{"id":807,"date":"2009-07-04T13:33:27","date_gmt":"2009-07-04T17:33:27","guid":{"rendered":"http:\/\/rbach.net\/blog\/?p=807"},"modified":"2022-12-30T12:13:34","modified_gmt":"2022-12-30T17:13:34","slug":"data-destruction-policy-suggestions","status":"publish","type":"post","link":"https:\/\/rbach.net\/index.php\/data-destruction-policy-suggestions\/","title":{"rendered":"Data Destruction Policy Suggestions"},"content":{"rendered":"<p><a href=\"https:\/\/web.archive.org\/web\/20201021204351\/https:\/\/www.dreamstime.com\/royalty-free-stock-photos-hard-drive-crash-image18488\" target=\"_blank\" rel=\"noopener noreferrer\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignleft wp-image-111153 size-full\" title=\"Data Destruction Policy Suggestions\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_destruction.jpg?resize=68%2C101&#038;ssl=1\" alt=\"Data Destruction Policy Suggestions\" width=\"68\" height=\"101\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_destruction.jpg?w=68&amp;ssl=1 68w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/data_destruction.jpg?resize=50%2C75&amp;ssl=1 50w\" sizes=\"auto, (max-width: 68px) 100vw, 68px\" \/><\/a>Humans have created more digital information than we have the ability to store according to <a href=\"http:\/\/www.emc.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">EMC<\/a>&#8216;s <a href=\"http:\/\/web.archive.org\/web\/20100425225950\/http:\/\/www.emc.com:80\/digital_universe\" target=\"_blank\" rel=\"noopener noreferrer\">digital universe<\/a> survey. <em><a href=\"http:\/\/www.computerworld.com\" target=\"_blank\" rel=\"noopener noreferrer\">ComputerWorld<\/a><\/em> recently published an excellent article with a lawyer&#8217;s point of view about data destruction. 
Attorney Mark Grossman, a tech lawyer and the founder of the <a href=\"https:\/\/web.archive.org\/web\/20140210200102\/http:\/\/www.ecomputerlaw.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">Grossman Law Group<\/a>, and Tate Stickles, a partner in the Grossman Law Group, offer some insight for creating an effective data destruction policy.<\/p>\n<h3>Highlights of a data destruction policy<\/h3>\n<ol>\n<li><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" class=\"alignright wp-image-111155 size-medium\" src=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/woman_hammer_pc-2-e1572192293222-141x150.jpg?resize=141%2C150&#038;ssl=1\" alt=\"\" width=\"141\" height=\"150\" srcset=\"https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/woman_hammer_pc-2-e1572192293222.jpg?resize=141%2C150&amp;ssl=1 141w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/woman_hammer_pc-2-e1572192293222.jpg?resize=71%2C75&amp;ssl=1 71w, https:\/\/i0.wp.com\/rbach.net\/wp-content\/uploads\/woman_hammer_pc-2-e1572192293222.jpg?w=274&amp;ssl=1 274w\" sizes=\"auto, (max-width: 141px) 100vw, 141px\" \/>Data destruction is intended to be permanent.<\/li>\n<li>Policies must be consistently enforced.<\/li>\n<li>The goal is to identify and classify what data the firm has and create effective policies for disposing of it.<\/li>\n<li>Legal and proper data destruction may prevent extensive fishing expeditions by your opponents.<\/li>\n<li>A regular business process addressing data destruction should provide some &#8220;safe harbor&#8221; protections under the Federal Rules of Evidence relating to electronic evidence.<\/li>\n<li>Have a data retention policy &#8211; A data destruction policy is the second part of your data retention policy, which will help decide where data is stored and make it easier to delete old data.<\/li>\n<\/ol>\n<h3>General rules<\/h3>\n<ol>\n<li>The general rule for the disposal of any data is that simple deletion and overwriting of data is not 
enough.\n<ul>\n<li>When reusing media, wipe the old data, confirm that the data is gone, and document the process; then the media can be reused.<\/li>\n<li>Media that leaves the control of the firm, through destruction of old media or resale to another party, needs more processes, up to the physical destruction of the media.<\/li>\n<\/ul>\n<\/li>\n<li>Obligations to take certain data destruction steps depend on the laws, rules, or regulations that regulate the firm:\n<ul>\n<li>Sarbanes-Oxley,<\/li>\n<li>Gramm-Leach-Bliley,<\/li>\n<li>The Fair and Accurate Credit Transactions Act,<\/li>\n<li>HIPAA,<\/li>\n<li>Check with your tech attorney who can provide guidance on what laws, rules, and regulations may apply to your company&#8217;s situation.<\/li>\n<\/ul>\n<\/li>\n<li>Firms that are not heavily regulated can look to other destruction standards:\n<ul>\n<li>U.S. Department of Defense standards and methods (DoD 5220.22-M),<\/li>\n<li>National Institute of Standards and Technology&#8217;s Guidelines for Media Sanitation (NIST SP 80-88),<\/li>\n<li>International, national, state, and local laws, rules, and regulations.<\/li>\n<\/ul>\n<\/li>\n<li>The policy should address how to classify and handle each type of data residing on the media.<\/li>\n<li>The policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed.<\/li>\n<li>Classifications and contents of data will play a role.<\/li>\n<li>Data and media containing confidential information, trade secrets, and the private information of customers require the strictest controls and destruction methods.<\/li>\n<li>Data and media containing little to no risk to the firm may have relaxed levels of control and destruction.<\/li>\n<li>Review contracts with other companies to ensure proper handling of data destruction within the terms of those contracts. 
For example, non-disclosure agreements can contain data destruction terms that must be complied with.<\/li>\n<li>When reselling or recycling media, take samples to make sure that the proper levels of data destruction are maintained.<\/li>\n<li>In-house data destruction requires verification that the data sanitation and destruction tools and equipment are functioning properly and maintained appropriately.<\/li>\n<li>Document the entire policy so the firm will know what media is sanitized and destroyed. The documentation should allow easy answers to who, what, where, when, why, and how questions.<\/li>\n<\/ol>\n<p>The last step of an effective policy is to have a process in place so the firm can follow up with regularly scheduled testing of the process and media to ensure the effectiveness of the policy.<\/p>\n<p>&nbsp;<\/p>\n<p><em><a title=\"Ralph Bach\" href=\"https:\/\/rbach.net\/index.php\/new-resume\/\" target=\"_blank\" rel=\"noopener noreferrer\">Ralph Bach<\/a>\u00a0has been in IT long enough to know better and has blogged from his\u00a0<a title=\"Bach Seat\" href=\"https:\/\/rbach.net\/\" target=\"_blank\" rel=\"noopener noreferrer\">Bach Seat<\/a> about IT, careers, and anything else that catches his attention since 2005. You can follow him on <a class=\"broken_link\" href=\"http:\/\/www.linkedin.com\/in\/rb48334\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">LinkedIn<\/a>,\u00a0<a href=\"https:\/\/www.facebook.com\/ralph.bach.14\" target=\"_blank\" rel=\"noopener noreferrer\">Facebook<\/a>,\u00a0and\u00a0<a href=\"https:\/\/twitter.com\/rbach48334\" target=\"_blank\" rel=\"noopener noreferrer\">Twitter<\/a>. 
Email the Bach Seat\u00a0<a href=\"mailto:\/\/bach.seat@gmail.com\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>We have created more digital information than we have the ability to store so firms should develop effective data destruction 
policies<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[3216,849,2976,3232,124,951,116,4],"class_list":["post-807","post","type-post","status-publish","format-standard","hentry","category-security","tag-3216","tag-data","tag-dumpster-diving","tag-glb","tag-paper","tag-pii","tag-policy","tag-security"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/807","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/comments?post=807"}],"version-history":[{"count":6,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/807\/revisions"}],"predecessor-version":[{"id":132762,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/posts\/807\/revisions\/132762"}],"wp:attachment":[{"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/media?parent=807"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/categories?post=807"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rbach.net\/index.php\/wp-json\/wp\/v2\/tags?post=807"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}