7 Blind Spots in Offsite Data Destruction Programs
We find that many companies don’t understand the risks of insufficient data destruction programs and the extent of their liability, which we have outlined below:
- You have a fiduciary responsibility to protect sensitive data including client personal information, intellectual property, and employee confidential information.
- Sending sensitive data-bearing equipment off site limits what can be protected and controlled.
- Most executives are uninformed about security blind spots in off-network data-bearing devices that contain sensitive information and are generally unaware of what goes on at vendor sites.
- Liability is not severed after equipment leaves your possession and executives may be held personally liable.
Even though network intrusion gets far more attention and security dollars, 70% of data breaches come from off-network devices. Below are the seven main blind spots in offsite data destruction programs that we find working with companies across the U.S.:
1. Products stored in various locations are subject to theft or loss.
You are liable for data contained on decommissioned assets. Insufficient or absent policies that allow decommissioned or off-network data-bearing assets to be collected in unsecured locations are an indicator of a lack of due diligence.
2. Vendor-provided processing documentation is insufficient as a defense if the matter goes to court.
Industry standard documentation from asset disposition providers is inadequate. There are countless stories of equipment being illegally shipped overseas and data-bearing devices being discovered on eBay with the original owners of the equipment holding worthless certificates of destruction.
3. Data-bearing devices leave the building and are subject to theft, loss, or improper handling.
Allowing data-bearing devices containing sensitive data to leave your facility increases risk dramatically. This is why all secure government operations and businesses mandate on-site data destruction.
4. No way to measure the quality of the service of asset disposition providers.
Certificates claim the contractor provided services as intended but do not prove it. The liability remains with you!
5. Due diligence: is the internal process documented, monitored, and quality assured?
Companies often lack the time or internal discipline to aggressively manage and monitor their internal off-network device management.
6. Insurance – Asset disposition providers are typically underinsured or uninsured for data breaches and their insurance may not cover you, the client.
Data security litigation is one of the fastest-growing and most costly areas for the legal industry. Have you considered coverage for cyber liability, extortion, customer notification, or legal fees arising from an off-network data breach? Most companies do not specialize in risk management in this area and are exposed.
7. Striking a balance.
Asset decommissioning is a data security activity first and a revenue generation activity second. Often the desire to extract maximum value from decommissioned equipment leads to an increase in the company’s exposure to liability.
If you’re concerned about data security in your decommissioned equipment, please contact us.