How to vet your third-party data destroyer

Sometimes the best IT tool is a good, old-fashioned hammer. Pros in charge of trashing old hard drives have been known to smash, throw, or drill them.

Anna Vladimirova-Kryukova, a data-privacy consultant and member of the ISACA Emerging Trends Working Group, tried the hammer method once. “It was not an easy task,” she told IT Brew.

One reason that an IT professional might swing a hammer or drill a drive? “You can be really sure that you did it with your own hands,” Vladimirova-Kryukova said.

Rather than taking the neighbor’s toolbox into the data center, some organizations choose an option that requires less arm strength: hiring a third party, like Iron Mountain or Carbonite, to do the destruction. When sending data tapes and drives to their death, however, it is essential to weigh the risks and vet the contractor, according to a number of IT pros who spoke with IT Brew.

Morgan Stanley learned this idea the hard way, recently having to pay $35 million in claims after thousands of its drives and servers meant for decommissioning were instead auctioned off, unencrypted. The contractor, a moving and storage company, had no experience or expertise in data-destruction services, according to the US Securities and Exchange Commission.

Here are tips from some pros who can help IT teams bang out a data-destruction strategy.

Do due diligence, dude.

Visit the service provider beforehand, and look around for important security features, especially access controls, said Lisa McKee, director of governance, risk, compliance and privacy at the performance-analysis company Hudl: “Do you see any doors that are propped open? Do you see locks and cameras and the physical security controls that we would expect of a reputable, high-end organization?”

Can’t make it onsite? Find details on location, reputation, security posture, and compliance with standards like NIST 800-88 Rev. 1. “How long has that company been around? Look at their website…Do they have solid financials? Have they been breached before?” McKee told IT Brew.

Depending on the sensitivity of the data, having the “right to audit” may be an important part of any contract, according to Saz Kanthasamy, principal researcher of privacy management at the International Association of Privacy Professionals (IAPP).

Encrypt it.

Make sure any sensitive, personal data given to a third party—hard drives, laptops, cell phones—is encrypted, said McKee.

Prove it.

Outsourcing orgs should also receive a badass-sounding “Certificate of Destruction,” an acknowledgement that the data was properly decommissioned according to contract, said Kanthasamy.

Some organizations may not need a third-party data hammer. Data sensitivity drives decisions about when to go in-house and when to outsource. Drives and tapes containing medical records or bank information, for example, may be better kept and destroyed on-site, said Kanthasamy.

“If we’re talking about a big global telecoms organization, that risk is obviously higher than if it’s me with a couple of photos of my garden,” said Mark Thompson, chief strategy officer for IAPP.—BH
