The European Union (EU) has introduced the General Data Protection Regulation (GDPR) set to be enforced on May 25, 2018. This regulation replaces the Data Protection Directive 95/46/EC. How will GDPR directly impact the United States? In the past, U.S.-based regulations were a primary driver of compliance requirements. This is changing with the introduction of the GDPR. The GDPR requires organizations to understand what information they have, who has access to it and where it resides. The GDPR applies to anyone that is doing business in the EU. This means anyone selling into the EU or who has employees there must comply. Failure to do so will result in fines that are 4% of global revenue.
Whether you are relocating, refreshing your IT estate or heading to the cloud, you will undoubtedly generate redundant IT hardware and as a result, will need to ensure any remaining data on that equipment is adequately erased.
When choosing to trust a new partner to manage your IT assets and confidential data, you can often face a dilemma. How do you know you are making the right choice? What criteria, industry guidance or performance measures do you work from to ensure your decision is solid?
Disposing of devices properly with an IT Asset Disposal Provider
When choosing an ITAD (IT Asset Disposal) partner, make sure that they provide you with comprehensive audit trails so you know where your hardware is at all times and its final destination, i.e., whether equipment is resold, reused or recycled. Regardless of the route your hardware takes, you must consider your options and make sure that data stored on the hardware has been securely erased.
There are four methods that can be considered and in some cases, a combination of these methods may be necessary to achieve the result you require. This is dependent on your own internal policies as well as the type of media you have to dispose of.
Options for secure data removal include:
Data wiping/overwriting – This is the most popular method of data erasure, as it allows for the resale/reuse of devices while ensuring that the data has been safely removed. There are many software data erasure solutions on the market that allow for complete data removal and a report to prove that it has been erased properly. You should be sure that any process for wiping or overwriting data is completed in line with the National Cybersecurity Center (NCSC) standards. You should also ask your provider what will happen to any drives that cannot be wiped using software – will these be physically destroyed? What about solid state or hybrid drives? How does your chosen provider handle these technologies?
Degaussing – A process that uses a strong electromagnetic field to destroy all magnetically recorded data, leaving the domains on hard drives and floppy discs in random patterns with no preference in orientation, thereby rendering previous data unrecoverable. When choosing a Degausser, keep in mind that it must be independently tested and verified and approved by NCSC.
Shredding – The mechanical process to crush chop and shred devices into smaller pieces is a standard process. The size of the shredded material is usually 25mm down to 6mm. This fragmented material is then sent to refining partners who will continue the refining process. Certain things to consider: What record of items shredded will you receive? What destruction certificates are included for your own internal auditing records?
Granulation – This is the action of extracting and destroying data from an information system in the form of drives and other media by cutting (or shredding) it down to granules 6mm or smaller.
Other considerations will focus on whether you require your data to be disposed of on premise or off site at your provider’s facility. What capabilities does your ITAD provider have to offer?
Implications of improper sanitization
The business implications of a data breach are very significant. Not only would it damage your company’s reputation if customer information is released via a breach, but if your company’s Intellectual Property is accessed, stolen or shared with the public, your company may lose its competitive edge.
From a legal perspective, if data bearing media containing confidential customer or employee information is accessed, the company could also breach the Data Protection Act (DPA), leading to a substantial fine from the ICO – currently up to about $560,000. Looking ahead, when the EU’s new General Data Protection Regulation (GDPR) comes into force next year, companies must inform affected parties and the ICO within 72 hours of a breach and will face fines of up to about $22 million or 4% of global revenue.
The value of data is making every business and individual a potential target of cybercrime. Therefore, organizations need to take every possible step to minimize their risk of compromise and understand the legislative requirements. For example, an organization that handles personal information about individuals has obligations to protect that information under the DPA and public authorities have a legal obligation to make official information available under the Freedom of Information Act. Under the forthcoming GDPR legislation, organizations must also seek permission from individuals to collect information, inform them how that information will be used and ensure it is erased securely after a set time frame.
Matthew Prince, a data erasure specialist at Kroll Ontrack advises:
“Organizations should take the same level of care with disposing of data and devices as they do protecting it in an active IT environment. It is imperative to understand the entire lifecycle of your data and IT assets, ensuring that any gaps in the process are addressed. Organizations should also be sure that third party providers confirm that they remain compliant.”
Audit trails and accreditation
When you look to secure a provider to deal with data, ask them to provide you with a full audit trail so you know where your equipment (and data) is at all times. What proof of data erasure or destruction will they provide? It’s worth finding out if they utilize NCSC approved software for data erasure and if you have requested physical destruction via shredding, will they issue you certificates of destruction?
Confirming that your provider has a proven track record within the industry is also vital. Find out what accreditations they hold and what standards and regulations they adhere to. As a general rule, any ITAD partner you choose should be compliant with the EU Regulation on Waste for Electrical and Electronic Equipment (WEEE) and should hold a waste carriers licence. They may also be an Approved Authorized Treatment Facility (AATF).
Key questions surrounding their environmental policy and downstream processes should be considered. For example, do they adhere to any environmental standards – i.e., ISO 14001? What percentage of equipment they collect is re-used, re-sold or refined and what is their landfill policy?
Another ISO standard that serves as a solid indicator of a reputable provider is ISO 27001, which demonstrates, amongst other areas, that they have systems in place for the secure disposal of IT equipment and secure destruction of all confidential data.
Adhering to specific industry standards, such as being a member of ADISA is also important. ADISA (The Asset Disposal and Information Security Alliance) is an organization that recommends standards for safely disposing of IT equipment, while minimizing the risk of exposure and misuse of any sensitive data stored on that equipment. The ADISA audit process is multi-layered and includes full audits, unannounced operational audits and forensic audits. This ensures that ADISA certified companies are constantly checked against this industry specific standard.
Know where your data is, and who has it
What guarantees does your chosen provider give when equipment containing data is in transit? If they utilize any third party suppliers in their supply chain, what assurances do you have regarding a solid chain of custody route for your equipment? For example, you should be sure that any vehicle used in the process has GPS tracking enabled.
You should also be asking questions about their staff, especially if they utilize any third party or temporary staff members. Find out if their employees have been vetted with the relevant background and security checks and take note of how recently these checks were completed.
By asking these questions, you should be prepared to choose an ITAD that can provide the highest level of security and compliance. If your data ends up in the wrong hands, it could spell disaster for your organization. Therefore, make sure that any provider you choose has been thoroughly assessed beforehand.
This was a guest article by Laura Cooper at EOL IT Services.
How do you dispose of your IT assets? How do you guarantee that your data is completely destroyed? Let us know by commenting below.