10 Steps For Preventing A Data Breach

 by David Pumphrey

It's simple enough: a data breach causes huge injury to your company and to the individuals whose information you are required to protect. Not implementing data security processes and safeguards can not only allow a costly data breach but can also have a direct impact on your bottom line. Costs range from the direct costs of notifications and lost business to the intangible cost to your company's brand and customer loyalty.

A data breach costs US organizations an average of $5.9 million, and HIPAA violations can carry up to a maximum of 10 years in prison. Earlier this year, the Supreme Court denied certiorari in the CareFirst data breach case. This means that identity theft does not have to be proven for an injury to occur; a substantial risk of harm exists simply by virtue of the data breach. Your company can face costly putative class action lawsuits from the unauthorized exposure of data alone.

The following steps are guidelines for measures you should take to mitigate the risk of a data breach. Keep in mind that the cost of preventing a data breach is far less than the fines and reputation damage from an actual one. With these steps you will be able to:

  • See gaps in your policies and procedures for final disposition of non-paper electronic media, if any.
  • Properly evaluate a vendor for removal of your end-of-life electronics.
  • Learn more about government regulations for handling data. 
  • Know the do's and don'ts of electronics disposition.

Are you ready to be compliant with regulations, properly destroy data and prevent a data breach from occurring on your unused electronics?

Let's get started.

1. Develop a data security process and put it in place before a breach occurs.

Every major data protection regulation in the US includes a requirement that organizations have written data protection policies and procedures. In other words, they require that the data protection "process" be identified and documented.

2. Find out what government regulations pertain to your business and how they require you to handle data.

Most corporate officers and business owners are not aware that there are numerous federal regulations requiring them to protect sensitive information relating to their customers, employees, patients, and business clients — not to mention your company’s or agency’s confidential information. Failure to do so could make you subject to large fines and/or imprisonment if this information is disclosed. 

Our team of Data Security Specialists helps a wide variety of public, government and private organizations stay in compliance with the myriad of federal regulations regarding proper data security, including:

3. Be skeptical of those that "recycle" end-of-life electronics for free.

Taking electronics to any e-waste recycler seems like a good idea, but by doing so you take a big gamble. Many “electronics recyclers” will take your equipment and simply externalize what should be their costs for proper electronic recycling to the local or global environment.

E-waste could easily go to companies that don't take the time to completely remove your data. Worse, it could go the route that industry experts believe happens more than 50% of the time when equipment is taken to just any electronics recycler: your old electronics end up in a village in China or a slum in Ghana, Nigeria, or India.

There is no assurance that e-waste will be recycled safely, ethically, and responsibly unless you use a certified electronics recycler. There are two industry-recognized standards; e-End holds a Responsible Recycling (R2) certification under the standard set forth by Sustainable Electronics Recycling International (SERI).

4. Deal with decommissioned equipment quickly

Decommissioned equipment is the most susceptible to physical theft. The chain of custody is easily lost during the transfer of server racks and other equipment once they are marked for decommission. It is best to destroy the media on this equipment with an onsite hard drive degausser and shredder. Promptly removing and destroying the media on end-of-life equipment closes the window in which a data breach can occur.

5. Teach all employees how your decommissioning process works

In order to educate your employees on your electronics decommissioning process, your organization must first have a plan in place. The plan should at least include the following steps:

  • Step One: Identify and record equipment to be decommissioned. Locate it in the facility. Schedule it for decommissioning.
  • Step Two: Identify and retain all software licenses associated with the equipment.
  • Step Three: Schedule the cancellation of any vendor maintenance contracts associated with the equipment or software.
  • Step Four: Back up and save any necessary data.
  • Step Five: Disconnect the equipment from the network and remove its entries from ACLs, subnets, and firewall rules.
  • Step Six: Turn off the equipment that is being decommissioned.
  • Step Seven: Remove the equipment for physical destruction or for data erasure sanitization with a secure, certified overwrite of all data.
  • Step Eight: Erase the hard disk drives in the equipment using an approved data sanitization method (physical destruction or software-based data erasure).

This process can be long and arduous and require man-hours that your IT department cannot afford. The best way to ensure your decommissioned equipment is properly handled and sanitized, and that its value is maximized, is to use e-End, a company certified in non-paper media data destruction and electronics recycling. View our electronics recycling process.

6. Don't depend on software to "wipe" a disk - these are unreliable.

From a data security standpoint, destroying hard drives is preferable to wiping them. The fastest way to destroy a hard drive is with a hard drive degausser. e-End uses a degausser that is on the NSA/CSS Evaluated Products List. A degausser contains very strong rare earth magnets whose field scrambles the magnetic domains on the platters, erasing the data together with the drive's servo tracks and rendering the disk unusable. Degaussing only affects magnetic media: solid-state drives and other flash storage are not erased by it and must be shredded or sanitized by another approved method. Some clients require hard drive shredding to be conducted after the drives are degaussed.

7. Never throw any electronic or computer equipment in the trash.

There is plenty of liability and risk that you undertake if you decide to just "chuck it" into the dump. The environmental cost of dumping old electronics is very high. Chemicals like arsenic, lead, and cadmium leaking into our ecosystem are bad news. Depending upon your state, there may be fines associated with illegally discarding old electronics. Aside from environmental damage, your customers may be harmed if the equipment you dump into the trash still contains data. Hackers do dumpster dive and can get your company on the front page of the news for all the wrong reasons. Fines for a data breach can bankrupt a company. An electronics decommissioning procedure can help prevent this when it is coupled with the service of a certified company like e-End.

8. Vendors should securely destroy data before any IT equipment leaves your facility.

At a minimum, onsite hard drive degaussing should be conducted by the vendor used for your decommissioning. The vendor should have mobile equipment so that 100% of the data is destroyed before the material leaves the facility. This maintains a tight chain of custody.

e-End's process for its onsite data destruction service (these steps follow the creation and acceptance of the proposal, statement of work and job tracker):

  1. Team arrives onsite. Lead meets with customer to introduce team and outline sequence of job execution.
  2. Team stages equipment and supporting elements to perform the work.
  3. All material is staged to be processed
    • Stack: Hard disk drives and electronic media are laid out for scanning
    • Scan: Serial number of each drive is scanned
    • Spreadsheet: A printout is populated with final count and serial number of drives
  4. Data sanitization and destruction is performed
  5. Remaining material (shredded or ash) is packed in gaylords, loaded in secure trucks and moved to final recycling disposition
  6. A Certificate of Witnessed Data Sanitization and Destruction is provided for reporting and auditing purposes; it includes the serial numbers and a description of the processed media.

9. Choose a vendor that is certified in data destruction and ensures compliance with federal recycling regulations.

You cannot self-certify your data destruction, and attempting to self-certify may not be enough to prove that 100% of the data was destroyed. Just as a comptroller of a business cannot certify the financial books and records and must use a certified public accountant (CPA), an IT department should use a certified third party that can provide a recognized and universally accepted certification that guarantees 100% of the data was removed and cannot be recovered by any means.

e-End is certified for non-paper media destruction in our secure facility or onsite at our customer's facility by the National Association for Information Destruction (NAID). NAID registers, audits and certifies data security vendors to perform data sanitization.

For electronics recycling, e-End strictly adheres to internationally recognized Responsible Recycling (R2) standard to reduce electronics waste and preserve natural resources. e-End maintains a zero-landfill policy for e-waste.

10. Get proof in the form of a Certificate of Destruction and/or Certificate of Recycling.

Unlike your IT department (which can't self-certify its own data destruction work), e-End can issue you an independent and defensible third-party Certificate of Recycling and Certificate of Data Destruction. This means you'll have all the paperwork necessary to prove compliance during an audit. The certificate provided for reporting and auditing purposes should include:

  • serial numbers
  • description of processed media
  • count of equipment received
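The certificate is only useful as evidence if it matches your own record. The serial numbers your team scanned when the drives were staged (the "Scan" and "Spreadsheet" steps of the onsite process above) and the serial numbers the vendor prints on the certificate are two independently produced lists; diffing them is the check that every drive that left the rack was actually destroyed. The script below is an added example written for this page, not e-End's software. The CSV column names, the serial numbers and the table of which recorded methods count as sanitization for each media type are all constructed assumptions for the example; adjust them to match your own inventory export and policy.

```python
"""Reconcile a scanned decommissioning manifest against a vendor's
Certificate of Destruction.

Added example (not e-End's code). The manifest and certificate are
produced independently, so diffing them proves that every drive sent
for destruction appears on the certificate, that nothing foreign was
slipped in, and that the recorded method is valid for the media type.
"""
import csv
import io
from dataclasses import dataclass, field

# Constructed sample data, not a real manifest: what your team scanned
# before the vendor started work. Column names are an assumption.
MANIFEST_CSV = """asset_tag,serial,media_type
A-1001,WD-WCC4E1234567,HDD
A-1002,WD-WCC4E1234568,HDD
A-1003,ST3000DM001-ZK1,HDD
A-1004,S3YZNB0K412345X,SSD
A-1005,S3YZNB0K412346Y,SSD
"""

# Constructed sample data: the serial/method listing on the certificate.
# It contains three deliberate discrepancies for the check to catch.
CERTIFICATE_CSV = """serial,method
wd-wcc4e1234567,degauss+shred
WD-WCC4E1234568,degauss+shred
ST3000DM001-ZK1,degauss
S3YZNB0K412345X,degauss
XX-NOT-OURS-0001,shred
"""

# Policy assumption for this example: which recorded methods count as
# sanitization per media type. Degaussing only works on magnetic
# platters, so "degauss" alone is not accepted for an SSD.
ACCEPTABLE_METHODS = {
    "HDD": {"degauss", "shred", "degauss+shred"},
    "SSD": {"shred", "degauss+shred"},
}


def normalize(serial: str) -> str:
    """Scanners and vendor spreadsheets disagree on case and whitespace."""
    return serial.strip().upper()


@dataclass
class Reconciliation:
    manifest_count: int = 0      # unique serials you sent
    certificate_count: int = 0   # unique serials the vendor certified
    # Sent for destruction but absent from the certificate: possible loss of custody.
    missing_from_certificate: list = field(default_factory=list)
    # On the certificate but never in your manifest: wrong batch or clerical error.
    not_in_manifest: list = field(default_factory=list)
    # Listed, but the recorded method is insufficient for that media type.
    wrong_method: list = field(default_factory=list)

    @property
    def clean(self) -> bool:
        return (
            self.manifest_count == self.certificate_count
            and not self.missing_from_certificate
            and not self.not_in_manifest
            and not self.wrong_method
        )


def reconcile(manifest_csv: str, certificate_csv: str) -> Reconciliation:
    manifest = {normalize(r["serial"]): r for r in csv.DictReader(io.StringIO(manifest_csv))}
    cert = {normalize(r["serial"]): r for r in csv.DictReader(io.StringIO(certificate_csv))}
    result = Reconciliation(manifest_count=len(manifest), certificate_count=len(cert))

    for serial, row in manifest.items():
        if serial not in cert:
            result.missing_from_certificate.append(serial)
            continue
        media = row["media_type"].strip().upper()
        method = cert[serial]["method"].strip().lower()
        if method not in ACCEPTABLE_METHODS.get(media, set()):
            result.wrong_method.append((serial, media, method))

    for serial in cert:
        if serial not in manifest:
            result.not_in_manifest.append(serial)
    return result


if __name__ == "__main__":
    r = reconcile(MANIFEST_CSV, CERTIFICATE_CSV)
    print(f"manifest: {r.manifest_count} drives, certificate: {r.certificate_count} drives")
    for s in r.missing_from_certificate:
        print(f"MISSING  {s}: sent for destruction, not on certificate")
    for s in r.not_in_manifest:
        print(f"UNKNOWN  {s}: on certificate, never in manifest")
    for s, media, method in r.wrong_method:
        print(f"METHOD   {s}: {media} recorded as '{method}', not acceptable")
    print("RESULT:", "clean" if r.clean else "do not accept the certificate")
```

Run it against the real export of your scan sheet and the certificate the vendor hands you before you sign off; an empty discrepancy list, with equal counts, is what you file alongside the certificate. A drive in `missing_from_certificate` is the case that matters most, because it is exactly the drive whose chain of custody you can no longer demonstrate.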

If you are still thinking about where to recycle your servers, computers, laptops or equipment, drop them off at our secure Frederick facility, give us a call at 240-529-1010 or send us an email at info@eendusa.com.