Should Your Company Audit Its Data Destruction Process?

Besides taxes, most businesses share one other similarity: handling highly sensitive user information that should only be accessed by authorized people. Although some private and confidential documents can be destroyed right after sending or printing, some laws and regulations require that they archive some documents for a specified period or forever. But in between these two ends of the scale, many organizations store large volumes of data in both soft and hard copy.

On the other hand, businesses are constantly upgrading their resources, whether it’s training their workforce or getting newer technologies, as a way to ensure top-tier speed, security, and reliability and, ultimately, maintain their competitiveness. In many cases, the older IT infrastructure, including computers, printers, and other equipment, is moved to another area of the business for restructuring to perform less critical functions.

Reasons for Data Destruction

When organizations no longer have a need for their obsolete equipment, it may be offered to employees, donated to charity, or auctioned or sold on the secondary market to generate some working capital. Alternatively, the hard discs can be physically destroyed so they’re completely inoperable. Whichever option a company chooses, it’s critical that they successfully perform complete data erasure, disc sanitation, or physical destruction to prevent sensitive information from being accessed by unauthorized persons.

Unfortunately, many organizations leave the task of destroying sensitive information to low-level IT employees, who lack the tools or budget needed to perform such a critical task. Often, in an attempt to keep operational costs low, organizations simply choose to delete the data or format the hard drives to destroy sensitive data. Unfortunately, tech-savvy criminals can reverse this process and, therefore, target the secondary PC market to collect any sensitive information they can use to their benefit.

Considering that IT hardware obsolescence is inevitable in today’s technology-driven industry, if the data is not completely erased before the equipment is released for its secondary purpose, the organization can be exposed to a range of adverse effects, including:

• Disclosure of sensitive business strategies
• Negative publicity
• Privacy or identity litigation
• Environmental damage
• Infringement of intellectual property
• Violations of federal regulations
• Breach of software licensing agreements

As such, it is very important that IT managers institute a formal process to ensure that all sensitive data stored in hard drives is completely erased and/or destroyed prior to reuse or disposal of the equipment.

The Role of Auditing in the Data Destruction Process

It is paramount to have complete data destruction on all equipment holding sensitive data, not only to protect sensitive consumer information from cyber criminals, but also to be in compliance with the law. Auditing helps to pinpoint areas for improvements in data destruction while preparing the organization for an impromptu external audit.

Your organization may need to undergo an audit if:

• It has been a long time since the last audit of the data destruction process.
• There are no standardized practises within your IT department.
• You can’t produce records of the last time you conducted a data wipe.
• You cannot ascertain that your last data destruction process was successful.

In any of the above situations, a data destruction audit would help to:

• Rework outdated policies and practises and tie up loose ends in an uncertain data destruction process. Considering that laws are constantly changing with technological advances, an audit is necessary to help you stay in compliance with current legislation. Generally, scheduling an audit at least once a year with a certified service provider should be enough to eliminate the threat of internal or external data theft. For instance, they could use locking bins for hard drives to prevent access except from the certified provider during pickup, and also audit internal policies and procedures to ensure employees are keeping their devices secure and properly disposing them when they have to.
• Ensure that laws are met. Data destruction is not only an ethical concern, but also a legal matter that is strictly regulated by national and local laws, and even by industry-specific standards in some cases. Companies must ensure that their data destruction policies and procedures are in compliance with all applicable laws to protect both your customers and company, and avoid hefty penalties.
• Develop a streamlined process to prevent security breaches and data theft. Regular audits can help to iron out any loop holes in your data and IT-related policies, procedures, and practises that could compromise security.
• Reduce waste. Needlessly complex practises could result in confusion, inefficiency, and time and money wastage. Audits help to identify redundant practises and reduce waste.

Whether the audit is internal or external, it will reveal exactly what needs to be improved and/or tracked, while reporting will show that the criteria was met. Ultimately, organizations will be able to identify areas where data handling and destruction procedures and practises should be secured, standardized, and documented in preparation for accountability and compliance.

For more information about data destruction and our decommissioning services, contact eCycle Solutions toll free at (888) 945-2611 or contact us here.