Clear, Purge & Destroy: When Data Must be Eliminated
Part 1 of a 2-part series on information disposal requirements
Even at their most basic, information security programs are complex and include a seemingly endless combination of controls to detect, prevent and respond to data loss. The overlay of privacy mandates – some imposed by law, others by contract or internal data retention policies – further complicates the role of information security personnel. An organization’s sensitive data, for example, must be protected against all enemies, but only until it is no longer needed or no longer lawful to retain. At that point, that very same data must be eliminated effectively, and the controls that kept it safe must give way to controls that make it unrecoverable.
Although most companies are mindful of the need to sanitize data when repurposing or disposing of technology (a situation familiar to all technology refresh programs), many fail to recognize where all of their sensitive data resides. Consider, for example, that the Federal Trade Commission (FTC) felt the need to release guidance in 2017 dedicated solely to digital copier data security. Digital copiers store images of the documents they copy, print, scan and fax on an internal hard drive, and that drive typically leaves the building with the machine. As the FTC pointed out, “Digital copiers often are leased, returned and then leased again or sold. It’s important to know how to secure data that may be retained on a digital copier hard drive, and what to do with a hard drive when you return a leased copier or dispose of one you own.” Now consider how the FTC’s caution about copiers applies to entirely outsourced infrastructures, where sensitive data routinely rests on leased and often re-assigned third-party systems that the organization never physically controls.
Finally, let us consider that data sanitization issues extend well beyond system lifecycles. Organizations also must be prepared to search for and eliminate specific data while leaving the rest intact. Non-disclosure agreements, for example, typically have provisions that require “the return or destruction” of confidential information upon request or when the contract ends. European and Canadian privacy laws, with which many U.S. businesses comply as well, generally require companies to destroy, erase or anonymize personal data as soon as it is no longer needed to fulfill its original business purpose (or, depending on the legal basis for having collected the data, when an individual withdraws their consent). Similarly, the FTC issued a Disposal Rule over a decade ago requiring businesses to securely dispose of consumer reports (and information gathered from those reports) after the company finishes using them.
Whether your organization is cleaning house by force or by choice, federal regulators and the vast majority of States stand at the ready to fine businesses that fail to adequately dispose of personally identifying information, whether in digital or physical form. Although what amounts to adequate disposal is not uniform, there is a growing consensus that sensitive information must be rendered unreadable and, beyond that, incapable of being practicably reconstructed. There is also a growing consensus that the appropriate level of disposition varies with data sensitivity, the type of media at issue, compliance requirements and cost-effectiveness: simply deleting files or reformatting a drive, for instance, leaves the underlying data recoverable and does not meet this standard.
Ideally, your organization’s Information Lifecycle Management program already takes these factors into account. If not, stay tuned for Part II of this series, when we explore NIST’s extensive media sanitization guidelines (NIST Special Publication 800-88), the source of the Clear, Purge and Destroy categories that give this series its title.