When hardware or equipment becomes obsolete or simply no longer meets the needs of your company, where does it go? Too often, retired equipment sits in a closet somewhere waiting to be destroyed. The longer unused equipment waits to be dealt with, the greater the risk that a machine, potentially containing sensitive business or client information, will be lost or stolen.
However, for companies subject to federal regulations such as HIPAA and PCI DSS, how you handle equipment that is no longer in use is a matter of compliance as well as security. For example, the HIPAA Privacy Rule requires that covered entities apply appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information (PHI), in any form. This includes the data held on retired equipment and even data that may be obsolete to the company. Data contained on equipment that is resold or that is mismanaged by someone you trust to destroy it can come back to haunt you down the road. Wherever that data may end up, however it may get there, your company is ultimately liable.
How to Destroy Data on Retired Equipment
There are many ways people suggest for destroying a hard drive or other equipment that could contain data that you do not want landing in the wrong hands. Less sensitive information doesn’t necessarily require the most extreme or expensive treatment but every precaution must be taken to destroy credit card or PCI data on old equipment – even to the point of overkill.
Searching online you will see suggestions such as burning, shooting, or melting the hard drive. These may work for one old hard drive you have at home. It might even be fun. But these are not necessarily reasonable methods when you have a whole company’s retired equipment to deal with. And they are not really workers’ comp approved, office appropriate methods.
You can destroy the hard drive or you can destroy the data contained on the hard drive. To be safe, especially regarding sensitive data, you should do both. To ensure that old data cannot be resurrected on equipment you are no longer using, we recommend a three-step process.
Step 1: Prepare
If the data on the drive is not already encrypted, encrypt it. This is just a precaution. Every place that your employees may store sensitive data should use encryption. When a machine is retired, especially if it is going to await destruction in a closet with other old machines, verify that the data has been encrypted. You may even find holes in your processes if you notice encryption was missed.
Delete Old Files
If the machine has a deleting or shredding function, go ahead and use it as well. These built-in features provide an easy way to remove sensitive data. However, this deletion is not necessarily permanent (complete) and should not be trusted as adequate where your company’s compliance or security may be at risk.
Remove Network Settings
Remove configuration settings that could provide someone a roadmap into your network even if they can’t access data. If there is a chance the machine could end up in use somewhere else within your company or even resold outside your company, destroying the data may not be sufficient. Network settings left on the machine could provide a clever (or curious) hacker clues to finding a way into your network.
Step 2: Erase
Simply deleting critical files from the machine is not enough. Destroying the data requires special disk-wiping software to overwrite the data. The process of overwriting old data with meaningless data (ones and zeros) should be done several times. This requires a good software tool appropriate for the type of data and the type of machine you have. It also requires patience.
Another method for destroying data files on old equipment is called degaussing, which erases the data with a magnet. This is usually better than disk-wiping or overwriting the data, but only if it’s done correctly. A degaussed hard drive does not need to be destroyed, but destroying it anyway is not a bad idea.
Step 3: Destroy
Once you have prepared the equipment to be retired and taken steps to completely remove the critical data, you still want to destroy the hard drive or physical source of the data to ensure that, even if some data has been missed, it cannot be resurrected in the future.
Depending on your company’s needs, special equipment can crush, shred or disintegrate your old hard drives or equipment. These methods do not destroy the data (that is why you needed to do that first) but they render the data impossible to access.
Think of this last step as the stake through the vampire’s heart. The threat should already be dead but you want to be sure it will stay that way.
Using a Third Party Partner to Destroy Retired Hardware
Depending on your company’s volume and needs for decommissioning old equipment, you may need to hire a third party to destroy, recycle, or resell your used hardware. Regardless, your internal process and record keeping will be key to protecting your company from trouble down the road from resurrected data or regulatory action.
Prepare and store equipment until you can destroy it. Take the steps outlined above to encrypt and delete data and to remove configuration settings immediately. Then physically secure the equipment under lock and key to await further action.
Destroy old equipment on a set schedule. Put a process in place and create a trigger to remind your team when the time has come to deal with retired equipment. The intervals between dealing with retired equipment should be short. Even when you have taken steps to secure it, you do not want decommissioned equipment sitting around for very long.
At every step in the process, keep detailed records. This is critical. Track equipment that is released to employees, track updates and downloads made on the equipment while it is in use, and then track equipment that is returned to your IT team when it is no longer, or temporarily not, in use. Maintain serial numbers and a detailed chain of custody for all equipment. When a machine is ultimately retired, keep a record of each step in the process to decommission and destroy the data, the physical data storage, and as appropriate, the machine itself.
If resurrected data someday causes a security incident or data breach, you will need to trace the steps in your process. Your detailed records could also save your company from compliance penalties and fines if there is an incident.
Federal regulations are clear about the destruction or recycling of obsolete technology. Eventually you will need a third party vendor to legally dispose of unwanted equipment. Depending on your company’s capabilities in house, you can also use a third party vendor to destroy data and resell your used equipment.
Choosing a Vendor
Beware of cheap or “free” recyclers or resellers. At one time, these companies could keep costs very low by reselling old equipment. At the rate of technological advance today, the opportunity to resell and profit from doing so is dramatically less than it once was. Beware of deals that sound too good to be true. Check and verify even seemingly reputable vendors before working with them but also throughout the process.
Remember that, regardless of the guarantees or reassurances from a vendor, liability for resurrected data always lies with the entity that first created the data. For this reason, beware of vendors using middlemen to transport and/or destroy equipment. The more hands involved in the process, the more potential for risk and for mistakes.
If you are a regulated company, be sure your vendors understand the requirements for you and for them. These vendors would be subject to HIPAA regulations as Business Associates to work with HIPAA Covered Entities, for example, and this relationship would require a BA Agreement (BAA).
Working with a Vendor
Maintain your own process for handling and recording your company’s equipment. This process and your internal record keeping should extend into the vendor relationship as well. Do not simply rely on the processes or reassurances of your vendor. Do not let their processes override or replace your own.
When working with a recycling or reselling vendor, do not provide your list of serial numbers. It is important that you get the list created by the vendor to verify their possession of the equipment. Use their list to compare against your list of what was handed over to their custody.
Regardless of the vendor’s processes or reassurances, destroy as much as possible before transferring the equipment. Keep in mind, the liability for any data that is not utterly destroyed, should it ever resurface, will remain with your company as the creator of the data.
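The comparison described above, together with the per-step records recommended earlier, as an added example that is not part of the original article: a Python script that reconciles the vendor's own list against your internal handover record on your side, so your list never has to be sent to the vendor. The CSV column names and the serial numbers are assumptions constructed for illustration.

```python
import csv
import io
from collections import Counter

# Preparation steps the article asks you to record before equipment leaves
# your custody (column names are assumptions for this example).
REQUIRED_STEPS = ("encrypted", "files_deleted", "network_settings_removed", "erased")

def normalize(serial: str) -> str:
    """Compare serials case-insensitively, ignoring spaces and hyphens."""
    return "".join(ch for ch in serial.upper() if ch.isalnum())

def reconcile(internal_csv: str, vendor_csv: str) -> dict:
    internal = {normalize(r["serial"]): r for r in csv.DictReader(io.StringIO(internal_csv))}
    vendor_counts = Counter(
        normalize(r["serial"]) for r in csv.DictReader(io.StringIO(vendor_csv))
    )
    vendor = set(vendor_counts)
    return {
        # Handed over by us but never acknowledged by the vendor: custody gap.
        "missing_at_vendor": sorted(set(internal) - vendor),
        # Listed by the vendor but absent from our handover record.
        "unknown_to_us": sorted(vendor - set(internal)),
        # Same serial listed more than once by the vendor.
        "duplicated_by_vendor": sorted(s for s, n in vendor_counts.items() if n > 1),
        # Transferred without every preparation step recorded as done.
        "incomplete_prep": sorted(
            s for s, row in internal.items()
            if any(row[step].strip().lower() != "yes" for step in REQUIRED_STEPS)
        ),
    }

# Constructed sample data (not real asset records).
INTERNAL = """serial,encrypted,files_deleted,network_settings_removed,erased
WX-1001,yes,yes,yes,yes
WX-1002,yes,yes,no,yes
WX-1003,yes,yes,yes,yes
"""
VENDOR = """serial
wx1001
WX-1002
WX-1002
ZZ-9000
"""

if __name__ == "__main__":
    for finding, serials in reconcile(INTERNAL, VENDOR).items():
        print(f"{finding}: {serials or 'none'}")
```

Any non-empty finding is something to resolve with the vendor and to note in your chain-of-custody record.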
Keep in mind that if you shred a hard drive, the data is destroyed. If you take a hammer to a hard drive, the data is not destroyed – you may still run the risk that the data can later be recovered.
With policies in place within your company to effectively destroy sensitive data on equipment you are no longer using, you will ensure that data cannot be resurrected in the future and lead to a data breach. It is critical that your employees understand the risks and do their part to ensure retired or unused equipment is handled properly.