How much can a leaky ITAD strategy cost?
We won’t name the bank here, but one of the big ones paid out these sums so far:
✱ $60m fine in 2020 for the improper management of drives during decommissioning and refresh projects
✱ $35m fine in August 2022 for data loss related to failures to dispose of IT assets
✱ Agreed to pay $68.2m in September 2022 to protect customers whose personal information it cannot account for
The data security breaches stem from a series of mishaps dating back to the 2016 decommissioning of two wealth management business data centers. Experts like Gurbir Grewal from the SEC’s Enforcement Division have labeled the oversights as woeful. “Customers entrust their personal information to financial professionals with the understanding and expectation it will be protected,” he commented. The headaches don’t just end with the fines. The bank will need to pay for forensic data investigators to retrieve devices sold to third parties and get to the bottom of the blunders. They will need to learn how they happened and outline steps for preventing similar issues in the future.
We recommend establishing a firm chain of custody for your assets before you enter into any ITAD agreement. Most data breaches occur once your assets leave your possession. An established chain of custody is absolute evidence that your assets are being tracked through each step of the ITAD process. This lets your business know exactly where your assets are during disposition, and mitigates the risk of sensitive data breaches.
The chain begins at your premises, then moves from collection, into transit, before the assets arrive at your ITAD partner’s facility. But here, it is not a case of out-of-sight-out-of-mind. You should also know how and where your assets will be stored while in the queue to be audited. This may mean asking your ITAD partner to provide details of who has access to your devices before the data is wiped and what measures are in place to make sure your assets won’t get mixed up with anyone else’s equipment.
The chain ends with a certificate of data destruction confirming your assets have been successfully wiped or destroyed so data can no longer be retrieved. This report is in many ways more valuable than the equipment itself, as it provides peace of mind against potential data breach lawsuits which could run into the millions.
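A minimal chain-of-custody audit over a per-asset event log, added here as an example (not the article's or any ITAD vendor's code): it checks that each asset moved through the stages described above in order with a named custodian at every hand-off, and flags any asset that never received a certificate of data destruction. The stage names, custodian labels and sample events are constructed for this example.

```python
from dataclasses import dataclass

# Custody stages in the order the article describes them; a constructed
# vocabulary for this example, not a published ITAD standard.
STAGES = ["premises", "collection", "transit", "facility_intake",
          "secure_storage", "audit", "data_destroyed"]


@dataclass(frozen=True)
class CustodyEvent:
    asset_id: str    # e.g. a drive serial number
    stage: str       # one of STAGES
    custodian: str   # who signed for the asset at this step
    timestamp: int   # epoch seconds (constructed sample values)


def audit_chain(events):
    """Return {asset_id: [findings]} for every asset seen in the log.

    A finding is a skipped or out-of-order stage, a hand-off with no
    custodian recorded, or an asset that never reached 'data_destroyed'.
    An empty list means the chain is complete and unbroken.
    """
    by_asset = {}
    for ev in sorted(events, key=lambda e: e.timestamp):
        by_asset.setdefault(ev.asset_id, []).append(ev)
    report = {}
    for asset_id, chain in by_asset.items():
        findings, expected = [], 0
        for ev in chain:
            if ev.stage not in STAGES:
                findings.append(f"unknown stage {ev.stage!r}")
                continue
            idx = STAGES.index(ev.stage)
            if idx != expected:
                findings.append(f"expected {STAGES[expected]!r}, got {ev.stage!r}")
            if not ev.custodian:
                findings.append(f"no custodian recorded at {ev.stage!r}")
            expected = idx + 1
        if chain[-1].stage != "data_destroyed":
            findings.append("no certificate of data destruction")
        report[asset_id] = findings
    return report


# Constructed sample log: DRV-0001 is fully accounted for; DRV-0002 skips
# the collection step, has an unsigned transit hand-off and is never certified.
SAMPLE_EVENTS = [CustodyEvent("DRV-0001", s, c, t) for s, c, t in zip(
    STAGES, ["it-ops", "courier", "courier", "vendor-intake",
             "vendor-cage", "vendor-tech", "vendor-tech"], range(100, 800, 100))]
SAMPLE_EVENTS += [CustodyEvent("DRV-0002", "premises", "it-ops", 100),
                  CustodyEvent("DRV-0002", "transit", "", 300)]
```

Any asset whose finding list is non-empty is one you cannot account for, which is exactly the position the bank above found itself in.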