ITAD & Data Security: The Truths and Myths Behind Protecting Your Data

December 16th, 2013

Myth #1: I know my company data is secure because we handle the data destruction ourselves.

Truth: Not necessarily, as with anything, there’s always potential for human error. Using internal staff to handle data destruction may seem like a sound policy. But it’s not. Internal data destruction usually stems from the idea of cost savings, which are misperceived and could cost you dearly in the long run should your data be breached. What recourse do you have if you have an internal failure? There’s also the problem of accountability. Would you represent yourself in a court of law because you read a law book? Or would you trust your case to an experienced lawyer specializing in cases like yours? Same concept goes for data management and destruction, and you should use a vetted certified data disposition company that executes to standards with quality controls, processes and financial instruments that provides additional protection when destroying your data.

Myth #2: The ITAD company we work with says it uses DoD wipe/destroy in our private data, so we are covered and protected.

Truth: You must vet and verify the company you contract with for data destruction in the process and systems they use to destroy data. Are they certified? How often are they audited and by whom? Do they have quality controls in place to measure effectiveness of their data destruction program/process? If the company is not affiliated, certified and vetted against standards set forth in management systems, such as NAID (National Association of Information Destruction) guided by NIST 800-88 (National Institute of Standards and Technologies, Publication 800-88) and R2/RIOS (Responsible Recycling and Recycling Industry Operating Systems) with documented verification of data destruction for each media, then your data is at risk. Verify the liability protections the company provides, such as  Professional Liability coverage in “Electronic Media”, “Network Security”, and “Privacy” wrongful acts. Many companies assume you won’t double check these certifications and they won’t go out of their way to ensure you’re aware of them.

Myth #3: There’s nothing special or private about our data, so we just hand our IT assets of to a local firm for no charge.

Truth: Any and all data is a big deal, even if it seems like there isn’t anything private or identifying about it. With regulations in healthcare, finance, technology, etc., all data is relevant. HIPAA, HITECH, Sarbanes-Oxley, PCI, PII, GLBA, FACTA, FISMA and FDA (21 CFR Part 11) are changing how data must be handled. You must be prepared for a breach of any size, large or small. This is why many private and public organizations trust IT asset and e-waste recycling to certified IT disposition firms that have data destruction expertise and understands these regulations and associated risks.

Myth #4: We don’t have the budget for certified data destruction or an IT asset disposition program.

Truth: You do. It’s all about where the funds come from to support a secure data destruction contract. Many companies are not aware of how to leverage their viable decommissioned assets to offset a customized program that protects them holistically. The right ITAD firm can provide a customized analysis to help corporations implement the right program to protect themselves, customers, & employees against a data breach as well as the environment from toxic materials.

Myth #5: The company handling our ITAD has an EPA ID number, which meets our IT disposition and data destruction needs.

Truth: Anyone can apply for and receive an EPA ID number. All it takes is an application with a description of services provided and a fee. The only way to ensure a company has systems in place for environment, health, and safety protection is to look at its certifications. Certifications mean a third party accreditation firm verifies compliance to EHS&Q management system such as R2/RIOS, ISO® 14001:2004 and/or OSHAS 18001 audits systems.