Data Destruction Policies
We are collecting data at ever-increasing rates as the costs of data storage go down. Why get rid of our beloved data when we can always buy more storage space? Some companies like Google love collecting and working with data, and these companies will rarely or never get rid of their data. This column will focus on crafting an effective data destruction policy.
Unfortunately, over time, often a company’s storage of data starts to resemble the crazy old hermit’s house with newspapers dating back fifty years stacked floor to ceiling. Instead of newspapers, your company is drowning in old digital data. While you may have a method to your madness and know where everything is, you probably do not need all of your old outdated data. To fix this mess, your company needs to figure out what data it has and create effective policies for disposing of it.
Since I am a technology attorney, this column is going to focus on digital data--all those ones and zeros that are littering your storage media. This column will address the important questions of who, what, where, when, why, and how you should destroy your data. For those of you who hate to throw anything away, please bear with me. This will not hurt a bit.
Your process should guide your company in deliberately and irreversibly removing and destroying old data stored on your systems. This destruction is intended to be permanent.
Having a consistent data destruction policy followed by everyone within your company at all times is vital, especially when you have litigation. Legally and properly destroying data prevents extensive fishing expeditions by your opponents in litigation (legalized and ritualized warfare). A regular business process addressing data destruction should also get you some “safe harbor” protections under the Federal Rules of Evidence relating to electronic evidence should litigation arise. I hate to use the word “should,” but every situation is different. Be aware that the safe harbor protections exist. You should work with your tech attorney to take advantage of them.
A data destruction policy is the second part of your data retention policy. Completing and implementing your data retention policy will help you determine where you store your data, which makes it somewhat easier to delete the old data you no longer need. Once you have mapped out of where you store your stuff and developed a policy on how long you need to keep it, you must formalize the destruction process.
Naturally, your data destruction policy must handle media leaving the control of your company differently than media simply being reused internally. However, even then, different procedures may apply for media used by different departments. The general rule for the disposal of any data, even when media is reused internally, is that the simple deletion and overwriting of the data is not enough.
When reusing media, you must create processes whereby your company wipes the old data, validates that the data is gone and the media can be reused, and then documents the completion of the process. Only upon completion of these steps should you release the storage media for reuse.
Things get more complex with media that will leave the control of your company. Whether you are destroying your old media or reselling it to another party, your data destruction policy must require additional processes. Your policy has to cover the purging and destruction of your data and sometimes the physical destruction of your media.
But how much destruction is enough?
In developing and implementing your data destruction policy you face the challenge of coming up with a level of destruction that is appropriate for your company’s particular situation. Simple deletion and overwriting of data on media your company is retaining and reusing may be appropriate in some instances. In other situations, you may require the total physical destruction of your media that may include disintegration, shredding, incineration, pulverization, or melting of your media.
Whether your company is obligated to take certain steps in destroying your data really depends on the laws, rules, or regulations that regulate your company. Regulated industries have requirements in place through a variety of sources. For example, you have to look to Sarbanes-Oxley, Graham-Leach-Bliley, the Fair and Accurate Credit Transactions Act, and HIPAA for guidance. These laws may tell you that you need to keep your data for a certain period. Check with your tech attorney who can provide guidance on what laws, rules, and regulations apply to your company’s situation.
If you are not heavily regulated, you can look to some of the other destruction standards out there. The U.S. Department of Defense standards and methods might be good places to start, but do not forget other sources. Look to international, national, state, and local laws, rules, and regulations for guidance. Look also to international standards such as the National Institute of Standards and Technology’s "Guidelines for Media Sanitization.”
After your review of the applicable laws, rules, and regulations, you need to add steps to your data destruction policy. Your data destruction policy needs to address how to classify and handle each type of data residing on your media. Your policy needs a process for the review and categorization of the types of data your company has and what kinds can be removed. Classifications and contents of your data will also play a role. Data and media containing confidential information, trade secrets, and the private information of your customers require the strictest controls and destruction methods. Data and media containing little to no risk to your company may have relaxed levels of control and destruction.
Do not forget to look to your contracts with other companies to ensure you are handling data destruction within the terms of those contacts. For example, non-disclosure agreements sometimes contain data destruction terms and you must comply with those terms.
Educate your people and verify that they are complying with your policy. This is particularly important with media that you are not destroying, but instead are reselling or recycling. You should take samplings as appropriate to ensure you maintain the proper levels of destruction. If you are doing the data destruction in-house, you need to verify your data sanitation and destruction tools and equipment are functioning properly and maintained appropriately.
Document the entire data destruction policy so you will know what media is sanitized and destroyed. Your documentation should allow you to quickly answer those who, what, where, when, why, and how questions.
Finally, the last step of an effective data destruction policy is to have a process in place so you can follow up with regularly scheduled testing of your process and media to ensure the effectiveness of your policy.
Do not let your company become tomorrow’s ugly news headline when your data falls into the wrong hands.