Written by Insecurity of Everything: A Cybersecurity & Business Column, Kate Fazzini and John Shegerian
Data decommissioning is a process where electronics and other assets that hold important data are removed from a company’s possession in a responsible manner. It could be the result of a company shutting down, expanding, or simply needing to get rid of outdated equipment. Done correctly, sensitive information isn’t exposed or at risk of being stolen. Done improperly, your company faces hefty fines and damage to your reputation.
How big are those fines? In 2016, Morgan Stanley didn’t keep an updated inventory of information on hardware that was part of a data center decommissioning. The company also failed to look at the possibility of a data breach during the decommissioning and by the third-party subcontractors hired as part of the decommissioning project. The same errors were made in 2019 when devices were decommissioned at another data center.
The 2016 lapse led to the Office of the Comptroller of the Currency (OCC) ordering Morgan Stanley to notify customers. After the second lapse, the company voluntarily notified affected customers. A class-action lawsuit was filed. The OCC also fined Morgan Stanley $60 million. Morgan Stanley hasn’t admitted any fault, but that was just one fine. The company was also fined $5 million by the SEC and $5 by the Commodity Futures Trading Commission for other violations.
Unfortunately, this is just one example of just one company. There are countless other examples, some of which are well publicized and others which fly under the radar.
Steps Involved in Data Decommissioning
Data decommissioning starts long before the day you decide to relocate an office or buy a new computer. It’s something your company should be thinking of the minute you purchase electronics and storage devices for your company.
#1 – How Long Will the Device Last?
Companies should take time to establish the lifespan of their hardware and storage devices. An old laptop may be fine, but once its operating system or firmware stops receiving security updates, that device is exposed to security breaches and other threats. How do you know how long an item is viable? Look at the warranty. You should also consider how much data the device processes. A hard drive that handles a heavy workload for a full-time employee may not last as long as one a part-time employee uses.
#2 – Have a Plan in Mind
Before you need it, have a plan in mind that addresses what you’ll do when it’s time to dispose of electronics and storage devices. That plan should address your budget, what regulations apply to your company, and who you’d want involved in the final process. The people involved should keep up to date with the latest laws and requirements, since these change as new laws are added at the federal, state, and local level. When the time comes, hire experts in data decommissioning.
#3 – Take Protective Measures
Before the decommissioning starts, make sure that backups are made. Test the backups to make sure they were completed correctly. Create an inventory of the information that was on a drive or device and store it in a secure place. If something does go wrong, this backup and inventory help prove what was lost.
#4 – Decommissioning Day
On the day of the data decommissioning, everyone must know their role. You’ll go over items that still have value and can be refurbished or sold for parts. Items will be disconnected from the network and unplugged. Data may be destroyed on-site or at a secure, NAID AAA-certified facility.
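Steps #1 and #3 above (track each device's support window, back it up, test the backup, and keep an inventory in a secure place) lend themselves to a small asset register. The following is an added illustration written for this column, not code from the authors or from ERI: it records each device with its warranty end date, stores the SHA-256 digest of the pre-wipe backup image, re-verifies the backup against that digest, and produces a manifest that only marks the batch as ready to wipe when every backup checks out. Asset IDs, serial numbers, dates, and backup contents are constructed sample values.

```python
"""Decommissioning asset inventory with backup verification (added example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, asdict
from datetime import date
from typing import Dict, List, Optional


@dataclass
class Asset:
    asset_id: str                          # constructed sample ID, e.g. "AST-0001"
    device_type: str
    serial: str                            # constructed sample serial
    warranty_end: date                     # Step #1: vendor support window
    backup_sha256: Optional[str] = None    # Step #3: digest of the pre-wipe backup


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a backup image held in memory (a real image would be streamed)."""
    return hashlib.sha256(data).hexdigest()


def past_warranty(asset: Asset, today: date) -> bool:
    """Step #1: flag a device whose warranty (support window) has already ended."""
    return today > asset.warranty_end


def record_backup(asset: Asset, image: bytes) -> str:
    """Step #3: take the backup and store its digest in the inventory record."""
    asset.backup_sha256 = sha256_hex(image)
    return asset.backup_sha256


def verify_backup(asset: Asset, image: bytes) -> bool:
    """Step #3: re-read the backup and confirm it matches the recorded digest.

    A missing digest counts as a failed test: an unrecorded backup is not proof.
    """
    if asset.backup_sha256 is None:
        return False
    return hmac.compare_digest(asset.backup_sha256, sha256_hex(image))


def build_manifest(assets: List[Asset], backups: Dict[str, bytes], today: date) -> dict:
    """Inventory to store securely before wiping; proves what each device held.

    `backups` maps asset_id -> backup image bytes as re-read from backup storage.
    """
    entries = []
    for asset in assets:
        image = backups.get(asset.asset_id)
        verified = image is not None and verify_backup(asset, image)
        entry = asdict(asset)
        entry["warranty_end"] = asset.warranty_end.isoformat()
        entry["past_warranty"] = past_warranty(asset, today)
        entry["backup_verified"] = verified
        entries.append(entry)
    return {
        "generated": today.isoformat(),
        "assets": entries,
        # Do not start destruction until every device has a verified backup.
        "ready_to_wipe": all(e["backup_verified"] for e in entries),
    }


def manifest_json(manifest: dict) -> str:
    """Serialised form suitable for signing and storing with the project records."""
    return json.dumps(manifest, indent=2, sort_keys=True)


if __name__ == "__main__":
    # Constructed sample inventory and backup contents, not real devices.
    today = date(2024, 6, 1)
    laptop = Asset("AST-0001", "laptop", "SN-SAMPLE-0001", date(2023, 1, 31))
    server = Asset("AST-0002", "server", "SN-SAMPLE-0002", date(2026, 12, 31))
    laptop_img = b"constructed backup image of AST-0001"
    server_img = b"constructed backup image of AST-0002"
    record_backup(laptop, laptop_img)
    record_backup(server, server_img)
    # Simulate a corrupted re-read of the server backup: the manifest must not be ready.
    print(manifest_json(build_manifest([laptop, server],
                                       {"AST-0001": laptop_img,
                                        "AST-0002": server_img + b"corrupted"},
                                       today)))
```

The manifest's `ready_to_wipe` flag is the practical check: a device with an unverified or missing backup holds up the whole batch, which is exactly the evidence gap the Morgan Stanley inventory failures show.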
Experience is important, but there are four requirements you should demand of the ITAD (IT asset disposition) company you partner with: protecting the environment, maximizing the resale value of remarketed items, keeping information private, and securing data from start to finish. All four are critical to the success of your decommissioning project. Look for a data decommissioning team that follows e-Stewards, ISO 9001, NAID, R2 and SOC 2 standards and holds certifications in these areas.
Kate Fazzini is Director of Security Operations and Engineering at Ziff Davis; an adjunct professor of cybersecurity at Georgetown University, author of Kingdom of Lies: Unnerving Adventures in the World of Cybercrime and has served as a cybersecurity reporter for The Wall Street Journal and CNBC.
John Shegerian is co-founder and Chairman/CEO of ERI, the nation’s leading fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company. Business Journal readers can visit eridirect.com/insecurity-of-everything-book/ to receive a free copy of John’s book, The Insecurity of Everything.