Is the IT department responsible for end-of-life data destruction? The short answer is no. End-of-life data destruction should not be an additional responsibility heaped on an IT team that, more than likely, does not have the proper training.
Let’s start with some quick background. By 2020 it was estimated that the world would hold roughly 40 zettabytes (40 trillion gigabytes) of electronic data, with every user creating about 1.7 megabytes per second. To put that into perspective, even with the continual advances in data transfer, a single user with an average download speed of 44 megabits per second would need on the order of 230 million years to download and compile all that data.
Given the volume of data being generated, and regulation that increasingly restricts how data may be retained and disseminated in order to safeguard individual privacy, expecting an IT team that is already tasked with maintaining the infrastructure to also own data destruction is unreasonable and impractical. Proper destruction of private information is critical and, quite often, complex: in-house procedures must be precisely defined and consistently followed, because the consequences of noncompliance can be severe.
Particularly for organizations and businesses that handle personally identifiable information (PII), classified data, controlled unclassified information (CUI), or other sensitive information, it is crucial to have dedicated, trained security professionals in charge of end-of-life data destruction. Ideally, a team of security experts formulates, implements, and manages a comprehensive end-of-life data destruction process that ensures all data is destroyed at the proper time, by a method appropriate to the storage medium and to the sensitivity of the data, and in accordance with the applicable security specifications.
Physical destruction is just a portion of the end-of-life data destruction process, and overlooking the rest of it can have extremely severe ramifications. When you handle personal, sensitive, or classified data, you are likely subject to laws and standards such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), the National Security Agency’s (NSA/CSS) storage device sanitization requirements for classified material in the United States, and industry standards such as the Payment Card Industry Data Security Standard (PCI DSS), to name just a few.
Depending on which regulations apply to your organization, there are different standards for how thoroughly data must be destroyed and for how long data may be held before being destroyed. In the United States, NIST SP 800-88 distinguishes clearing, purging, and destroying media, and the level required depends on the sensitivity of the data and on where the media will go afterwards; a drive that stays inside the organization may only need to be cleared, while one leaving your control needs to be purged or destroyed. The financial penalties for not adhering to these standards also vary, and many of them are steep.
The bottom line is: if you work with personal, sensitive or classified data, the onus is on you to be aware of all applicable end-of-life data destruction and privacy-protection regulations. In today’s digital age, this issue is so urgent that data privacy policies exist in over 80 countries. It is imperative that all sensitive data residing at a company, whether pertaining to the company or to an external partner or third party, be assigned a proper timeline for destruction at end-of-life, and that the data then be destroyed irreversibly. The only way to guarantee this is to assign the responsibility, oversight and ongoing supervision to an in-house professional security team headed by a chief security officer who is well-versed in data privacy laws and maintains an organized end-of-life data destruction plan and process.
Third Party Data Destruction
Using a third-party destruction company is a risky proposition. A certificate of destruction is a statement by the vendor, not evidence: you cannot be certain the data is irreversibly destroyed unless you have actually witnessed the destruction and controlled every step of the transfer, including chain of custody and a serial-number reconciliation of every device handed over against every device destroyed. Studies of second-hand drives bought on the open market have repeatedly found PII, sensitive and even classified data on disks that were supposedly wiped or destroyed.
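One check that belongs in the in-house process, independent of any certificate, is to verify sanitization on the media itself before it leaves your custody (or on a sample of drives returned by a vendor). The script below is an added example, not code from the original article: it assumes the sanitized medium is readable as a raw block device or image file, samples blocks spread across the whole address space, and checks each block against the expected post-sanitization state (a fixed fill byte after an overwrite, or high-entropy data after a cryptographic erase). The 8 MiB "drive" images and the leftover customer-record text are constructed for the demonstration. Physically destroyed media cannot be read back, so this check applies to the overwrite or crypto-erase stage that precedes release or shredding.

```python
"""Sanitization verification by sector sampling.

Added example, not the article's code.  Assumes the sanitized medium can be
read as a raw block device (for example /dev/sdX on Linux) or as an image file.

Caveat: reading through the block interface only covers the logical address
space.  On flash media (SSDs, USB sticks) remapped and over-provisioned blocks
are invisible here, so a clean result is a sanity check, not proof; use the
drive's sanitize / crypto-erase command or destroy the device.
"""
import io
import math
import random
from collections import Counter
from typing import BinaryIO, Optional

BLOCK = 4096               # sampling granularity, matching 4K physical sectors
RANDOM_MIN_ENTROPY = 7.5   # bits/byte; a 4 KiB block of uniform random bytes scores about 7.95
SIZE = 8 * 1024 * 1024     # size of the constructed demo images


def shannon_entropy(buf: bytes) -> float:
    """Empirical byte entropy in bits per byte (0.0 for empty or constant input)."""
    n = len(buf)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def sample_offsets(size: int, samples: int) -> list[int]:
    """Block-aligned offsets spread evenly over the medium, always including the
    first and last block (partition tables and backup headers live there)."""
    nblocks = size // BLOCK
    if nblocks <= 0:
        return []
    if samples <= 1:
        return [0]
    if samples >= nblocks:
        return [i * BLOCK for i in range(nblocks)]
    step = (nblocks - 1) / (samples - 1)
    return sorted({round(i * step) * BLOCK for i in range(samples)})


def block_status(buf: bytes, fill: Optional[bytes]) -> str:
    """'ok' if the block looks sanitized as expected, otherwise 'residual'.
    fill: the single byte an overwrite should have left, or None after a
    cryptographic erase / random overwrite, where only high entropy is acceptable."""
    if fill is not None:
        return "ok" if buf == fill * len(buf) else "residual"
    return "ok" if shannon_entropy(buf) >= RANDOM_MIN_ENTROPY else "residual"


def verify_media(dev: BinaryIO, size: int, samples: int = 256,
                 fill: Optional[bytes] = b"\x00") -> dict:
    """Sample `samples` blocks from `dev` and report every block that still
    carries data, with its offset and the first 16 bytes for the operator."""
    offsets = sample_offsets(size, samples)
    residual = []
    for off in offsets:
        dev.seek(off)
        buf = dev.read(BLOCK)
        if block_status(buf, fill) == "residual":
            residual.append((off, buf[:16].hex()))
    return {"sampled": len(offsets), "residual": residual, "passed": not residual}


def make_image(kind: str) -> io.BytesIO:
    """Constructed sample media for the demo: 'zeroed' (clean overwrite),
    'random' (as after a crypto-erase), or 'leaky' (zeroed except for a 256 KiB
    run of customer-record text that a sloppy wipe left behind)."""
    if kind == "zeroed":
        data = bytearray(SIZE)
    elif kind == "random":
        data = bytearray(random.Random(1).randbytes(SIZE))   # deterministic stand-in for urandom
    elif kind == "leaky":
        data = bytearray(SIZE)
        record = b"customer=Jane Doe;account=00012345;dob=1980-01-01\n"   # constructed sample PII
        start, length = 5 * 1024 * 1024, 256 * 1024
        data[start:start + length] = (record * (length // len(record) + 1))[:length]
    else:
        raise ValueError(kind)
    return io.BytesIO(bytes(data))


if __name__ == "__main__":
    for kind, fill in (("zeroed", b"\x00"), ("leaky", b"\x00"), ("random", None)):
        report = verify_media(make_image(kind), SIZE, fill=fill)
        verdict = "PASS" if report["passed"] else f"FAIL ({len(report['residual'])} residual block(s))"
        print(f"{kind:7s} {verdict}")
        for off, preview in report["residual"][:3]:
            print(f"        offset {off:#x}: {preview}")
```

Against a real device the same function works on `open("/dev/sdX", "rb")` with the device size from `os.lseek(fd, 0, os.SEEK_END)`; raise `samples` for large drives, and record the report alongside the device serial number as part of the destruction log. A block that fails the entropy check after a crypto-erase, or any non-fill block after an overwrite, means the device is not ready to leave your control.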
How to Stay Compliant
Designating professional, in-house security personnel to curate and monitor end-of-life data destruction plans is the strongest defense against data breaches. Furthermore, be sure this security team has equipment suited to each type of media in use: degaussing erases magnetic disks and tape but does nothing to SSDs and other flash storage, which require the drive’s own sanitize or cryptographic-erase command or physical destruction. If you are unsure whether your equipment suffices, check the NSA/CSS Evaluated Products Lists for degaussers and destruction devices.