Some people simply cannot throw anything away. They hoard things … rubber bands, paper bags, broken appliances, data.
Yes, there are data hoarders out there; you know who you are. “I may need it someday,” is often the lame excuse.
If you’re a data hoarder, it’s costing you, both in terms of money and heightened risk. It costs money, potentially lots of money, to protect and keep data that has outlived its value, usefulness or retention requirements. Holding onto data in perpetuity also gives breach bandits more attack targets, which may come back to bite you in the end, so to speak. For example, the TJX Companies Inc. (the parent company of T.J. Maxx, Marshalls and Bob’s Stores) data breach in 2007 included customer files that no longer served any useful purpose for the retailer but did for the criminals.
There are two ways to deal with old data: archive it or destroy it. Archiving is inexpensive and safe, but it’s like an attic. Stuff just keeps piling up. Destroying unneeded and unnecessary data isn’t expensive and eliminates risk exposure. Besides, how many opportunities do you get to spindle and mutilate?
Data protection and handling is serious business. It behooves individuals with data asset management responsibility to know the landscape, which is getting increasingly complicated. Not only are there industry security measures, like PCI-DSS, and federal laws, like HIPAA/HITECH, Gramm-Leach-Bliley and a dozen others that change frequently, but many states also have laws regulating how a possessor of data must dispose of personal information. Such laws protect a data holder if it decides it no longer wants to maintain that data. Data destruction laws typically come in two flavors: those that spell out how the data must be destroyed and those that mandate the use of a disposal system that meets a reasonableness standard. Some states have both types.
HIPAA rules for destruction of protected healthcare information (PHI) leave little to chance, even for paper files. HIPAA-compliant paper shredders must be designated “high security”, which means they are NSA and DoD approved to produce “unreconstructible” paper segments. For digital media, all hard drives and media disks to be taken out of use must first be degaussed (magnetically mangled) and then “destroyed” as per NSA and DoD certification. Hard drive destruction involves physical bending and breaking of the drive units so that the disks inside cannot possibly be spun up or read.
When taking data and devices out of service, it’s a good idea – as well as the law in some cases – to maintain a sort of chain of custody, the same way evidence is handled during criminal arrests and court proceedings.
Isolate and Secure
Immediately remove and secure data devices to prevent unauthorized access during the disposal process. Equally important, minimize the window of time for transferring data storage devices out of the automated data security process and into your physical security process.
Validate the Media Inventory
Establishing an audit trail of the collected media may be a regulatory and legal requirement. Individual media devices should be matched to your asset management records if possible, identifying where the data on the media came from. This data media inventory validation represents the termination of your active data asset records and the beginning of your data destruction records. Consider giving the media new inventory labels such as preprinted bar code labels or RFID tags, for two reasons. First, only you have control of the matching inventory records. Second, the new identifiers allow the disposal inventory audit trail to be automated to remove human transcription errors from the process.
Destroy Data According to NIST Guidelines
The National Institute of Standards and Technology (NIST) “Guidelines for Media Sanitization” provides guidelines for destroying recorded data on all known data media. Federal data privacy regulations often require adherence to these guidelines, and following them removes any possible question as to the adequacy of your sanitization methods. NIST identifies the physical destruction of media by shredding as the best possible method of data sanitization.
Establish a Sanitization Schedule
Data privacy regulations and laws require that organizations have and follow a written policy for data destruction in a timely manner. Having a predetermined destruction schedule provides a disciplined framework.
Maintain Detailed Auditable Records
Regulatory compliance requires auditable records. The disposal process records should represent a legally valid “chain of possession” for each data storage device from its original inventory validation at your facility to its eventual data sanitization and disposal.
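
The audit trail described in the steps above, sketched as an added example (not code from the original article): a disposal ledger keyed by the new inventory label, with an audit that flags edited records, media that match no asset record, and devices that skipped a custody stage. The hash chaining, stage names, labels and asset IDs are assumptions made for illustration.

```python
import hashlib
import json

# Stage names are assumptions that mirror the steps above, in order.
STAGES = ["secured", "inventoried", "sanitized", "disposed"]
GENESIS = "0" * 64

def digest(rec):
    """SHA-256 over every field except the stored hash itself."""
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_event(ledger, label, asset_id, stage, actor, when):
    """Append one custody event, chained to the previous record's hash."""
    rec = {"label": label, "asset_id": asset_id, "stage": stage, "actor": actor,
           "when": when, "prev": ledger[-1]["hash"] if ledger else GENESIS}
    rec["hash"] = digest(rec)
    ledger.append(rec)

def audit(ledger, asset_records):
    """Return findings; an empty list means the trail is intact and complete."""
    findings, stages_by_label, prev = [], {}, GENESIS
    for i, rec in enumerate(ledger):
        if rec["prev"] != prev or rec["hash"] != digest(rec):
            findings.append(f"record {i}: hash chain broken")
        prev = rec["hash"]
        if rec["asset_id"] not in asset_records:
            findings.append(f"{rec['label']}: unknown asset {rec['asset_id']}")
        stages_by_label.setdefault(rec["label"], []).append(rec["stage"])
    for label, stages in stages_by_label.items():
        if stages != STAGES:
            findings.append(f"{label}: incomplete or out-of-order custody {stages}")
    return findings

def sample_ledger():
    """Constructed sample: D-0001 completes every stage, D-0002 is never sanitized."""
    ledger = []
    for stage in STAGES:
        append_event(ledger, "D-0001", "ASSET-17", stage, "tech-a", "2024-01-10")
        if stage != "sanitized":
            append_event(ledger, "D-0002", "ASSET-42", stage, "tech-b", "2024-01-10")
    return ledger

ASSETS = {"ASSET-17", "ASSET-42"}  # constructed asset-management records

if __name__ == "__main__":
    for finding in audit(sample_ledger(), ASSETS):
        print(finding)
```

Run against the constructed sample, the audit reports only D-0002, the device that reached disposal without a sanitization record.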