The Risks of Not Having a Business Data Destruction Policy

Highlights from the September 23, 2021 webinar in the HBK Risk Advisory series, “Assessing Cybersecurity Risks,” hosted by William J. Heaven, CPA/CITP, CISA, CSCP, Senior Manager, HBK Risk Advisory Services, and featuring Jennifer Lamar, CEO, and Kevin Lamar, VP of Business Development, Northern Shore Services.

Businesses need to develop and maintain a policy for disposing of and destroying obsolete data, and often, the devices used to create and store that data. The webinar focused on data disposal and destruction techniques.

• Northern Shores Services provides third-party data disposal and destruction services, including policies and procedures for identifying and destroying obsolete data and, where necessary, data devices. Services are provided onsite or off-site, and include auditable reporting, compliance, and secure data destruction.

• Data destruction/media sanitization defined: the process of eradicating data found on storage media, either by destroying the media itself or by rendering the data inaccessible.

• Case study: Morgan Stanley’s $60 million Office of the Comptroller of the Currency (OCC) civil penalty for failure to exercise proper oversight of the 2016 decommissioning of two wealth management data centers:

- The bank failed to effectively evaluate or address risks associated with its hardware.

- It neglected to adequately assess the risk of subcontracting the decommissioning work.

- It lacked adequate due diligence in selecting a vendor and monitoring its performance.

- There were deficiencies in maintaining appropriate inventory of customer data stored on the decommissioned hardware.

- The OCC found the deficiencies constituted unsafe or unsound practices and resulted in noncompliance with “Interagency Guidelines Establishing Information Security Standards.”

- Downstream vendors included three players, one of which provided a certificate of indemnification falsely described as a certificate of destruction. The data mismanagement came to light when a buyer of the old devices found Morgan Stanley data on the storage devices he purchased. Businesses must be sure their providers are doing what they say they are doing.

• Exposure to data issues is often related to:

- The introduction of new technology

- Required upgrades to existing equipment

- Changes in staffing levels and office locations

- Compliance with corporate IT policy revisions

- Revisions to business models based on industry regulations

• Benefits of data destruction and asset recycling:

- Freeing up digital space

- Removing outdated IT assets

- Eliminating environmental and safety concerns associated with storage of old IT assets

- Security: prevent a potential data breach by destroying old information

- Reducing the time spent securing old data and maintaining obsolete inventory

- Convenience: can choose destruction onsite or offsite at vendor’s location

• According to the National Institute of Standards and Technology’s “Guidelines for Media Sanitization” in publication 800-88 revision 1, it’s the responsibility of the information owners to identify data categories and confidentiality levels, and determine the level of media sanitization required for their organization.

• To determine the appropriate method for sanitization, the organization should:

- Categorize the security level of the information

- Assess the media on which it’s stored

- Evaluate the risk to confidentiality

- Determine the future of the media

• Do a cost-benefit analysis before determining your method of sanitization

• Assume that if you don’t know what type of data you have or where it’s stored, you’re exposed.

• Optical CDs, magnetic hard drives, and flash-memory SSDs require different methods of physical destruction. More time is required to erase or overwrite a drive with more information. You must have access to the equipment and software needed to erase or destroy.

• An important factor in an organization’s sanitization decision is its responsibility for control over and access to its media.

• One organization can have several different data protection policies.

• Managers involved in developing a policy to accomplish information security include the CIO, the information system owner, an information steward, and a senior agency information security officer.

- A computer/information system security manager performs daily security implementation and administrative duties and coordinates security efforts.

- A property management officer ensures accountability for sanitizing media and devices to be redistributed internally, donated, or destroyed.

- A records management officer advises data owners of retention requirements.

- A privacy office provides guidance regarding privacy issues associated with the disposition of sensitive information.

- Users must know and understand the confidentiality of the information associated with their assignments.

• Actions taken to sanitize media include clear, purge, and destroy.

- Clear: applies logical techniques to sanitize data in all user-addressable storage locations for protection against non-invasive data recovery.

- Purge: applies physical or logical techniques that render targeted data recovery infeasible using state-of-the-art techniques.

- Destroy: renders targeted data recovery infeasible using state-of-the-art lab techniques and results in the inability to use the media for data storage.

- Choose the action based on what ultimately preserves the confidentiality of the data.

• Documentation: Once sanitization is completed, a certificate of media disposition should be created—a hard copy or an electronic record. It should include:

- Media information: manufacturer, model, type, serial numbers etc.

- System information, such as property tag or ID numbers

- Sanitization description (clear, purge, or destroy)

- Sanitization method (degauss, erasure, crushing, etc.)

- Verification method (full, spot check, etc.); if you use an erasure method, it must be verified in some way

- Date, time, and location

- Name, title, and signature of person performing the sanitization

• The format of the documentation is not as important as the content.
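
As an added illustration (not from the webinar or from Northern Shores Services), the Python sketch below checks certificate records for the fields listed above and reconciles them against an inventory of decommissioned devices, the gap the Morgan Stanley case turned on. The field names, the placeholder values treated as "not verified", and all sample data are assumptions made for the example.

```python
# Fields the page lists for a certificate of media disposition.
# Key names are this example's own choice, not a standard schema.
REQUIRED = ("manufacturer", "model", "media_type", "serial", "property_tag",
            "action", "method", "verification", "performed_at", "location",
            "operator_name", "operator_title", "signature")
ACTIONS = {"clear", "purge", "destroy"}
NOT_VERIFIED = {"none", "n/a", "not verified"}  # assumed placeholder values

def check_certificate(cert):
    """Return the list of problems found in one certificate record."""
    def val(key):
        return str(cert.get(key, "")).strip()
    problems = [f"missing {k}" for k in REQUIRED if not val(k)]
    if val("action") and val("action").lower() not in ACTIONS:
        problems.append("action is not clear, purge, or destroy")
    # The page's rule: an erasure method must be verified in some way.
    if "eras" in val("method").lower() and val("verification").lower() in NOT_VERIFIED:
        problems.append("erasure without verification")
    return problems

def reconcile(inventory, certs):
    """Compare decommissioned-asset serials with the certificates received."""
    seen, invalid, duplicate = set(), {}, []
    for cert in certs:
        serial = str(cert.get("serial", "")).strip().upper()
        if serial in seen:
            duplicate.append(serial)
            continue
        seen.add(serial)
        problems = check_certificate(cert)
        if problems:
            invalid[serial] = problems
    wanted = {s.strip().upper() for s in inventory}
    # A device counts as accounted for only if its certificate is valid.
    return {"invalid": invalid, "duplicate": duplicate,
            "unaccounted": sorted(wanted - (seen - set(invalid))),
            "not_in_inventory": sorted(seen - wanted)}

# Constructed sample data (serials, names and dates are made up).
BASE = dict(manufacturer="ExampleCo", model="X1", media_type="HDD",
            property_tag="PT-0001", action="purge", method="degauss",
            verification="full", performed_at="2021-09-23T10:30:00",
            location="Onsite, server room", operator_name="A. Tech",
            operator_title="Technician", signature="A. Tech")
INVENTORY = ["SN-1001", "SN-1002", "SN-1003", "SN-1004"]
CERTS = [dict(BASE, serial="SN-1001"),
         dict(BASE, serial="SN-1002", action="clear", method="erasure", verification="none"),
         dict(BASE, serial="SN-1003", signature=""),
         dict(BASE, serial="SN-9999")]
print(reconcile(INVENTORY, CERTS))
```

Any serial reported as unaccounted is a device that left the organization's control without a usable record of its sanitization.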

• Disposal/destruction techniques:

- Data wiping or overwriting: replacing data stored by writing meaningless data across the storage area

- Physical destruction: degaussing subjects media to an intense magnetic field with the intent of eradicating the data

- Shredding – using a strip-cut or cross-cut shredder to a specified particle size

- IT asset recycling – domestic recycling includes sorting, dismantling, mechanical separation and recovery of valuable materials

• Consumer data-bearing devices – if you dispose of, say, your smart TV, ensure your data is not still stored in it.

• A major hurdle to getting started on the project is identifying the information on the drive. Look at the age of the information and determine the type of information stored as a first step.

About the Author(s)
Hill, Barth & King LLC has prepared this material for informational purposes only. Any tax advice contained in this communication (including any attachments) is not intended or written to be used, and cannot be used, for the purpose of (i) avoiding penalties under the Internal Revenue Code or under any state or local tax law or (ii) promoting, marketing or recommending to another party any transaction or matter addressed herein. Please do not hesitate to contact us if you have any questions regarding the matter.
