Published: May 31, 2021 in our Security Fraud News & Alerts Newsletter.
For businesses needing to destroy data and outdated devices, permanently wiping data from existence can be a security challenge. It often involves removing confidential company information and the private PII (personally identifiable information) belonging to its customers. Permanently wiping data stored on an outdated hard drive is yet another challenge. A study commissioned by Comparitech found that out of 200 used hard drives purchased online, 59% still held data from previous owners. Added to that, there are data protection laws in the U.S. that are intended to regulate how data is disposed of. A closer look at the study’s findings helps us understand how simply hitting “delete” is no longer an option.
Hard Drive Data Deletion
The study breaks down the 59% of used hard drives with lingering data as follows: 26% had been formatted, but still held easily found data; 17% had deleted data that was easily recovered; and 16% looked as though there was no attempt to delete the data. Of the rest, 16% had data available but it could not be read, and only 26% had been properly wiped.
Aside from company information, the types of PII found on these second-hand hard drives can be dangerous in the wrong hands. The study found the PII varied greatly, including employment and payroll data; photos of family and friends and those meant to be private; visa applications; business documents; scans of passports and driver’s licenses; password lists; bank statements; tax documents and more.
Data Protection Laws a Factor
Absent any official, sweeping data protection laws in the U.S., three states – California, Nevada, and Virginia – currently have Comprehensive Consumer Data Privacy Laws (CCPA). However, other states do have a loose patchwork of data laws surrounding businesses and data destruction, depending on what state a business is located in.
The Federal Communications Commission (FCC) and 35 other states have rules about what types of data must be permanently destroyed. For a business residing in any state, it’s important to know exactly where company and customer data is stored, including details about the type of data it is. Third-party providers may have it, and it may also sit in paper files and on individual employee devices and drives. Different industries may also have their own data destruction compliance regulations. Yep. We agree that it’s rather confusing.
The Good News
Viewing data destruction as part of the data protection process can help keep data secure throughout its existence. The tips listed below can help get an organization’s data where it should be, including its proper destruction. Remember, if data isn’t removed entirely, a data breach could result.
Have a budget for permanently destroying data and replacing outdated hardware.
A data audit will show where your data is and how it’s being used, including any third-party involvement.
Data compliance rules can help determine what data needs eliminating and if the hardware storing the data needs replacing.
Equipment that destroys hardware is available for purchase and there are companies that offer both data and hardware destruction. Know that using outside services can add to the risk of a data breach.
Educate employees about permanent data deletion, especially those using personal devices for work. Let them know that simply hitting “delete” won’t work and that doing so provides opportunities for data theft.