Old Data. New Liability.
What do Morgan Stanley, hospitals and healthcare organizations across the U.S., and the Kanagawa Prefectural Government of Japan have in common? They all recently faced the same IT Asset Disposition (ITAD) nightmare: data breaches caused by their outsourced data disposition service provider. High-ranking executives from these organizations have endured the public humiliation of having to tell thousands of their patients and customers that their private data is in the hands of thieves, leaving those patients and customers open to financial loss and identity theft, and the executives and their companies open to liability, class-action lawsuits and even criminal charges.
Many executives and IT professionals mistakenly believe that using an outsourced data disposition vendor protects them from risk and liability. But there is no statute of limitations or safe harbor for improperly decommissioned IT assets. Partially destroyed data is a ticking time bomb. Improper ITAD is a risk carried forward indefinitely.
Increasingly, CEOs and executives are caught in the crosshairs. Since 2014, top leaders at Equifax, Target, and Sony have either resigned or been fired in the wake of prominent cyber incidents, according to a recent Wall Street Journal article. Congress is considering legislation that would impose heavy fines and even prison time on high-level executives who fail to protect corporate data.
Look what happened to Morgan Stanley. When Morgan Stanley closed two data centers in 2016, the company decommissioned computer equipment through an outsourced data wiping (overwriting) vendor. Morgan Stanley expected a complete overwriting of customers' private data. This year, they learned they didn't get what they paid for. Instead, data remained on the "wiped" drives, which violated customers' privacy.
Today, the company is facing lawsuits from employees and customers, because personal information Morgan Stanley thought was destroyed came back to haunt them.
Hard Knock Lessons
Morgan Stanley’s experience is a hard knock lesson for any company that is handling personal information of any type. Partially destroyed data is a ticking time bomb. It is important to understand that the organization that hired the service provider is still liable for data records discovered years later.
Knowledge is Power
Data is magnetically stored on hard drives and tape. The most secure way of completely eliminating all data on magnetic media is to demagnetize the media with a degausser. Degaussing can easily be performed inside a company's secure facility by company personnel, ensuring the media is completely sanitized of any and all data before it leaves the company's secure environment.
A company's risk of a data breach from decommissioned hard drives and backup tapes can be reduced to 0% with a simple three-step media decommissioning process:
- Degauss all hard drives in-house while the media is in your company's controlled, secure facility
- Physically destroy each hard drive in-house immediately after it is degaussed
- Maintain verified proof of data erasure and destruction