In the fourth of five in our series marking Data Privacy Week, Eric Dorn of Sipi Asset Recovery shares the single most common data security disconnect he witnesses almost daily. And it’s keeping him up at night. After you read his (scary) narrative, perhaps you should see if your own organization is making the same, short-sighted error and risking everything you believe you are protecting.
Where is the chain of custody for in-transit data-bearing equipment and devices?
“Data in transit risk is a critical problem that needs to be addressed! Specifically, equipment and devices moving from one customer’s facility to another facility or to disposition. For National Data Privacy Week, I recommend a thorough review of your end-to-end transit chain of custody process.
Oftentimes we (Sipi Asset Recovery) receive gaylords, pallets, or a truckload of devices and equipment that were accumulated and packed over several weeks or months. This equipment and/or devices arrive without a scanned serial number list and rarely an itemized quantity which makes it virtually impossible to verify. Ironically, the shipper includes very specific disposition instruction to prevent a data breach, once the equipment and/or devices have reached their designated location but has not addressed the significant risk arising from a lack of oversight of secure tracking and handover of valuable, possibly data-laden IT equipment.
The terrifying and real problem is this: if the shipper does not know exactly what they have shipped, there’s no way that their job can be verified before processing. This gives ample and widespread opportunities for a data breach to occur due to lack of accountability at every step: storage, packing, loading dock, warehouse staff and logistics (to name a few). Additionally, the lack of verified data destruction (shred, wipe, degauss) or encryption before loading amplifies the data security challenge. If a single device, or worse, a pallet or a box of multiple devices, goes missing, how do you know what is missing and the liability involved?
That RISK, the uncounted, untracked, unverifiable disconnect between the shipping and receiving, is what keeps me up at night.
A comprehensive chain of custody control process resolves this significant vulnerability in data custody. Detailed serial # scanning, packing, and shipping on the front end and signatures as shipments change hands will completely remove ambiguity and close that very real gap in IT asset tracking and data risk. At Sipi Asset Recovery, because we scan and verify upon receipt, we know immediately if something is missing and exactly what that missing device is.
For Data Privacy Week, protect the privacy of all your customer and company data with the winning combination of secure onsite data destruction and/or encryption for all devices and a secure chain of custody process. No matter how large or small the shipment, the process should include barcode scanning and inventory as you pack and ship and signature verification at every handoff to the carrier. With a strict chain of custody process that is adhered to, you’ll significantly reduce the opportunity for an accidental or nefarious data breach and keep your brand reputation intact.
I welcome anyone to reach out to me for guidance on a chain of custody process that includes all their vendors, partners, and staff. We can work together to stop data from getting into the wrong hands and I’ll be able to sleep at night.”
Eric Dorn
Senior VP and GM
SIPI Asset Recovery
Chain of Custody is king
We couldn’t say it any better: maintaining an auditable record of IT asset custody is a necessity for regulatory compliance, data privacy management and brand stewardship. At its most basic level, chain of custody is the best protection against regulatory fines that could be incurred from improper IT asset disposition as dictated by state and federal privacy laws such as HIPAA, PCI, FACTA, Gramm-Leach-Bliley, and Sarbanes-Oxley.
Chain of custody is a legal obligation
To ensure compliance and verification of compliance is a part of your ITAD (IT Asset Disposition) program, ask your VAR, ITAD, trusted service provider or contact Guardian Data Destruction for advice. No one needs the embarrassment, financial and legal consequences of a data breach that could have been easily avoided.
Close the gaps in data privacy
These industry leaders have offered their thoughtful advice and topical concerns as part of our Data Privacy weeklong series. Use their expert advice to think about (deeply), tackle and close any gaps in your own data privacy policy and process. And, get set to celebrate the end of of with Data Privacy Day (tomorrow!) and John Shegerian of ERI.
| Mon Jan 24 | What is Data Privacy Day and why should you care? | Melissa Graham – Senior Vice President, Global Sales SHI International Corp. |
| Tues Jan 25 | Data Privacy Day expands to Data Privacy Week. Here’s what the experts want you to know. | Eric Ingebretsen – Chief Commercial Officer TES-Sustainable Technology Solutions |
| Wed Jan 26 | Data Privacy Week: Renew and Trust your supporting vendors and industry organizations | Joe Marion President – The Association of Service, Communications, Data and ITAD providers (ASCDI) & Christian Foster – SVP, CircleIT |
| Today | Data Privacy: What Keeps Me Up At Night | Eric Dorn – Senior Vice President & General Manager Sipi Asset Recovery |
| Fri Jan 28 | Celebrate Data Privacy Day with a Data Privacy Week Wrap-up | John Shegerian – Chairman/CEO ERI Direct |
