Data breaches and ITAD

In light of the recent Equifax data breach, many information technology (IT) managers and compliance specialists are putting their data security standards and procedures under the microscope. They are asking:

• Where does the data trail end?
• Am I liable for the equipment housing my data after I’ve retired it?

How important is IT asset disposition (ITAD) in data security?

Data breaches are costly. Preventing data leaks and practicing data destruction best practices are paramount. If IT professionals are not securely and responsibly disposing of assets, they’re ignoring the final stage of the IT asset life cycle and potentially negatively impacting their bottom lines.

An expensive mistake – from both a financial and reputation perspective

A good reputation is hard to establish and can be even harder to protect. If a company’s name is tarnished by a data breach, not only must it go into damage control to rebuild its reputation, there’s also a very real financial cost.

Since the dawn of the new millennium, more than 5 billion users have been affected by data breaches. The average cost of a data breach is now almost $4 million, which represents an average of 25,575 records at an average cost of $150 per record. According to the HIPAA Journal, the health care industry feels the sting of a breach even more, at a cost of $429 per record.

Beyond security patches and shredding: ITAD

When IT gear reaches its end of life or end of service, it needs to be retired or decommissioned responsibly. Servers and hard drives can store bits of data that still contain sensitive information subject to industry-related or general compliance standards. Data security and compliance do not begin and end with real-time security, end-user training, patches, shredding and backups but with the final disposal of assets.

ITAD can be complex. The guidelines for data destruction include NIST 800-88, PCI DSS and ISO 27001, three security standards that dictate how digital media (such as hard drives) are destroyed when no longer in use. IT managers are ultimately responsible for choosing how to dispose of their organization’s data, defining processes and implementing those processes.

Two major decisions for data destruction are:

1. classifying information based on value, legal requirements, sensitivity and organizational need; and

finding the best data destruction process based on the value of the information (and the IT assets in question) to the company and its stakeholders.

Finding peace of mind – and money – in ITAD

ITAD always should be viewed through the lens of data security first. But importantly, it should be recognized as a way to enhance IT budgets. Just as ITAD is a critical prong in a data breach prevention strategy, IT asset value recovery should be an important consideration in the budget management process.

When shopping for an ITAD partner, I suggest looking for:

• Certification – Find a vendor who is certified to destroy data, preferably through the National Association for Information Destruction (NAID), Phoenix.
• Competitive bidding – Seek out organizations that have deep connections within the IT industry so they can offer accurate valuations on your equipment.
• Compliance – Ensure that the vendor understands your industry’s compliance requirements and can provide you the necessary documentation upon job completion.
• Responsible disposal – Any and all waste or scrap should be properly disposed of, not exported or placed in a landfill.