The old saying that ‘if it looks too good to be true, it probably is’ applies to many things, but especially to free services that offer to erase or sanitise your old hard drives. Blancco – the IT security software manufacturer – highlighted this problem in a 2016 study. Blancco bought 200 used hard drives from eBay and Craigslist. On testing the drives, the study found that 67% of them still contained data, including personal and financial information and photos.
The Potential Risks
A company may have good intentions around sustainability when it recycles or resells its old hard drives. However, the Blancco study illustrates how relying on a free or cheap third-party service or tool to erase data from old hard drives can be a risky and costly business: unless the erasure is verified, there is no guarantee that the data is actually gone.
The penalties when data falls into the wrong hands because a storage device was not completely erased are high, both financially and in terms of reputational damage. The list of organisations caught out by not having robust protocols and processes in place for IT asset disposal is long, and it includes large organisations around the world such as HSBC Bank, the University of Florida and the Australian Government.
In the UK, the requirement to dispose of hard drives securely falls under data protection legislation (the GDPR, implemented in UK law by the Data Protection Act 2018). Failure to comply with legal responsibilities regarding the security of personal data can lead to a heavy fine from the Information Commissioner’s Office (ICO). It’s important to be aware that hard drives that may hold copies of personal data are not only found in computers, but also in multifunction equipment such as printers, photocopiers and scanners. Any secure IT asset disposal policy therefore needs to cover these machines as well.
Companies and organisations that have mistakenly used free services to dispose of IT assets and paid the price include NHS Surrey. The ICO fined the health organisation £200,000 after an old computer containing thousands of patient records was bought on an online auction site. The company that had ‘disposed’ of the old computers had failed to erase all the data, and the ICO found that NHS Surrey had ‘failed to observe and monitor the data destruction process’.
Brighton and Sussex University Hospitals NHS Trust was fined even more in a similar case. The ICO imposed a penalty of £325,000 after more than two hundred hard drives from the Trust’s old computers, containing both patient and employee personal data, were sold on auction sites. At the time, this was the largest penalty the ICO had ever imposed on any organisation, reflecting the severity and scale of the data breach.
With data harvesting currently in the news, retaining client trust is a critical business issue. Cutting corners on IT asset disposal is simply not worth it for any organisation, whatever its size. It’s vital to call in experts who can provide a documented, audited process for secure disposal or recycling of IT assets, so that you can show which devices were erased, how and when. To ensure your business or organisation is fully protected, get in touch today for a free quote on secure IT asset disposal.
Image Source: unsplash.com