Don’t Let Your “Secure” Data Storage Become a Data Breach!


Every company stores personal information about their employees, and if they sell to consumers, their customers. Even if you are not in healthcare or you don’t take credit cards, you still probably have Personally Identifiable Information (PII) on your systems. And you probably also have information you would not want to have available to your competitors.

That means every company and every department has to be concerned about data breach. Unfortunately, many organizations don’t fully understand the risks and ramifications of a data breach. They often haven’t taken a good look at basic processes and technology to ensure they are protected. There are many simple steps a company of any size can and should take to prevent data breaches.

An interesting example: Last week, as reported by a local TV news station, employees of Lancaster County (SC) became aware of missing hard drives that contained patient information collected by ambulances between 2004 and 2014. The drives were saved as “back up.” That equals ten years of names, addresses, Social Security numbers, and medical details collected from as many as 100,000 people. The drives were not encrypted.

The county had stored the hard drives in a small, locked (we presume it was locked) safe, so there was an assumption of security. The safe ended up “going missing,” taking all of that patient information with it. The county is not sure what happened to that safe — if it was stolen, or just discarded for some reason.

As it turns out, the process of data destruction and/or storage of these HDDs had not been reviewed in the past ten years. The employees were simply following an outdated process that no one questioned.

What are the simple things you should be doing to avoid a breach like this one?

A good data retention, storage and tracking system is important. If you don’t need the data for compliance or current business reasons, have a certified vendor destroy it.

If laptops, PCs or tablets have any protected or valuable information, they should be encrypted.

If you are planning to get rid of the devices, don’t remove the HDD — it’s more secure inside the device until you can arrange destruction with a certified vendor.

On the other hand, if you are keeping the devices but need to remove the HDD, don’t let the hard drive sit around for a long time, because this increases the likelihood of a breach.

If you do have loose hard drives to store, have a good process in place for tracking how many HDDs you have and storing them securely. Your IT asset disposition (ITAD) vendor can provide locking bins for further protection. Rather than letting the drives sit in a bin for an extended amount of time, however, have them removed and destroyed, or wiped, at least a few times a year, regardless of the quantity.

One of the easiest things you can do is to choose a certified, professional ITAD partner that can help you develop the best process based on your data and the risks associated with it, your compliance requirements, your internal processes and resources, and the equipment type and age. As we have mentioned before, it is imperative to have a strong process from the moment you decide to decommission your devices all the way until your ITAD vendor takes the devices away and has processed them.
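To show what the tracking step above looks like in practice, here is an added example (not from the original post or any ITAD vendor) of a small inventory audit for loose drives: it flags drives that are unencrypted, drives that have sat loose longer than the destruction interval, and drives whose newest data is past the retention window. The retention period, the 120-day destruction interval, the audit date and the three sample drives are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed policy values (assumptions, not from the post):
MAX_LOOSE_DAYS = 120     # "a few times a year" -> wipe/destroy at least every ~4 months
RETENTION_YEARS = 7      # hypothetical compliance retention window
AUDIT_DATE = date(2016, 11, 28)  # constructed audit date


@dataclass
class Drive:
    serial: str          # asset tag or HDD serial recorded when the drive was pulled
    removed_on: date     # date the HDD left its device and became a "loose" drive
    data_through: date   # newest record known to be on the drive
    encrypted: bool      # full-disk encryption in place before removal?
    location: str        # e.g. locked ITAD bin id


def audit(drives, today, max_loose_days=MAX_LOOSE_DAYS, retention_years=RETENTION_YEARS):
    """Return {serial: [issues]} for every drive that needs action."""
    findings = {}
    for d in drives:
        issues = []
        if not d.encrypted:
            issues.append("unencrypted")
        if (today - d.removed_on).days > max_loose_days:
            issues.append("overdue_destruction")
        # Approximate years as 365 days; good enough for a retention check.
        if d.data_through + timedelta(days=365 * retention_years) < today:
            issues.append("past_retention")
        if issues:
            findings[d.serial] = issues
    return findings


def sample_inventory():
    """Constructed sample drives modelled on the post's scenario."""
    return [
        Drive("HDD-0001", date(2014, 7, 1), date(2014, 6, 30), False, "safe-1"),
        Drive("HDD-0002", date(2016, 10, 15), date(2008, 12, 31), True, "bin-A"),
        Drive("HDD-0003", date(2016, 11, 1), date(2016, 10, 31), True, "bin-A"),
    ]


def run_audit():
    return audit(sample_inventory(), AUDIT_DATE)


if __name__ == "__main__":
    print(f"{len(sample_inventory())} loose drives tracked")
    for serial, issues in run_audit().items():
        print(serial, ", ".join(issues))
```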
