By Steve Chafitz

The next time your company donates an old PC to your favorite charity, the deduction you take may be worthless compared to the potential fine you could be subjected to.
Not only is a financial loss from a fine unhealthy for your business, the bad PR would be disastrous. A recent study by the Ponemon Institute determined the average cost of a data breach in the US has now risen to $5.9 million, or $201 per file breached. Breaches are widespread and affect every industry, from small IT companies and auto dealers to manufacturers and R&D firms. If you own a business, you're at risk.
Today, businesses are collecting large amounts of Personally Identifying Information (PII), such as account numbers, credit card numbers, social security numbers, and other information related to their customers, employees and business partners. Most corporate officers and business owners are not aware that there are numerous federal regulations requiring them to protect this information, and that they are subject to large fines and/or imprisonment if the information is disclosed. These regulations apply to the single-person office as well as major corporations. Every business owner must protect themselves from the consequences of a data breach.
If you are like most companies and agencies, you have stacks of old hard drives and obsolete electronic equipment that have been sitting for months. Chances are good this equipment contains confidential data you are required to protect. Many companies donate old equipment, give it to their employees, or even sell it online. Unless you are absolutely certain there is no data remaining on the equipment, such methods of disposal are extremely risky.
Be aware -- PCs aren't the only equipment that contains data. Printers, fax machines, copy machines, medical equipment, telephone equipment, cell phones, PDAs and other electronic items retain data that should not be disclosed. The longer the equipment sits unused, the greater the risk that it will be stolen, along with the data on it.
Data breaches are serious and can lead to serious fines and even jail time (a California man served jail time for disclosing personal information). Also, a recent law allows the Attorney General (AG) of each state to sue health care providers on behalf of residents if the AG feels personal data was compromised. The AGs of Connecticut and Minnesota were successful in fining state businesses to the tune of $375,000 and $2,500,000 respectively. There's great incentive for the state to sue, because the state gets to keep the money!
What can your company do to prevent data breaches? Most important is to establish policies and procedures to safeguard data. Each of the privacy laws has verbiage requiring you to establish policies and procedures to properly protect data. Next, seek an outside vendor whose primary business is the proper and secure sanitization of data and the proper recycling of the equipment the data resided on. Check their references, visit their facility and verify they have the specific certifications in data sanitization and electronic recycling to assure they meet the specific standards to perform the services they offer. Make sure to get proper documentation that will provide an independent, verifiable, defendable and auditable trail you can use to demonstrate that you properly destroyed the data.
Destroying data is not an arbitrary task and destroying data beyond forensic reconstruction is not easy to accomplish. Can your IT department guarantee absolute data sanitization, considering they cannot provide independent certification to confirm the data was destroyed? Is it really worth the risk?
It's not just electronic media you need to worry about. Microfilm, x-rays, magnetic tapes, CDs, plus other media all fall under a federal regulation for proper destruction. There are specific federal guidelines for data sanitization requiring specialized equipment. Deleting your files or reformatting the drive does not destroy the data. That's why companies are beginning to rely on professional data sanitization companies for reliable and secure service that is often less expensive than in-house facilities.
Don't become complacent and think it can't happen to you. Are you ready to gamble your company's future? Get started today: empty those rooms of equipment, establish the required policies and procedures, and get educated on the laws. Those simple tasks beat the alternatives: fines or jail time.
Steve is the President of e-End and is an expert on the secure sanitization of electronic media. He has briefed many federal agencies, including Pentagon officials, plus corporations, healthcare providers and others on secure data destruction and recycling techniques. Steve has also been a keynote speaker at several cyber security events. To contact him, call (240) 529-1010 or send an email to email@example.com.