NAIDnotes

Thursday January 8, 2015

Why a 'destroy all' data disposal strategy is the only reasonable option

A "destroy all" data disposal strategy is the only safe and reasonable option. Compare it with the other data protection controls an organization runs: at our organization, for instance, I have no control over our firewall, and emails are scanned to remove harmful links. It would be very difficult for any employee to circumvent these measures. I think most people would agree that the more automatic or foolproof we can make data protection, taking the human element out of it, the better.

I am always surprised by the number of organizations that leave it up to frontline employees to decide which discarded media should or should not be destroyed securely. Information disposal is an area of data protection where every employee has the capability of inadvertently putting an organization at tremendous risk. It is borderline negligence to have a policy that allows every employee to determine what needs to be shredded or which computers need to be destroyed. And yet, as secure destruction professionals, we see this all the time. Employees are told where the shredder is located and advised to use it when necessary. Or employees are given a waste basket, a recycle bin, and a confidential shredding console and instructed to make sure the right material goes in the appropriate bin.

Under this scenario, the organization is literally putting its regulatory compliance, client privacy, and intellectual property rights in the hands of employees, who are usually not held accountable for their decisions, who have no stake in their choices, who have little understanding of the risks, and who are pressured to be as productive as possible. 

In this day and age, that is not even borderline negligence; it is pure negligence. Imagine being audited or deposed after an incident and having to admit that every employee has the discretion to make such an important decision, with no way to hold them accountable. That admission would be devastating to the organization.

Given the risks, the regulatory consequences, and the potential loss of reputation and intellectual property rights, the only reasonable course of action is to destroy all discarded media. The cost is so low, especially when compared with the consequences, that any other choice would be deemed reckless at a minimum and almost certainly legally negligent.

Comments: 2

Dave Candelario, January 9, 2015 5:43 pm

I agree wholeheartedly except for one caveat... Physically destroying usable hard drives and other electronic media is not supportive of the "reuse" ethos for recycling. I say this with mixed feelings because my company often recommends physical destruction of hard drives as the most effective method of data destruction. Sanitizing usable hard drives can be very effective, BUT the effectiveness is totally dependent on an airtight process. We actually give our data destruction customers a "sanitize" option that's cheaper than physical destruction. So far, 100% of our data destruction customers opt for physical destruction. The other factor is that the visual impact of a shredded hard drive or backup tape is very appealing to customers. It's very easy to accept that the data is destroyed on a shredded hard drive versus a sanitized hard drive. Our focus as an electronics recycling company is reuse/refurbish, but we definitely understand and appreciate the popularity of our hard drive shredder.
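The commenter's point that sanitization is only as good as the process around it comes down, in practice, to verification: after the overwrite, every sector has to be read back, and any sector that still holds data sends the drive to the shredder instead of back into the reuse stream. The following Python script is an added example, not code from NAIDnotes or from the commenter's company. It overwrites and then verifies a constructed in-memory device image; the `StickySectorDevice` stub, the zero-fill pattern and the fake customer record are all assumptions made here for illustration. The stub models one real failure mode, a sector that reports a successful write but keeps its old contents, which is why the verify step reads the whole device rather than sampling it. On a real SSD the firmware sanitize command is the right tool, because a software overwrite cannot reach remapped or over-provisioned blocks.

```python
"""Overwrite-and-verify check for a sanitization workflow.

Added example, not code from NAIDnotes or from the commenter's company.
The device is a constructed in-memory stand-in for a hard drive; on real
hardware you would read and write the block device file instead.
"""
import hashlib
from dataclasses import dataclass, field

SECTOR = 512


class StickySectorDevice:
    """Constructed device stub. Sectors listed in `sticky` silently drop
    writes, modelling a drive where remapped or failing blocks keep their
    old contents even though the overwrite reports success."""

    def __init__(self, data: bytes, sticky=()):
        if len(data) % SECTOR:
            raise ValueError("image must be a whole number of sectors")
        self.buf = bytearray(data)
        self.sticky = set(sticky)

    @property
    def sectors(self) -> int:
        return len(self.buf) // SECTOR

    def read_sector(self, n: int) -> bytes:
        return bytes(self.buf[n * SECTOR:(n + 1) * SECTOR])

    def write_sector(self, n: int, block: bytes) -> None:
        if n in self.sticky:
            return  # write "succeeds" but nothing changes on the media
        self.buf[n * SECTOR:(n + 1) * SECTOR] = block


@dataclass
class VerifyReport:
    total_sectors: int
    residual_sectors: list = field(default_factory=list)  # sectors still holding data
    sha256: str = ""  # digest of the full read-back, for the disposition record

    @property
    def passed(self) -> bool:
        return not self.residual_sectors


def fill_block(pattern: bytes) -> bytes:
    """Expand a short pattern to one full sector."""
    if SECTOR % len(pattern):
        raise ValueError("pattern must divide the sector size")
    return pattern * (SECTOR // len(pattern))


def overwrite(dev: StickySectorDevice, pattern: bytes = b"\x00") -> None:
    """Single-pass overwrite of every sector with `pattern`."""
    block = fill_block(pattern)
    for n in range(dev.sectors):
        dev.write_sector(n, block)


def verify(dev: StickySectorDevice, pattern: bytes = b"\x00") -> VerifyReport:
    """Read back the whole device (no sampling) and list every sector that
    does not match the expected pattern."""
    block = fill_block(pattern)
    report = VerifyReport(total_sectors=dev.sectors)
    digest = hashlib.sha256()
    for n in range(dev.sectors):
        data = dev.read_sector(n)
        digest.update(data)
        if data != block:
            report.residual_sectors.append(n)
    report.sha256 = digest.hexdigest()
    return report


def disposition(dev: StickySectorDevice, pattern: bytes = b"\x00") -> str:
    """Sanitize, verify, and decide: a drive that fails read-back goes to
    physical destruction rather than back into the reuse stream."""
    overwrite(dev, pattern)
    return "reuse" if verify(dev, pattern).passed else "destroy"


def make_sample_device(sticky=()) -> StickySectorDevice:
    """Constructed 8-sector image filled with a fake customer record."""
    record = b"customer 0001 SSN 000-00-0000 card 4111111111111111 "
    image = (record * (8 * SECTOR // len(record) + 1))[:8 * SECTOR]
    return StickySectorDevice(image, sticky)


if __name__ == "__main__":
    good = make_sample_device()
    print("healthy drive:", disposition(good))               # reuse
    bad = make_sample_device(sticky=[3])
    print("drive with sticky sector:", disposition(bad))     # destroy
    print("residual sectors:", verify(bad).residual_sectors)  # [3]
```

The `sha256` field exists so the read-back can be recorded alongside the drive serial in the disposition log; the decision itself rests only on `residual_sectors`, and a single non-matching sector is enough to route the drive to destruction.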

Phil Markert, January 20, 2015 4:47 pm

I would be interested in hearing your results in obtaining agreement to sanitize (vs destroy) from federal government customers.
