When the Office of the Comptroller of the Currency imposed a $60 million fine on Morgan Stanley for their recent data breach, they cited in part “[failure] to maintain appropriate inventory of customer data stored on the decommissioned hardware devices.”
In response to this, CyberCrunch President Serdar Bankaci said “Data destruction is only half the process — the other half is the documentation. The documentation is just as important as the actual destruction.” A good program of data destruction documentation can protect your company from liabilities and fines surrounding a data breach.
Why are good documentation and recordkeeping so important? And what can you do to maintain good data destruction records? Find out in this article from CyberCrunch.
Why You Need Data Destruction Records
Data destruction means making sure that data no longer exists. While that seems obvious, it underscores the importance of keeping good records of what data was destroyed and when.
In the Morgan Stanley case, incomplete data destruction records forced regulators to assume that some data had survived the destruction process and was therefore at risk of being exposed. Had Morgan Stanley properly documented the destruction process, this would not have been an issue. They would have been able to use their records to reasonably prove that the devices containing the data had been properly sanitized and destroyed.
What Does a Data Destruction Record Need to Include?
Data recordkeeping can take many forms. The most common is a certificate of destruction (CoD). This is simply a listing of what data was destroyed and when. The record should include a general description of the data that was destroyed (financial records, PII, internal documents, etc.), how it was destroyed, and the destruction date. CoDs should be filled out any time records are destroyed or deleted due to a retention policy.
When decommissioning hardware, destruction records typically include the type of device, the serial number of that device and/or the hard drive, the method of destruction, and the date.
How To Keep Good Data Destruction Records
Data destruction records need to be consistent and organized. Any time data is deleted or destroyed as part of a retention policy, equipment decommissioning, reorganization or any other reason, a certificate of destruction should be filled out and filed safely.
You can also keep good records by choosing a data destruction vendor that specializes in good recordkeeping. CyberCrunch can help you by organizing, recording and destroying decommissioned computers, servers and other equipment. We can provide fully serialized destruction reports with timestamps. And for added security in highly regulated industries, we even offer video destruction evidence.
Don’t leave your data destruction recordkeeping to chance. Contact CyberCrunch today to discuss your data destruction options.