Why Responsible Data Destruction is Essential for All Businesses

By John Shegerian

Without exception, data destruction should be at the top of every business’ “things to plan” list. If a business has papers, storage devices, or electronic items that are no longer needed, they can’t just throw them away. You can’t ignore the importance of having professional data destruction steps in place. If you haven’t thought about how you handle end-of-life devices, you need to.

Go back a little more than 10 years to 2010. At that point, data and information creation was at around 2 zettabytes. A zettabyte is a trillion gigabytes. Two trillion gigabytes is a lot of information. Now, skip forward to the end of 2020. In just 10 years, the creation of data and information has increased to an estimated 59 zettabytes. This information is stored in clouds, hard drives, USB sticks, and countless other devices.

People often think that restoring an item to factory settings deletes data. Some think that erasing files is enough. That simply removes paths to the information, but it’s not destroying the data. Some companies take shortcuts when it comes to keeping records and lists of electronic items being recycled. If your business is deleting data in that manner before giving away or selling old electronics, you are potentially exposing your data to a dangerous breach.

What data does your business store? Any data containing your proprietary company information, your customers’ data or employees’ personal information must be secured. Before you dispose of old, unused electronics, professional data destruction is essential.

Don’t take the chance and destroy the data on your own. Chances are you’re not going to do it correctly. If someone steals information that wasn’t properly destroyed, not only do you face huge fines, but you also face damage to your company’s reputation.

Damage to a reputation is especially important to consider. It’s estimated that about 60% of small and medium-sized companies that are impacted by a data breach end up going out of business within six months. Partner with a professional data destruction firm and lower the risk of fines and lost business.

How Much Could You Pay?

How much can companies pay in fines? It varies. If you manage medical records, improperly destroyed data can violate HIPAA. Fines for HIPAA violations can be as high as $1.5 million.

Financial institutions are bound by the rules of the Fair Credit Reporting Act (FCRA) and the Gramm-Leach-Bliley Act. While FCRA fines can be as high as $3,756 per violation, Gramm-Leach-Bliley Act violations come with penalties of up to $1.1 million. Here are some of the fines levied on companies that violated data destruction and e-recycling regulations.

One health plan was ordered to pay fines of $1.2 million back for a 2010 case where the information of more than 344,000 people was found on copier hard drives that the managed care plan provider had leased. When they returned the leased copiers, the information had never been destroyed as per HIPAA rules.

From 2013 to 2015, hundreds of stores (part of a national hardware chain) were caught throwing away batteries, fluorescent light bulbs, paints, and unused electronics. These items were not only going illegally to area landfills, but it’s believed that some of the electronic devices may have contained customer information. The company was fined $18.5 million and also had to pay close to $10 million more to help with environmental projects and complying with other measures ordered by the courts.

A major financial services company recently learned the importance of proper data destruction. The company was fined $60 million for failing to have electronic data disposed of correctly during the decommissioning of two data centers. While they’d had a company helping with the decommissioning, they didn’t keep track of the data stored on the hardware or oversee where the hardware went. After one warning, the same incident happened several years later, so fines were issued.

Sometimes, fines aren’t immediately proposed, but court-ordered actions are imposed. One Australian bank was found to have lost magnetic storage tapes containing records for upwards of 20 million bank customers. While it believes the tapes were destroyed, the bank didn’t get proof of the destruction. As a result, the bank was ordered to improve its security practices and warned that fines would be next if full compliance was not met.

Perhaps most impactful are regulations like Europe’s GDPR. Under these rules, multinational corporations are being scrutinized more than ever before for their management of digital data. Inspired by GDPR, many similar new regulations are being put into place here in the US.

If you’re not up-to-date on the changing laws, you could make a costly mistake. ITAD providers know the laws and make sure they’re always in compliance. It’s less hassle for you and makes sure your data destruction project is done correctly.

Make sure you partner with a responsible and certified ITAD provider. Look for certifications from NAID AAA, R2, e-Stewards, and ISO 9001. These four are only given to e-recyclers who pass surprise audits to guarantee they follow laws, use environmentally-responsible practices, and maintain security at all stages of data destruction.

About the Author

John Shegerian is the co-founder and executive chairman of ERI, the largest fully integrated IT and electronics asset disposition provider and cybersecurity-focused hardware destruction company in the United States. Learn more at eridirect.com.