Bach Seat

Humans have now created more digital information than we have the ability to store according to EMC‘s digital universe survey. ComputerWorld recently published an excellent article with a lawyer’s point of view regarding data destruction. Attorney’s Mark Grossman is a tech lawyer and the founder of the Grossman Law Group and Tate Stickles a partner in the Grossman Law Group provide some insight into provide some pointers for creating an effective data destruction policy.

Highlights of a data destruction policy according to the attorneys include:

• Data destruction is intended to be permanent
• Policies must be consistently enforced
• The goal is to identify and classify what data the firm has and create effective policies for disposing of it
• Legal and proper data destruction may prevent extensive fishing expeditions by your opponents
• A regular business process addressing data destruction should provide some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence
• Have a data retention policy – A data destruction policy is the second part of your data retention policy which will help determine where data is stored and make it easier to delete old data
• The general rule for the disposal of any data is that simple deletion and overwriting of data is not enough
  • When reusing media, wipe the old data, validate that the data is gone and then document the process then the media can be reused
  • Media that leaves the control of the firm by destroying old media or reselling it to another party require additional processes up to the physical destruction of media
• Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:
  • Sarbanes-Oxley
  • Graham-Leach-Bliley
  • the Fair and Accurate Credit Transactions Act
  • HIPAA
  • Check with your tech attorney who can provide guidance on what laws, rules, and regulations apply to your company’s situation
• Not heavily regulated firms can look to other destruction standards
  • U.S. Department of  Defense standards and methods (DoD 5220.22-M)
  • National Institute of Standards and Technology’s Guidelines for Media Sanitization (NIST SP 80-88)
  • International, national, state, and local laws, rules and regulations
• Should address how to classify and handle each type of data residing on the media
• Needs a process for the review and categorization of the types of data your company has and what kinds can be removed
• Classifications and contents of data will play a role
• Data and media containing confidential information, trade secrets, and the private information of customers requires the strictest controls and destruction methods
• Data and media containing little to no risk to the firm may have relaxed levels of control and destruction
• Review contracts with other companies to ensure proper handling of data destruction within the terms of those contacts. I.e., non-disclosure agreements can contain data destruction terms which must be complied with
• When reselling or recycling media, take samplings as appropriate to ensure that the proper levels of data destruction are maintained
• In-house data destruction requires verification that the data sanitation and destruction tools and equipment are functioning properly and maintained appropriately
• Document the entire  policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions
• The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and media to ensure the effectiveness of the policy