Your Organization is at RISK with Every Uninformed IT Asset Disposal Decision
There are over 500 Federal and State regulations governing IT asset disposal
Back Thru The Future understands these risks and has the proven tools and the experience to guide our clients through this complicated regulatory landscape
Why do you destroy your hard drives? Is it for your internal data security requirements or regulatory data privacy needs or a combination of both? In most cases it’s a combination of both. While how you meet your organization’s internal data security needs is your own decision, complying with highly prescriptive federal, state and industry data privacy regulations is not.
A great example of this difference is utilizing a hard drive punch to destroy your hard drives. This, in most cases, is a perfectly adequate tool for internal data security requirements but it does not meet regulatory data privacy requirements. Data privacy regulations require that data be destroyed according to the methods described in the NIST Special Publication 800-88 “Guidelines for Media Sanitization”. These are our federal government’s minimum data sanitization specifications. Punching a hard drive is not an approved method. You would fail a regulatory audit. Another similar example is using a degausser for devices containing solid state storage circuitry. Degaussing is an approved NIST sanitization method for magnetically recorded data media but not solid state storage. Solid state storage must be destroyed by shredding.
Another example of a common difference is what constitutes “Vendor Due Diligence” for third party secure data destruction services. In many cases the vendor selection has been made by default to an existing vendor such as a paper shredder or an existing computer recycling vendor. Having experience with them and finding them easy to do business with does not qualify them as an approved vendor under data privacy regulations. The Office of the Comptroller of the Currency (OCC) is a primary regulator of the banking industry. The OCC has issued a guidance letter to all banks, “Third-Party Relationships: Risk Management Guidance”, which states:
A bank should not rely solely on experience with or prior knowledge of the third party as a proxy for an objective, in-depth assessment of the third party’s ability to perform the activity in compliance with all applicable laws and regulations and in a safe and sound manner.
Legal and Regulatory Compliance is a key vendor due diligence requirement. Shredding a hard drive is an environmentally regulated activity. Hard drives and solid state storage are electronic devices. 25 states, including CT, NJ, NY and PA, require that electronics to be disposed of are “recycled” by qualified recyclers. Paper shredders have no environmental electronic recycling credentials and therefore would fail this requirement. Another little known environmental regulation is that all shredding machines must have Air Quality Licenses. This includes mobile shredding units. Ask your mobile shredding vendor for their air quality license. Many recyclers have no data security certifications such as NAID AAA certification. They would fail this requirement. Back Thru The Future is the only US EPA licensed electronic recycling (universal waste) destination facility and NAID AAA certified secure data destruction facility that provides onsite hard drive shredding in the US. We have extensive reference lists and are one of the largest hard drive shredders in the country. We easily pass “Vendor Due Diligence” audits for secure data destruction services.
Shredding a hard drive is only part of the data privacy compliance requirement. Shredding obsolete data media is the final step in the regulatory required “data asset control system”. You must at all times know where your personally sensitive data resides and be able to prove it is secure from its original introduction into your IT system to the point all data has been destroyed. Once a data asset becomes obsolete and is removed from your active IT asset control system it becomes a manual control process. Manual control systems are notoriously difficult to manage. Not only do you need a secure inventory control system, you must be able to document an up-to-date “chain of possession” of the individual serial numbered devices. You must have documented evidence of employee training and annual risk assessment reviews. Even with all of these required steps in place, employee turnover can quickly create major problems. Back Thru The Future provides a turnkey solution for the entire manual data asset control process. This eliminates the need for the utilization of scarce technical resources and the significant time and management effort to control this process. Shredding is just part of our solution.
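The two checks described above, a destruction method that matches the media type and an unbroken, serial-numbered chain of possession ending in documented destruction, can be run over a device ledger. This is an added example, not a Back Thru The Future tool; the approved-method map encodes only what this page states (degaussing for magnetic media, shredding for both, punching for neither), the custody stage names are assumed, and the device records are constructed.

```python
# Sanitization methods acceptable per media type, limited to what this page
# states about NIST SP 800-88 (the standard itself has more detail).
APPROVED_METHODS = {
    "magnetic": {"degauss", "shred"},
    "solid_state": {"shred"},
}
# Assumed custody stages every serial-numbered device must pass through, in order.
REQUIRED_STAGES = ["removed_from_service", "secure_inventory",
                   "transferred_to_vendor", "destroyed"]


def audit_device(serial, media, events, destruction_method=""):
    """Return a list of audit findings for one device; empty means it passes.

    events: chronological list of (stage, handler) tuples, one per hand-off.
    """
    findings = []
    stages = [stage for stage, _ in events]
    # Chain of possession must follow the required stages with no gaps.
    if stages != REQUIRED_STAGES[:len(stages)]:
        findings.append("chain of possession broken or out of order")
    if stages[-1:] != ["destroyed"]:
        findings.append("no documented destruction")
    # Every hand-off must name the person or party holding the device.
    if any(not handler for _, handler in events):
        findings.append("custody event with no named handler")
    # Destruction method must be approved for this media type.
    approved = APPROVED_METHODS.get(media)
    if approved is None:
        findings.append(f"unknown media type {media!r}")
    elif destruction_method and destruction_method not in approved:
        findings.append(f"{destruction_method!r} not approved for {media} media")
    return findings


def audit(devices):
    """Audit a ledger of device dicts, keyed by serial number."""
    return {d["serial"]: audit_device(d["serial"], d["media"], d["events"],
                                      d.get("destruction_method", ""))
            for d in devices}


# Constructed sample ledger; serials and handlers are placeholders.
FULL = [(s, "J. Doe") for s in REQUIRED_STAGES]
SAMPLE_DEVICES = [
    {"serial": "HDD-0001", "media": "magnetic", "events": FULL, "destruction_method": "degauss"},
    {"serial": "SSD-0002", "media": "solid_state", "events": FULL, "destruction_method": "degauss"},
    {"serial": "HDD-0003", "media": "magnetic", "destruction_method": "punch",
     "events": [("removed_from_service", "J. Doe"), ("transferred_to_vendor", "Vendor"),
                ("destroyed", "Vendor")]},
    {"serial": "HDD-0004", "media": "magnetic",
     "events": [("removed_from_service", "J. Doe"), ("secure_inventory", "J. Doe")]},
]

if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_DEVICES).items():
        print(serial, "PASS" if not findings else "; ".join(findings))
```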
Back Thru The Future has specialized in providing regulatory compliant onsite and plant based data media shredding services for over 6 years and is one of the largest hard drive shredders in the country.
We presently have 6 mobile data destruction vehicles and a large volume 4 shaft plant based shredder that gives us the highest media shredding capacity in the country.
100% of our client quality control surveys rate both our pre-project and post-project communications as “Excellent”.
92% of our new client quality control surveys have been returned marked “exceeded expectations”.
Why not get a project price quote and find out how inexpensive great service can be?