Best Practices for Electronic Data Destruction
One third of U.S. companies have no policy for the secure destruction of confidential documents, according to a recent study conducted by document management company Cintas and the Ponemon Institute. The survey also found that among those organizations that do have a policy, more than half—51 percent—reported that those guidelines do not include the destruction of hard drives.
However, having a policy is only the first step. Even companies that have written policies and procedures on the destruction of electronically stored information must ensure their employees are well trained, points out Bob Johnson, president of the National Association for Information Destruction (NAID), an international trade association for companies that provide information destruction services. Organizations that don’t could be held responsible in court if sensitive information falls into the wrong hands.
Whether a company has one hard drive or 500 to dispose of, Johnson encourages it to turn to professionals to destroy electronic storage devices, rather than erasing or overwriting information, which can still leave sensitive data behind. “When you are getting rid of electronic equipment you should rely on a professional who is specifically trained and also has a legal responsibility to destroy that information,” he says.
“It’s tempting, obviously, to go online and download some cheap software, maybe even free, that says it will wipe your hard drive. That’s usually where people get into trouble,” says Johnson.
NAID conducts an audit, unannounced, of the document destruction companies seeking membership, and exclusively uses auditors holding the Certified Protection Professional (CPP) certification offered by ASIS International. NAID also offers a certification for document destruction companies, which lets customers know that a vendor will securely destroy the devices and properly dispose of any materials. Johnson says that about half of the organization’s members who are involved in destruction of documentation or electronic storage devices have the AAA NAID Certification.
Cintas performs the destruction of hard drives and other electronic-storage devices only onsite. Todd Wolfe, regional business manager at Cintas, says a Cintas truck arrives at the customer’s facility, scans and records the serial number for every hard drive, shreds the material with its specialized equipment, and presents a manifest to the customer that shows that the device was destroyed. Cintas then follows EPA guidelines to properly dispose of the shredded materials. “Ultimately, however you choose to destroy [information], you need to make sure that the physical device is then disposed of in an environmentally responsible way,” Wolfe notes.