Creating data destruction policies to protect sensitive company data

Sensitive data may be where you least expect it: including in the drawers of old office furniture you've given away. Kevin J. Mock explains how to create a data destruction policy that can prevent sensitive data from being thrown out with the trash.

How well do you know where your sensitive company data is, and how well do you think your employees care for it? Here is a true story that might make you revisit your data destruction policies.

It started out as a simple task: to buy some new file cabinets for my home office. I walked into a used office furniture store and was directed to a back warehouse with at least 200 filing cabinets. I opened a few drawers to test their sturdiness, and, to my surprise, came across microfiche and CDs that obviously contained a company's billing and customer records.

As I am a CISSP and had just gone through a major data cleanup effort at my previous company, I was shocked. How could this happen? Why would a company not make sure that old office furniture was completely empty of company/client data?

Fortunately for the company whose data I found, I knew someone who worked there. As soon as I got home, I got in touch with this person, and, a few days later, was able to point one of the company's employees to the data payload I'd discovered. We filled up two office paper boxes of microfiche and CDs full of their billing and customer records.

What might have happened if the person who discovered the data was malicious? He or she may have tried to blackmail the company or even gone to the local newspaper. In either case, the reputational damage would have been a huge headache and most likely led to loss of customers, whether existing or new. Such a data breach can also result in compliance violations with any or all of the following federal and state regulations:

  • HIPAA (Health Insurance Portability and Accountability Act)
  • GLBA (Gramm-Leach-Bliley Act)
  • FISMA (Federal Information Security Management Act)
  • FACTA (Fair and Accurate Credit Transactions Act)
  • OMB Memo (M06-16)

Do's and don'ts of data destruction

The Don'ts:
  • Don't assume that employees know what to do with old data.
  • Don't use normal trash for old company documents.
  • Don't throw away old office equipment without checking for company data.

The Dos:
  • Do have a data destruction policy and awareness program.
  • Do have shredders/locked disposal bins/destruction services for securely eliminating company data.
  • Do check for proper disposal on a regular basis, and make sure to test your breach processes.

Needless to say: The reputational damage and potential data breach fines would've cost the company a lot more than the expense of a good data destruction policy and processes. Such a policy should get everyone in the company thinking about his or her role in the security process. Along with employee awareness training concerning the proper destruction of data, processes should include investment in data destruction receptacles or services of this type, and a mandatory final inspection of all outgoing furniture by an office manager to make sure that no data is still residing in old file cabinets.

To begin creating a data destruction policy and awareness program for your company, first, identify the types of data your company has and where it resides. Your data retention policy should help you with this endeavor by indicating where both physical and electronic data is stored and for how long. The data destruction policy needs to address how to get rid of the data once it has met the expiration criteria in the data retention policy. You may want to investigate the legal aspects of the data as well by engaging your legal team, and this might also be a good time to discuss with them the processes of reporting a breach of data.

There are many examples of policies on the Internet. NIST Special Publication 800-88 (.pdf) in particular is a good resource for data destruction policies.

Employee awareness of data destruction policies should be addressed within the context of a security awareness program. Employees should be trained on what to do with old physical data and, if they are unsure, to direct questions to management. It would be a good idea to make sure that employees who handle the physical data on a regular basis are trained first. Provide employees with easy access to company security policies, either on the company intranet or in a quick reference manual. I recommend an annual review and employee sign-off on policy understanding as a good reinforcement tactic. Also consider having security and company policy awareness as part of individual employees' annual goals and objectives.

Now as for me, I think I will go look for used computers next. What could possibly go wrong with that?

About the author:
Kevin J. Mock, CISSP, has over twenty-five years of professional experience in Information Technology and Information Security. Over the last 13 years, he has held various global leadership roles within information security related to the management of technology risk for a large financial services company. Areas of focus include information security practices, vulnerability management, perimeter security, intellectual property protection, and IT infrastructure management. Kevin received his bachelor's degree in computer science from Northern Illinois University.
