Certificate of Destruction does NOT release your Company of Liability
A certificate of data destruction is a document from a vendor that states digital media has been destroyed. The document can be as simple as a single sentence stating that computer hard drives have been destroyed to an extremely detailed document complying with NIST 800-88 specifications. A detailed certificate of data destruction from a vendor certified by NAID has more value than a simple statement from an electronic recycling company.
Certificate of Destruction
The truth is that most Certificates of Destruction contain signatures by people claiming to have provided the service. However, compliance and liability associated with data privacy laws requires much more than a piece of paper to prove that data has been properly completed. There’s no doubt that you should expect to be given a Certificate of Destruction – they are legitimate and important documents. But on their own they simply don’t provide you with the absolute proof that you need if a question arises.
Companies that are serious about complying with data privacy laws require data destruction vendors provide them with a Certificate of Destruction. Though proper documentation is certainly an important step in the data destruction process, it begs the question — are we still liable if data is lost?
Do not be under the impression that if you have a Certificate of Destruction in your possession, that it establishes your compliance and clears you of liability, that is not the case.
A certificate does provide a paper trail, and establishes that you exercised some due diligence, but trying to do the right thing isn’t enough to help you escape liability if your data ends up in the wrong hands. This is why it’s important to select a data destruction vendor and process that goes a step beyond.
Enhanced Certification.
Rather than relying upon a company’s assertions and a piece of paper, there are three basic things that will provide you with complete confidence when it comes to data destruction. These are:
On-Site (Witnessed)
If you want absolute certainty that your data has been destroyed, insist that the process is done on-site in a way that you and your employees are able to witness and verify. This eliminates all opportunities for your data to be accessed by an outsider.
Certified Vendor
There are a number of companies that offer data destruction but who have not been certified by the NAID. By choosing a company that has NAID Certification, you are choosing an organization that understands and complies with the requirements that data privacy laws establish.
physical destruction
The single best way to guarantee that your data has been destroyed is to have it physically shredded. Though there are many companies that offer to erase your drives and then recycle them, it is important to understand that this means that they will be reselling them, leaving you open to the possibility of data that has not been properly erased falling into the wrong hands and leaving you open to liability.