Electronic Data Destruction 101: Chain of Custody

Posted in Blog

Glenn Laga

If it’s time to replace your IT equipment, then it’s time to double check that your data security policy contains a secure chain of custody and an electronic data destruction process. This will ensure that your computer hardware with sensitive data makes it safely from your facility through data destruction to a certified asset disposition company that has been properly vetted. To significantly reduce the risk of legal, financial and PR disasters, be sure that a certified and bonded service provider properly handles the onsite data destruction or secure transport of the assets to help prevent a data security breach.

What is a Chain of Custody?

Chain of custody is a fully auditable paper trail providing end to end visibility documentation of what was done, when, and by whom in the process of electronic data destruction. This should include:

• An assigned project manager
• Identification and scanning all serial numbers for tracking purposes
• Optional: Scanned and matching computer and hard drive serial numbers
• A recording of the time of disposition, and the method of disposition
• Identification of the individual executing the procedure
• A video recording of the process
• A signed Certificate of Destruction proving compliance with relevant privacy legislation.

Why do you need a Chain of Custody?

Maintaining an auditable record of chain of custody is necessary for regulatory compliance and data management.  It will help to protect your business against any potential regulatory fines that could be incurred for a data breach that may result from IT assets being improperly disposed of.  And a secure chain of custody includes a Certificate of Destruction, a nationally-recognized record to keep on file helping you document compliance with state and federal privacy laws such as HIPAA, PCI, FACTA, Gramm-Leach-Bliley, and Sarbanes-Oxley.

NAID AAA Certification and Chain of Custody

Using a NAID AAA certified data destruction vendor ensures the highest standard of information destruction. NAID-certified companies undergo announced and surprise audits that include careful scrutiny of the chain of custody audit trail and procedures. Selecting onsite electronic data destruction services further reduces the opportunity for chain of custody gaps resulting from packing and shipping. Additionally, with onsite data destruction, you’ll be able to have your own staff witness the process to further strengthen your chain of custody process and verification.

Chain of custody is a legal obligation for anyone disposing of sensitive data. To ensure compliance and verification of compliance is a part of your ITAD (IT Asset Disposition) program, ask your VAR or contact Guardian Data Destruction for advice. No one needs the embarrassment, financial and legal consequences of an end of life data breach that could have been easily avoided.