Late last year, Morgan Stanley was fined $60 million by the Office of the Comptroller of the Currency (OCC) when it “failed to effectively assess or address risks associated with decommissioning its hardware.” This included failing to keep appropriate tabs on customer data stored on obsolete devices and to properly oversee the disposal contractor’s handling of the hardware.
Morgan Stanley is not alone in suffering the consequences of data storage devices being mishandled at end of life (EOL). Over the last year, there has been a drastic increase in data breaches occurring in the U.S. due to the improper actions of uncertified recycling/ITAD companies. Unfortunately, widespread availability and utilization of certified recyclers is not the norm in the IT industry. There are many recyclers out there who claim to destroy the data and/or devices, but very few meet the stringent requirements necessary to ensure the job is done properly. Worse yet, when data breaches do occur, these recyclers fail to assume any financial or punitive liability for them.
Many organizations rely on their third-party IT equipment leasing companies to meet their end-of-life disposal and data destruction requirements. Unbeknownst to the customer, many of these contractors do not work with certified recyclers, thereby putting the customer’s data at risk.
Since one of the easiest and most cost-effective ways to prevent this type of data breach is to partner with a certified and reliable recycler, it’s fairly evident that the issue lies with the lack of industry awareness. This topic isn’t top-of-mind for most IT administrators and many are simply unaware of the danger and how easily it can be mitigated. At the very least, those in charge of an organization’s data storage systems need to be aware of who is ultimately handling the disposal of their end-of-life equipment and ask three basic questions:
- Are they R2 or E-Stewards certified?
- Do they carry data security insurance?
- Can they provide a Certificate of Data Destruction that is backed up by data security insurance?
Without answers to these questions, there is no concrete way to judge the security of their data or to receive compensation should a data breach occur.
North-Central Wisconsin recently lost one of only two electronics recyclers in the region when it was sold late last year, leaving Sadoff E-Recycling & Data Destruction the area’s sole provider for the foreseeable future. As Sadoff’s Chief Technology Officer & Director of E-Recycling, I’m genuinely concerned about the lack of IT community awareness that’s suggested by this reduction of competition in our industry. As Morgan Stanley discovered, data breaches can be extremely expensive, but that cost pales in comparison to the catastrophic impact a breach can have on those whose data is released to the public. When weighed against the simplicity and cost-effectiveness of proper data destruction performed by a certified provider and backed by data security insurance, it’s puzzling why the industry isn’t growing by leaps and bounds. With the exponential growth of computer technology and its required data storage, as well as the increasing scarcity of the precious metals needed to produce them, it’s safe to assume that trend will change significantly in the coming years.
In the meantime, more and more data storage equipment, containing countless pieces of private information, is reaching the end of its usable lifespan. It presents a real opportunity for unscrupulous individuals to do irreparable damage to people and organizations who’ve done nothing more sinister than trust somebody to manage their data properly. Without proper data destruction, performed by certified vendors, these devices will be a potential financial liability for their users, and a privacy nightmare for those who entrusted them with their data, for years to come.
If you have questions regarding your organization’s end-of-life process and data destruction needs, and how to best mitigate the inherent dangers they present, please email me here. I’d be more than happy to help.
AUTHOR: Chad Hayes