The FTC is Watching Your Hard Drive Destruction and IT Disposal Practices

federal trade commission FTC and the Disposal Rule

When one of your “recycled” computers shows up on eBay – or the remarketing arm of your electronic recycling vendor – you may be the lucky recipient of an FTC audit to discuss your hard drive destruction and IT Asset Disposal practices.  With the outbreak of data leaks in recent years, the eyes of consumers and the government are on every part of a company’s data handling procedures, all the way down to how they dispose of it.

The Federal Trade Commission (FTC) is responsible for enforcing the “Disposal Rule” which requires companies to properly dispose of personally identifiable information (PII) on computer hard drives or other digital media.  The goal is to reduce the risk of data breaches and identity theft by holding companies accountable for their handling of consumer information.  This rule sets the crosshairs of the FTC on the entire computer-recycling and IT Asset Disposal process of an organization, from procurement to disposal.

The price of lazy data handling is about $1,000 for every affected consumer in the event of a breach. This doesn’t sound like much, but consider that a hard drive may contain hundreds of thousands of client records, and suddenly a single infraction has bankrupted your business.

The Fair Credit Reporting Act (FCRA) dictates that credit-reporting companies may not “furnish” consumer data to unauthorized third parties and prescribes penalties of as much as $1,000 for every affected consumer.  A lawsuit under the FCRA does not require proof of identity theft or any out-of-pocket losses.

When your company sells, donates, or has an electronic recycling company take the equipment from your custody prior to the data being destroyed, you have “furnished” consumer information to unauthorized third parties.  It’s only a matter of time before the lawsuits start coming, and when they hit, your company could very well go bankrupt.

A Certificate of Destruction Does Not Transfer Liability to the Vendor

You may have received a Certificate of Destruction from your third-party e-waste recycler or hard drive destruction vendor thinking the document transfers liability to them, but it does not.  The original collector and holder of personally identifiable information retains 100% of the liability for protecting it – even if the recycler is contractually obliged to destroy the data.   Allowing digital media such as hard drives and cell phones to leave your custody without first being physically destroyed breaks the chain of custody, and you have no proof that the third party destroyed the data.  Certificate of Destruction.

A recent survey on hard drive disposal best practice conducted by The ITAM Review shows that Information Security is overwhelmingly the strongest consideration when disposing of hard drives.  Interestingly, 61% of the respondents did not follow a specific data destruction standard while 29% had no way of proving proper disposal or data destruction.  These statistics are bound to change in the future after companies get audited and fined by the FTC.

How do you properly dispose of hard drives to comply with the Disposal Rule?

Physically shred your hard drives, memory modules, and mobile devices.  NIST 800-88 Guidelines state that physically shredding media is more secure than erasing, wiping, and degaussing.  Erasing media may allow you to recoup some residual value, but it takes time, is prone to mistakes, and most of all, is not compliant with FCRA or NIST most stringent requirements.  Not to mention that the recovered value would pale in comparison to the fines associated with a data breach.

On-site hard drive destruction.  Have your data destruction vendor come to your office.  This allows multiple employees to witness and verify the data destruction results.  Hire a certified vendor specializing in hard drive destruction.  Data privacy laws require that companies have a written data destruction plan in place prior to destroying hard drives and other digital media.  There is also a requirement that a company perform proper due diligence on the chosen data destruction vendor. Hiring a vendor certified by an internationally-recognized association such as NAID fulfills most due diligence obligation.  NAID certified hard drive destruction.

In the past, companies focused their IT Asset Disposal efforts first on recouping residual value from retired IT assets, then on complying with environmental laws for e-waste assets, and then on disposing of confidential information by the easiest method possible, in that order.  The constant recurrence of data breaches has thrown this thinking out the window and has placed the spotlight squarely on secure data disposal processes.  The public is rightfully angry that their personal information is being exposed on a daily basis, and to garner support, politicians are rallying for more robust security regulations and putting pressure on governance bodies such as the FTC.  To avoid becoming the next target of an FTC investigation and the resulting fines, your business would be well advised to overhaul its hard drive and data disposal processes and consider leveraging the services of a certified disposal partner.