Without an umbrella federal guideline governing data privacy, it’s up to each company, every enterprise, to determine their own, defensible data destruction policy and secure IT asset management process. If your goal is to ensure that data doesn’t show up where it shouldn’t, this checklist will help you create a comprehensive IT asset management plan.
1. Are you in an industry that has specific federal data privacy laws?
- Banking & Finance. Gramm-Leach-Bliley (GLBA), the Federal Trade Commission’s Fair and Accurate Credit Transactions Act (FACTA) and the Sarbanes-Oxley Act (SOX)
- Education. Family Educational Rights and Privacy Act (FERPA) and the Individuals with Disabilities Education Act (IDEA)
- Healthcare, Pharmaceutical and Insurance. Protected health information (PHI) is protected by the Health Insurance Portability and Accountability Act (HIPAA)
- Government, Nonprofit. Publishing, Research & Development and Retail and eCommerce. The Children Online Privacy Protection Act (COPPA).
2. Do you do any business in any of these states and have consumer data (everything from financial information to identity, health or behavior)? The New York Times published The State of Consumer Data Privacy Laws in the US — a national and state-by-state guide to personal, business and legal gaps and responsibilities.
3. Do you do business in the EU? Get familiar with the General Data Protection Regulation (GDPR) — a comprehensive European Union data privacy law with heavy handed enforcement. Most countries have some type of data privacy protection that needs to be considered.
4. Does your business use credit cards for transactions? If so, you’ll have to abide by the Payment Card Industry Data Security Standards (PCI DSS).
5. Do you know where your data is? Use this checklist to see if your IT data management plan is covering everything (you may be quite surprised with where your confidential information is stored and used).
6. Do you understand how accidental data breaches occur? Recognizing and keeping tabs on the ever-growing types of memory-holding devices for every employee type is essential. In each of these seemingly innocuous situations, data that is not managed and destroyed is a possibility for a damaging data breach:
- What happens if a sensitive, legal contract is still on your end-of-lease copier’s hard drive as it rolls out the door?
- Your remote employee’s child connects a work-issued computer to a school network?
- HR and personnel files are sitting on a decommissioned server that is remarketed?
- A salesperson’s old field tablet has access to your customer information and CRM?
- Discarded engineering workstations with confidential customer and project files?
- The kiosk in the lobby holds credit card numbers?
- A cabinet full of older laptops left behind when a regional office’s lease is up?
7. Do you have employees who work from home? Or remote employees leaving the company? How are you securely tracking and wiping their returned devices? Do you have a remote erasure or box program in place?
8. Are employees allowed to “bring their own device”? What data confidentiality and destruction controls do you have in place?
9. Do you know the true cost of a data breach? “After analysing data breaches that happened across the world between April 2018 and April 2019, researchers at IBM reported that the average, total cost of a data breach to a business is a phenomenal $3.92 million. They also found that companies in the US had the highest average cost of all countries, at around $8.19 million.” (What Is the Real Cost of a Data Breach? CPO Magazine)
Costs include:
- Detection, escalation auditing and investigation.
- Notification of all stakeholders including customers and investors
- Trust-building response including legal, PR, reputation management, publicity focusing on brand credibility to retain customers, employees and investor interest, maintain new business pipelines, recruiting and vendor trust
- Revenue loss – sales, credibility, new business, brand reputation
10. Do you sit down with your ITAD, MSP or reseller as you create a comprehensive data destruction plan? They will recommendations for secure transport, packing, chain of custody and compliance for every location, every employee type and every device (see #3 above).
11. Are IT assets that are waiting for redeployment, refurbishment, valuation or recycling securely inventoried and warehoused? Data destruction before any of these next steps ensures that no data is lost if a device is stolen, misplaced, donated or remarketed.
12. Who is responsible for the tracking of your IT assets? A dedicated department or person, whether it’s IT, inventory, warehouse or IT asset management, is your best accountability for tracking, deployment, maintenance, upgrades and disposition of anything that holds customer or company data.
13. Are you familiar with industry organizations that certify data destruction services, secure logistics and more? Ask your VAR, ITAD, MSP or reseller for vendors who meet the highest standards of data security for secure data destruction (NAID) or records and information management (PRISM). Industry organizations such as IATAM, CompTia and ASCDI support best-in-class services and providers to ensure that secure services are delivered.
14. Avoid the “one and done” approach. To ensure that you don’t have a data breach, schedule an annual review of your asset management plan, devices and process to keep up with IT technology, data structure, architecture and laws to ensure that your data is only where it should be and secure.
15. Agree upon which is more important: the data or the hardware.
The right partner is best for IT asset data destruction
Every company, depending on their industry and brand reputation, approaches risk and compliance with a different goal. With 15 years in the business, Guardian Data Destruction is a trusted partner in data destruction, IT assets logistics and data center decommissioning. We work with our nationwide ITAD and VAR partners to help their clients make informed, secure data destruction and IT asset disposition decisions.
Guardian’s integrated offerings mean that you can confidently offer hard drive shredding or erasure and securely pack and transport IT equipment of any kind for maximum value retention.
