The Most Overlooked Part of Your Data Security
One of the most critical areas of data security that often gets overlooked during this month of attention is when your devices come offline.
Having a plan in place for securely getting rid of used equipment can instantly protect a company against the catastrophic risk of a data breach. Along with having a clearly defined IT Asset Disposition (ITAD) program, you must make sure that it is adequate and that it is actually being followed.
The Big Oops.
A recent headline example of a failing corporate ITAD program involves a large, well-known financial institution; Morgan Stanley has felt the repercussions of its ITAD failure over the past several years, now resulting in over $163 million USD in fines and penalties.
Although they had an ITAD program in place, there was no oversight, and the plan failed to ensure that a qualified vendor was used for data decommissioning. They hired a moving company, with no experience in data destruction, to decommission thousands of servers and hard drives. Instead of destroying the data, the vendor sold the devices through various subcontractors, which led to them eventually being sold online filled with the personally identifiable information (PII) of millions of customers.
We entrust our personal information to organizations like this with the understanding and expectation that it will be protected. Morgan Stanley may have saved money upfront by using a moving company for their IT disposal, but in the end, the cleanup costs far outweigh what it would have cost to do it right in the first place.
Morgan Stanley: The Takeaway
The takeaway from this debacle is for organizations of all sizes to carefully consider the necessary security measures at every step of the data lifecycle, from collection to disposal. Organizations must ensure that what they think is going to happen in the disposal of their IT equipment does happen. When using any third-party contractor, it’s important to make sure they have verifiable credentials and can guarantee a secure chain of custody with proven data destruction.
Industry certifications like e-Stewards, R2 and NAID AAA can assist in this vetting process. These voluntary standards require companies to go above and beyond. Whether equipment is being recycled or resold, certified companies must prove their processes and procedures meet the stringent standards set forth by the certifications, which are audited and verified on an annual basis.
As the only certified ITAD vendor in the Dakotas, SEAM can help guide you in setting up a sufficient program and make sure it’s followed. Contact us to learn more.
SEAM provides IT recycling and data destruction services including onsite shredding and hard drive wiping to South Dakota, North Dakota, Minnesota, Iowa, and Nebraska.