life data destruction plans and adequately strict supervision protocols were in place, these incidents most likely would have been avoided.
So what do you need to stay compliant?
Simply put, designating professional, in-house security personnel to curate and monitor end-of-life data destruction plans is the strongest defense against data breaches. Furthermore, be sure this security team has the proper equipment to thoroughly destroy data across various media in compliance with all regulations. Companies like SEM sell destruction devices that not only meet but exceed many government standards. If you are unsure of whether your equipment suffices, you can check the NSA’s evaluated products list.