The Importance of Destroying Sensitive Data

Data destruction isn’t a sexy topic. But it’s one you need to learn more about if you’re a business manager and you collect sensitive data about your customers or your clients. Why? Because failing to destroy sensitive data before retiring a digital asset is a major security breach—one that could cost you your credibility as a business and thousands of dollars in fines and legal fees if that data is compromised. If the breach is bad enough, it could even cost you your business.

There’s no shortage of horror stories in the business news about hackers compromising an organization’s sensitive data. Take the case of J.P. Morgan Chase. A major cyber attack compromised the personal data of 70 million of the financial firm’s clients. It was the largest data theft ever. When all was said and done, it cost J.P Morgan over $12 billion dollars to address the problem, and the company’s credibility took a huge hit.

J.P. Morgan was lucky. It has deep pockets. So it was able to absorb the costs associated with a major security breach and keep chugging along. It was even able to overcome the loss of credibility that accompanied the breach. But you’re a small business. Could you survive the fallout from a major security breach and still keep going? Probably not.

Thinking Through the Risks

Here’s what one expert had to say about data destruction and small businesses: “Enterprise clients generally have a pretty good idea of how to deal with this problem; their practices have been relatively consistent over a period of  years, and it doesn’t generate a good deal of attention,” says Jay Heiser, an analyst at the research firm Gartner in an article on CSO.com. “But many small and mid-size businesses haven’t thought through the risks of undestroyed data.” If you haven’t thought the risks through, maybe it’s time you did.

Keep in mind that data is storable on any electronic device that has a removable storage device or hard drive. Digital cameras, computers, printers, scanners, and fax machines all contain your customers’ personal data that could get lost or stolen. Mobile devices are especially vulnerable when it comes to lost or stolen data. You’re responsible for anything that happens to that data, no matter how it happens, so it’s imperative you destroy that data before reselling or retiring electronic equipment.

Benefits of Data Destruction

A data breach occurs whenever someone’s personal data is lost or stolen from a business. It doesn’t matter why or how it happens—hacking, malware, spyware, or failure to destroy data on a hard drive before retiring an asset. Below are five benefits of destroying data stored on a hard drive before discarding an electronic device:

1. Save money on fines and legal fees — Companies that fail to protect sensitive data are subject to hefty fines and penalties if sensitive data is lost or stolen. These fees and fines could easily run into the hundreds of thousands of dollars. That doesn’t include what you’ll have to spend on public relations to restore your credibility with your target audience or on legal fees defending yourself against criminal charges.

2. Saves you from legal action—You’re legally responsible for any personal data you collect on your clients or customers—even if the data is lost or stolen through an employee’s mistake or an accident. This security breach can lead to serious legal problems for you and your company if the data is compromised. These legal problems include both civil and criminal actions.

3. Comply with government regulations — The government has passed a raft of legislation the last decade or so covering the protection of data from loss or corruption. The Health Insurance Portability and Accountability Act (HIPAA), which covers patient privacy and record security, is a good example. If patient or client information is lost or stolen or stolen because you didn’t destroy the data on an electronic asset, the consequences are severe.

4. Maintain your credibility — Letting your data fall into the wrong hands can cost you the credibility you have with your clients or customers. This could chase new customers away and cost you any repeat business you might have gotten otherwise. Once your credibility is gone, it’s gone. Few small businesses could withstand a major hit to their credibility and still survive.

5. Avoid a public relations nightmare — Positive publicity about your company is a great thing. Negative publicity—the kind you might get if clients’ or customers’ data were lost or stolen from an electronic device you were retiring—is a bad thing. The cost of combatting the public relations nightmare that comes with lost or stolen data could bankrupt your company.

Three Methods of Data Destruction

One problem for small business owners and managers is awareness. Not only is data destruction new to them, but they’re also unfamiliar with data destruction methods and when to use them. For example, many business managers think that erasing a file from a hard drive permanently deletes that information. It doesn’t. Anyone with even a basic data recovery program can recover the data you’ve just “erased” from a hard drive.

The National Institute of Standards and Technology is a great source of information about data destruction methods. Its NIST Special Publication 800-88 provides in-depth information on the topic. The publication describes three highly effective ways of destroying data:

• Overwriting data on a storage device—This is the most basic of all destruction methods. It requires you to erase the data on a hard drive first, then completely overwrite it with other information. This method works in most cases, but it still allows data to be recovered from a hard drive by a highly trained technician in a lab using special processing equipment.

• Purging data from a storage device — One way to purge data is to use the device’s controller electronics to do it. Another way to purge data is to “degauss” the drive. That involves placing the device’s hard drive in a machine that produces a strong magnetic field. That removes all data on the storage device permanently. This method is highly effective.

• Physically destroying the hard drive — This method is the safest method of destroying data. It requires you to destroy the storage device physically so it can’t be read. You can do this in several ways— disintegration, incineration, pulverizing, shredding, and melting—just so long as the device is rendered unreadable.

Each method has its advantages and disadvantages. Degaussing, for example, permanently erases the data from the hard drive but allows you to resell the electronic device to help cut replacement cost. Physically destroying the data, on the other hand, permanently destroys data but doesn’t allow you to resell the device that contained the hard drive.

Learning more about data destruction will tell you when its safe to use the different methods. That, in turn, can save you from the fallout that comes when sensitive data is lost or stolen from an electronic device you retired. It can also save you thousand in fines, legal fees, and promotional activities designed to restore your credibility.