It just might be one of the most exciting occurrences in the workplace: the IT upgrade. Keeping up with technology is difficult, and the promise of enhanced productivity and ease of use is alluring. A rush to upgrade, however, could deliver a devastating blow to your company’s data security.
Protecting sensitive and confidential data is a monumental task for any business. Data security laws in the U.S. mandate that organizations implement ‘adequate safeguards’ to ensure privacy protection of individuals and require those organizations to have written policies and procedures regarding final disposal of media containing such information. It comes as no surprise that both the government and the courts are willing to fine and penalize organizations that violate these laws and put the privacy of individuals at risk. To name just a few:
- In 2011, TRICARE, a U.S. healthcare benefits provider, was involved in a lawsuit claiming willful negligence in dealing with private information. The lawsuit sought $4.9 billion in damages.
- Also in 2011, Sutter Health was hit with a $1 billion lawsuit.
- Emory Healthcare faced a $200 million suit for a data breach.
Considering fines, punitive damages, litigation costs, and the damage to an organization's reputation, a data breach can be extremely devastating, if not fatal, to a business. So why, then, do some organizations put themselves at such risk?
Where the Breakdown Occurs
According to a recent study, many organizations spend billions of dollars a year on data security, from encryption to monitoring, but overlook one major aspect: IT asset disposition. Accounting for retired assets can be tedious, but considering the data storage capacity of a single cell phone, laptop, or computer hard drive, it is well worth the effort.
An organization must track assets from entry into the organization, through transfers of use, to final disposition. According to a study by the Harvard Business Review, 1 in 5 organizations were unable to account for at least one asset upon disposition, and 15% of those lost assets were potentially data-containing devices such as laptops, servers, or cell phones.
Chain-of-custody is not the newest buzzword, it is not a fad, and it is not a sales tactic. It is a necessity for an organization that wishes to indemnify itself and transfer liability for its retired assets. An organization is responsible for tracking its assets throughout their useful life, whether done internally or by a third-party organization. However, that is not where asset tracking should end. When it comes time to upgrade those servers and computers, it is extremely important to continue the chain-of-custody for your electronics on the way to final destruction.
With a third-party data destruction firm that holds a AAA Certification from the National Association for Information Destruction (NAID), you can rest assured that your valuable information is in the right hands. From the moment your electronics are received, they are kept under lock and key as if that material is worth millions of dollars. A detailed form indicating material type, quantity, services to be provided, and acknowledgment of transfer of assets is filled out and signed.
Once at the destruction facility, serial numbers are recorded, and memory-containing devices are accounted for and physically destroyed. Assets received are verified against assets accepted at the point of transfer to ensure all material is present and accounted for. A detailed report indicating asset type, serial number, and final disposition (physical destruction) can be issued to the organization, along with a certificate of destruction certifying that all memory-containing devices were destroyed in a manner compliant with all local, state, and federal laws, completing the chain-of-custody.
The threat of a data breach is very real. Taking every necessary precaution is both responsible and required by law. A complete chain-of-custody is the first step in ensuring an organization's data security.
When it comes time to upgrade your technology, do not forget about the old electronics and the information they hold. It is valuable and needs to be treated as such.
For more information on IT asset disposition, electronic recycling, and data destruction, please give DataShield Corporation a call at 402.898.500.