Data Erasure: Essential Best Practices Your Organisation Must Implement
On September 9, 2021, HealthReach Community Health Center, a healthcare organisation based in Waterville, Maine US, found itself at the centre of a massive potential data breach.
The incident involved the sensitive and personal information of 101,395 residents falling into the wrong hands. Reportedly, several hard disks of the organisation containing data were improperly disposed of by an employee, instead of being securely wiped and shredded as per industry standards.
Consequently, HealthReach provided a $1 million reimbursement insurance policy to its affected consumers to minimise the impact of the data breach – a massive financial setback that is possibly difficult to recover from.
Could this data breach have been avoided?
Had HealthReach ensured that correct data erasure practices, like the use of reliable data erasure software, vendors that provide a certificate of data destruction, verification of the erasure process, and proper training of employees on data erasure, were incorporated into its processes, this incident could easily have been prevented.
While most organisations worldwide are largely focusing on preventing cyber security incidents and employing cybersecurity tools for efficient data security, the data breach incident of HealthReach reflects the other side of data security, i.e., data theft due to improper disposal of IT assets either during their end-of-life, resale or repurposing.
With the significant rise in data management and disposal issues worldwide, you do not want your organisation to be caught in the eye of the storm. The data erasure best practices mentioned in this blog will help to empower your organisation to avoid upcoming data disasters and safeguard your reputation, all through the permanent and secure removal of sensitive information.
Crucial Data Erasure Best Practices To Safeguard Privacy
Inadequate data erasure of your organisation’s devices can pose significant risks to your organisation, including privacy breaches, financial loss, and reputational damage.
Additionally, adopting secure data erasure measures is also mandatory under several laws like EU-GDPR, CCPA, PIPEDA, and the DPDP Act 2023, and their non-compliance can lead to severe penalties and fines. The following best practices of data erasure can help your organisation to keep up with these stringent regulations.
Developing A Data Retention & Destruction Policy
The first step that your organisation must take is to strategise and execute a data retention policy, highlighting the duration for retaining required data and the period after which it should be securely erased. Consequently, a well-defined data erasure policy can help your organisation in effective and secure data management.
Establishing An Inventory Of Data-Carrying Devices
Before executing data erasure procedures, you must understand the data your organisation holds and its location, therefore the mapping and visibility of all data-bearing devices across different locations are crucial. This inventory list should cover all IT assets of your organisation, comprising both physical and digital records, which will ensure that no devices are overlooked during data wiping after the retention period.
Key data breach statistics show that 21% of all folders in a typical organisation are open to everyone leading to malicious attacks, indicating a rise in data leakage and 51% criminal incidents. It is also reported that 18 percent of devices are left somewhere within the organisation with no action.
Defining The Data Wiping Process
When it comes to data erasure, your organisation can decide whether to implement an onsite or offsite process. The former grants your organisation a high level of control, enabling you to closely monitor the process within its premises and minimising the risk of data leakage. Alternatively, if your organisation decides to outsource its data erasure process to a third-party vendor, it is essential to validate certifications, conduct facility audits, and verify the vendor’s credibility in carrying out reliable data erasure.
It is also recommended that you employ certified data diagnostics and erasure tools like Securaze, that ensure the complete and secure removal of data from HDDs and SSDs in desktops, laptops, servers, and mobile devices.
Additionally, your organisation must employ reliable data erasure techniques that adhere to globally recognised data erasure standards for effective data deletion.
Even if your organisation employs trustworthy methods for data erasure, it should rigorously verify the results to ascertain their efficacy following the applicable data protection regulations.
For every sanitised storage device or drive, your organisation must maintain a verifiable certificate and a data destruction report to ensure its compliance with relevant data protection laws and standards.
You must educate your organisation’s employees about the importance of data erasure and set forth a clear framework for them to follow when dealing with sensitive data while maintaining a consistent audit trail.
Scheduling Regular Audits
Your organisation must implement regular audits as a proactive measure to ensure strict adherence to data erasure processes. This is very effective in diminishing the risks linked to data breaches, maintaining compliance, and preventing unauthorised manipulation of your sensitive business data.
17 percent of organisations report not having an audit trail for the destruction process, and 31 percent admitted not capturing the drive serial number.
Periodically Revising Erasure Policies
You must keep your organisation’s data-erasure policies up-to-date by regularly reevaluating them to align them with evolving technology and regulatory changes.
Staying Informed About Legal Requirements
It is imperative that your organisation stays vigilant regarding data protection laws and regulations in its area and ensures compliance with data erasure requirements. Lack of awareness and failure to comply with the latest laws and regulations can lead to your organisation facing considerable penalties.
💡 Based on Apple’s report titled “The Rising Threat to Consumer Data in the Cloud,” there were 5,212 verified breaches in 2021, resulting in the exposure of 1.1 billion personal records worldwide.
Moreover, a recent study analysed 159 second-hand storage drives acquired from eBay in the United States, United Kingdom, Germany, and Finland and the results revealed that 42% of the drives contained sensitive data, with 15% containing personally identifiable information (PII). What was even more alarming was how each seller stated that proper data sanitisation methods had been performed so that no data was left behind.
Such instances of improper data erasure can have serious implications on your organisation – monetary losses, reputational damage, legal issues, regulatory fines, and a significant decline in consumer trust – and by executing the aforementioned best practices for data erasure, your organisation can, not only mitigate all of these issues, but also ensure data integrity, and streamline its data management strategy.
