ITAD Should Trigger an Internal Security Process

With multiple cybersecurity incidents in the news, organizations can get a false sense of security in their ITAD processes. It’s easy to trust that employees, vendors, and partners are all on the same page when destroying data and equipment. After all, who wants their data out there?

Interestingly, many small organizations need to list ITAD under their security team or processes. It lives in various places within an organizational structure, from HR (who handles the destruction or placement of computers at the time of a resignation or termination) to various operations teams. The bottom line is that whatever protocol is in place may not meet the requirements and/or regulations regarding security incidents. And ITAD issues are always an incident. For example, if a remote employee loses an iPhone (regardless whether personal or company-issued) used for business purposes, an investigation needs to happen to ensure a breach did not occur. That is an apparent incident and may fall more under asset management than destruction.

But are your destruction processes themselves handled like an incident?

Let’s dig in.

Breaches typically occur when IT assets are out of our control. That means they are being transported either by an employee (perhaps for training purposes), at the time of termination of a remote employee, or even in a process set up by your IT department – when a partner or vendor is transporting them for destruction. An open incident occurs when they are out of your control until you are confident they have been appropriately destroyed (or arrived). It’s easy for smaller organizations to fall victim to a “we did the right thing” state of mind and not require the proper follow-through once the equipment leaves their place of work. This way of thinking was commonplace in the early 2000s, and today, some industries and fast-growing companies still need to catch up to healthcare and other highly regulated industries in ITAD processes. They are breaches waiting to happen.

Let’s change the mindset of an incident.

An incident is sometimes positive. It simply means something has occurred or begun that needs proper follow-up. If your vendors and partners aren’t willing to participate in that process, they aren’t the right partners for you.

So what incidents do you need to investigate?

When destroying or removing IT equipment from approved environments, all businesses, regardless of size or industry, should require proof of destruction or arrival (as in ITAM). That seems obvious, but you should also require proof of what took place along the way, known as the chain of custody. Savvy breaches can occur along this chain of custody. What happens when a lazy employee at a partnering company gives access to someone, even unintentionally? Or could it happen inside your facility? Would you even know unless a significant breach occurred? Should you care?

You should, and you must care. There are moral and regulatory obligations to protect the data of your clients, patients, consumers, and partners. And the fines are accelerating. In recent months ITAD breaches have resulted in fines and lawsuits for healthcare, financial institutions, and retailers from $7.4 million to 4.9 billion (lawsuit). Yes, you read that correctly. In this case, the healthcare company’s deficiencies in ITAD were recurring and systemic.

In today’s complex work environments, combined with the heightened awareness of data breaches and the knowledge that (more people) access and sell this data, we live in a perfect storm. The only way to maintain peace of mind is to consider your ITAD process an incident and require the proper follow-up and proof to ensure a breach didn’t happen. Your ITAD vendors and partners should be willing to go above and beyond and be audited and examined regularly – as in being NAID-AAA Certified (at a minimum) and achieving their SOC 2 Type 1 Attestation. This is the only way to avoid breaches during the ITAD process.

The price of the right partner will cost you far less than fines and lawsuits. Examine and investigate your ITAD processes today.