Humans have created more digital information than we have the ability to store, according to EMC's Digital Universe survey. ComputerWorld recently published an excellent article with a lawyer's point of view on data destruction. Attorney Mark Grossman, a tech lawyer and the founder of the Grossman Law Group, and Tate Stickles, a partner in the Grossman Law Group, offer some insight for creating an effective data destruction policy.
Highlights of a data destruction policy
- Data destruction is intended to be permanent.
- Policies must be consistently enforced.
- The goal is to identify and classify what data the firm has and create effective policies for disposing of it.
- Legal and proper data destruction may prevent extensive fishing expeditions by your opponents.
- A regular business process addressing data destruction should provide some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence.
- Have a data retention policy. A data destruction policy is the second half of your data retention policy; the retention policy decides where data is stored, which makes it easier to find and delete old data.
General rules
- The general rule for the disposal of any data is that simply deleting or overwriting the data is not enough.
- When reusing media, wipe the old data, confirm that the data is gone, and document the process; only then can the media be reused.
- Media that leaves the firm's control, whether it is discarded or resold to another party, needs additional processes, up to and including physical destruction of the media.
- Obligations to take certain data destruction steps depend on the laws, rules, or regulations that govern the firm:
  - Sarbanes-Oxley,
  - Gramm-Leach-Bliley,
  - The Fair and Accurate Credit Transactions Act,
  - HIPAA.
- Check with your tech attorney, who can provide guidance on which laws, rules, and regulations may apply to your company's situation.
- Firms that are not heavily regulated can look to other destruction standards:
  - U.S. Department of Defense standards and methods (DoD 5220.22-M),
  - National Institute of Standards and Technology's Guidelines for Media Sanitization (NIST SP 800-88),
  - International, national, state, and local laws, rules, and regulations.
- The policy should address how to classify and handle each type of data residing on the media.
- The policy needs a process for reviewing and categorizing the types of data your company holds and deciding which kinds can be removed.
- Classifications and contents of data will play a role.
- Data and media containing confidential information, trade secrets, and the private information of customers require the strictest controls and destruction methods.
- Data and media containing little to no risk to the firm may have relaxed levels of control and destruction.
- Review contracts with other companies to ensure data destruction is handled within the terms of those contracts. For example, non-disclosure agreements can contain data destruction terms that must be complied with.
- When reselling or recycling media, take samples to make sure that the proper levels of data destruction are maintained.
- In-house data destruction requires verification that the data sanitization and destruction tools and equipment are functioning properly and are maintained appropriately.
- Document the entire policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions.
The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and the media to ensure the policy remains effective.
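Three of the points above (confirm the data is gone before media is reused, take samples when media is resold or recycled, and document who, what, where, when, why, and how) can be tied together in one verification step. The script below is an added example, not code from the ComputerWorld article or the Grossman Law Group. It assumes the overwrite has already run against a media image (a file here; a block device in practice) and that the expected result is a uniform overwrite pattern; the log field names, the operator id and the sample images are all constructed for the example.

```python
"""Post-wipe verification with sampled reads plus a who/what/when/how record.

Added example, not code from the ComputerWorld article or the Grossman Law
Group. It assumes the overwrite step has already run against a media image
(a file here; a block device in practice) and that the expected result is a
uniform overwrite pattern. Every field name and sample value is constructed.
"""
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK_SIZE = 4096


def sample_offsets(size, block_size, samples, seed):
    """Pick block indices with a fixed seed so an auditor can replay the same check."""
    blocks = max(1, size // block_size)
    rng = random.Random(seed)
    return sorted(rng.sample(range(blocks), min(samples, blocks)))


def verify_image(path, pattern=b"\x00", samples=64, block_size=BLOCK_SIZE, seed=0, full=False):
    """Compare blocks of the image against the overwrite pattern.

    With full=False only `samples` blocks are read (a spot check); with
    full=True every block is read. Returns (passed, residual_offsets), where
    residual_offsets are byte offsets of blocks that still hold other content.
    """
    size = os.path.getsize(path)
    expected = (pattern * (block_size // len(pattern) + 1))[:block_size]
    if full:
        indices = range((size + block_size - 1) // block_size)
    else:
        indices = sample_offsets(size, block_size, samples, seed)
    residual = []
    with open(path, "rb") as fh:
        for idx in indices:
            fh.seek(idx * block_size)
            chunk = fh.read(block_size)
            # the last block may be short, so compare only as many bytes as were read
            if chunk != expected[: len(chunk)]:
                residual.append(idx * block_size)
    return (not residual), residual


def sanitization_record(path, operator, method, passed, residual, seed, samples):
    """Entry for the destruction log; the field names are assumptions, not a standard."""
    return {
        "who": operator,
        "what": os.path.basename(path),
        "where": os.path.abspath(path),  # for real media: asset tag / serial number
        "when": datetime.now(timezone.utc).isoformat(),
        "why": "media reuse",
        "how": method,
        "verification": {
            "samples": samples,
            "seed": seed,
            "passed": passed,
            "residual_offsets": residual[:10],  # enough to locate the failure
        },
    }


def demo():
    """Constructed inputs: one properly zeroed image and one where the wipe missed a spot."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        clean = os.path.join(tmp, "disk-clean.img")
        dirty = os.path.join(tmp, "disk-residual.img")
        with open(clean, "wb") as fh:
            fh.write(b"\x00" * (256 * BLOCK_SIZE))
        with open(dirty, "wb") as fh:
            fh.write(b"\x00" * (256 * BLOCK_SIZE))
            fh.seek(100 * BLOCK_SIZE + 17)
            fh.write(b"CLIENT FILE - CONFIDENTIAL")  # constructed leftover data
        for name, path in (("clean", clean), ("residual", dirty)):
            sampled_ok, _ = verify_image(path, samples=64, seed=42)
            # A spot check can miss a single bad block; the full read is the
            # authoritative result and is what the record documents.
            full_ok, residual = verify_image(path, full=True)
            record = sanitization_record(
                path, "operator-id (constructed)", "single-pass zero overwrite",
                full_ok, residual, seed=42, samples=64,
            )
            record["sampled_passed"] = sampled_ok
            results[name] = record
    return results


if __name__ == "__main__":
    for name, record in demo().items():
        status = "passed" if record["verification"]["passed"] else "FAILED"
        print(name, status, record["verification"]["residual_offsets"])
```

The sampled pass is what the article's "take samples" advice amounts to for resold or recycled media; because a spot check can skip the one block that still holds data, media that is going back into service gets the full read, and the record keeps the seed and sample count so the same check can be rerun during the regularly scheduled testing the policy calls for.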
Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.