Lessons in ITAD From The Morgan Stanley Data Breach – CyberCrunch September Newsletter

Joe Connors


Welcome to the September edition of the CyberCrunch newsletter!

In this issue, we’ll examine the consequences of the recent Morgan Stanley data breach and what that means for businesses that trust their data destruction to outside vendors. We’ll also answer the questions “What is data destruction?” and “What is shredding?” and explain how understanding both of these concepts can protect your business from data breaches and associated liabilities.

Morgan Stanley Faces Lawsuits Over ITAD Mishaps

Financial firm Morgan Stanley was in the news during August after being named a defendant in several lawsuits stemming from their mishandling of decommissioned computer equipment. In separate incidents in 2016 and 2019, the company’s IT Asset Disposition (ITAD) vendor failed to completely wipe hard drives from server equipment that contained sensitive data. Though Morgan Stanley has stated that they “have not detected any unauthorized activity related to the matter”, the company is being sued in at least two lawsuits alleging “negligent and/or careless acts and omissions and the failure to protect customers’ data”.

This incident emphasizes the need to select ITAD providers that have the knowledge, skills and tools to effectively dispose of sensitive information on old hardware. Even years down the line, your company could be liable if private data is found to have been left intact on old equipment.

CyberCrunch provides NAID AAA certified, 100% guaranteed data destruction and ITAD services with fully serialized reporting and recordkeeping. When you trust your data destruction process to CyberCrunch, you can rest assured that your customers’ sensitive information has been completely destroyed and rendered unreadable — and that you’ll have the paperwork to prove it.

Protect yourself from future data disposal liabilities — contact CyberCrunch today.

What You Need to Know about Data Destruction and Shredding

The best way to protect your business from liabilities stemming from data breaches is to have good data lifecycle management. This involves collecting, storing, disposing of, and documenting data in a responsible manner that protects it from unauthorized disclosure.

Data destruction is the final step in this data lifecycle. When data is destroyed properly, it can no longer be read, accessed, copied, or otherwise used by anyone. Correct data destruction and documentation techniques are a key component of regulatory frameworks like HIPAA, PCI-DSS, and SOX. They are also being incorporated into state, national and supranational laws like California’s CCPA and the EU’s GDPR.

As we saw in the Morgan Stanley incidents, data destruction documentation and reporting become especially important when equipment is removed from service and disposed of. Data destruction can take several forms, including wiping, degaussing, shredding and pulverizing.

It’s important to choose a data destruction partner who can help you select the appropriate data destruction technique for your old equipment. For example, shredding is a fast and efficient way to destroy old hard drives, but the resulting shreds must be small enough to ensure that nothing can be recovered from them even by a determined attacker. If wiping or degaussing is used instead, the process must be tested, verified and certified to make sure that no data remains intact on the hard drives. Finally, you must maintain serialized records. As noted in the Morgan Stanley case, proper documentation, including chain-of-custody records, was not maintained, resulting in lost data and millions of dollars in liabilities.

CyberCrunch is proud to offer our customers a full range of data destruction and shredding services. Our processes are audited and certified by NAID to ensure that your company stays protected.

Contact us today to discuss how we can help you manage your data lifecycle.