5 Point Data Erasure Checklist to Reduce Corporate Liability

Data erasure is time-consuming, cumbersome and complicated by the need to adhere to numerous regulations, including HIPAA/HITECH, FACTA, SOX, GLB and FERPA. The complexities and in-depth knowledge required to achieve responsible data erasure are the reasons many businesses choose to partner with an expert data erasure vendor to handle compliance, audit, and environmental processes on their behalf, which also frees up scarce internal resources. Here is a 5 point checklist to help your company reduce corporate liability.

1.  Risk Assessment

 

Assessing corporate risk is very important. What type of data does your company’s technology store? How valuable is it to others? What would really happen if some of that data got out? If it happens to be data on America’s next top secret weapon, there are numerous countries out there that would pay millions or even billions to obtain your data. That data is high-risk, and the sanitization process must be treated accordingly. On the other hand, if you manufacture candy or stuffed animals, and the data is regarding your supply chain delivery and inventory, your data risk may not be as high. If your data contains personal customer/client/patient information, your risk may be higher.

 

2. Compliance

 

Corporate responsibility and compliance should be of the utmost priority.  Which compliance and regulatory standards do you need to meet: HIPAA/HITECH, FACTA, SOX, GLB and FERPA?   You may need to demonstrate—to auditors internally or externally—how your retirement process protects data, including chain of custody and data erasure documentation.  What do you need to show to the auditors?  An ideal report lists all assets by date of disposition, make, model and serial number with the hard drive sanitization method documented.

 

3.  DIY or Not

 

Do you have the people, space and time to do the data wipes internally? Do you have proven processes documented as well as quality assurance and oversight? Do you have a qualified software tool that is being used properly? Our company has found that in-house data wipes result in as many as 10% of drives discovered not fully sanitized when they reach our facility.

 

4.  Quality Assurance

 

Quality assurance must be in place. Does your company have a process and the technology to ensure and verify that all drives are wiped in an effective manner? Your vendor should have a quality-check process documented. If you do the data wipe yourself, have your vendor do it on all drives again as a third-party audit and quality check.

 

5.  The Value 

 

Is data erasure worth the cost?  If you are retiring electronic equipment, consider the cost of erasure versus the resale value of the asset.  If there is little or no resale value, do not go ahead with data erasure.  Instead, drives can be physically destroyed—in your facility or at your vendor’s—for lower cost. On the other hand, consider the resale value of the asset with a sanitized hard drive vs. without, and measure that against your risk factors.  Maximize investment recovery with working hard drives in your resale assets.

 

Choosing the right vendor is essential.  Work with a NAID AAA certified partner to assess your risks, compliance needs, resources and potential ROI.  The right partner will help you develop processes and policies that balance risk and cost.  Ensure that your vendor has data breach liability insurance as well as regular liability insurance.  For more information on data erasure and data destruction, contact Lifespan.
