Regardless of sector or scale, data has become the lifeblood of organizations worldwide. Businesses depend on it to guide their operations. Whether they collect, use, buy, transfer, or store data, all of them share a common dilemma: what to do with it once it is no longer needed. With data breaches rising sharply over the last decade, following best practices for secure data destruction is essential. In this article, we outline best practices for securely destroying and disposing of data.

What Are the Dangers of Digital Storage?

According to the International Data Corporation (IDC), the digital universe is growing at 40% a year. Companies are responsible for securing the large volumes of data they generate and store. Not surprisingly, data breach statistics continue to grow and compliance regulations continue to tighten. Fines and legal fees for non-compliance vary widely, but companies should expect them to rise as both courts and class-action lawyers zero in on data misuse. Data breaches affect every industry, including finance, healthcare, education, and retail, and at their current frequency none of our details are as safe as we might think.

Data Breach Statistics

Some of the most alarming data breach statistics and trends show how the issue of compromised data is becoming an increasingly grave threat for all of us:

  • Nearly 68 records are compromised every second.
  • Around 70-74% of data breaches are financially motivated.
  • Nearly 79% of firms worldwide have experienced a phishing attack.
  • The global average cost of a data breach has reached $4.45 million.
  • Nearly 75% of firms report material disruption to business processes as a result of a data breach.
  • Around 3.4 billion phishing emails are sent worldwide every day.
  • Small businesses are the target of 43% of data breaches (as of September 2023).

Now more than ever, proper data destruction is critical.

What is Data Destruction?

Data destruction is the process of properly destroying information, whether on paper or in digital form, in accordance with compliance requirements and industry best-practice standards (NIST SP 800-88, Guidelines for Media Sanitization, is the reference most often cited). The goal is to make the original information unrecoverable, whether by overwriting it, by cryptographic erasure, by degaussing magnetic media, or by physically destroying the media; overwriting with random data is only one of these techniques and, as discussed below, not always a sufficient one. When individuals fail to destroy their data, they are vulnerable to identity theft. Recent studies show the risk is widespread: 90% of second-hand laptops, hard drives, and memory cards still contain recoverable data. Additionally, 17% of organizations that experienced a breach traced it to residual data on redeployed devices, underscoring the continued importance of proper sanitization.

The Importance of Secure Data Destruction and Disposal

The stakes are much higher for companies and larger organizations. Many entrust their information and resources to reputable, fully managed document storage platforms, cloud hosting providers, and secure data centres. That does not mean they can overlook an equipment and data disposal policy. No matter what data an organization collects, uses, transfers, or stores, it must ensure that the data, along with any redundant physical media, is properly destroyed and disposed of.

What is PIPEDA?

But what happens if a business fails to manage its digital files when they are no longer required? In April 2000, the Parliament of Canada passed the Personal Information Protection and Electronic Documents Act (PIPEDA) in response to growing concerns about private-sector data collection. PIPEDA is a broad statute, and nearly every organization that collects personal information in the course of commercial activity in Canada must comply with it. A few fall outside it, notably federal government institutions (covered by the Privacy Act) and organizations whose activities stay within a province whose privacy law has been declared substantially similar, so the first step for any business is to confirm whether PIPEDA applies to it. PIPEDA also gives consumers a yardstick for deciding whether they can trust an organization with their data.

Penalties for PIPEDA Noncompliance 

PIPEDA is overseen by the Office of the Privacy Commissioner of Canada (OPC), an independent office that reports directly to Parliament. While the OPC has several duties, its primary responsibility is to investigate complaints about organizations that violate PIPEDA. The OPC is also a useful resource for organizations that need to improve their handling of personal information. If your organization is found to be non-compliant with PIPEDA, you can expect three major consequences:

  1. Financial penalties. PIPEDA creates a small number of offences, such as knowingly failing to report or keep records of a breach of security safeguards, obstructing an OPC investigation, or retaliating against an employee who reports a violation. Each carries a fine of up to CAD $100,000 on indictment. The OPC itself cannot levy fines; these offences are prosecuted through the courts.
  2. Further legal action. The OPC's own powers are limited, but it can audit an organization's practices, enter into a compliance agreement with it, and take unresolved complaints to the Federal Court (or support a complainant who does), which can order corrective measures and award damages. Evidence of the offences above may be referred to the Attorney General of Canada for prosecution.
  3. Reputation loss. Public perception is one of the strongest motivators of compliance. Where it is in the public interest, the Commissioner may publish findings that name the organization and describe how it fell short.

Essential Factors to Consider for Secure Data Destruction and Disposal

Establishing clear data destruction and disposal processes ensures that sensitive information about customers, stakeholders, accounts, intellectual property, partners, staff, and the organization itself is discarded in a way that makes it irretrievable. Once data is no longer needed, for whatever reason, the devices and storage media that hold it must be sanitized so that it can no longer be accessed. When choosing methods for securely destroying data, consider these six essential factors:

1. Understand Data Classification

First, categorize and classify the data your organization holds: for example, by sensitivity (public, internal, confidential, restricted), by its value at end of life, or by media type. Take into account every regulatory or security framework your company must adhere to. The classification then determines the appropriate method of destruction: the more sensitive the data, the more thorough and verifiable the method must be.

2. Institute a Data Destruction Policy

An information destruction policy (or data destruction policy) is a formal, organization-wide, written document. It sets out how information that is no longer needed is to be disposed of, which types of information employees must destroy, and when. Such a policy is not optional under PIPEDA, which requires organizations to develop guidelines and implement procedures governing the destruction of personal information that is no longer required for the purposes it was collected for. PIPEDA sets out the rules for how personal information may lawfully be collected, used, disclosed, retained, and disposed of.

3. Implement a Shred-All Policy to Safeguard Sensitive Data

A shred-all policy requires employees to securely destroy every document or record that leaves use, rather than deciding case by case what counts as confidential. Removing that judgment call sharply reduces the chance of sensitive material ending up in an ordinary bin and makes compliance easier to demonstrate. A shred-all policy isn't limited to paper records and files; it covers the secure, physical destruction of all forms of confidential data, including data stored on electronic devices.

4. Physically Destroy Electronic Devices Containing Sensitive Information

Deleting files, reformatting, or even overwriting data on hard disk drives, backup tapes, optical media, or mobile devices does not guarantee that the information is gone. Deletion only removes the file system's pointer to the data. An overwrite on flash media (SSDs, phones, USB sticks, memory cards) is redirected by the drive's controller to spare cells, so the original copy can survive in pages the operating system can no longer address. Degaussing works only on magnetic media and does nothing to flash. For media that held sensitive data, the reliable approach is physical destruction: shredding or disintegrating the device so that every part is reduced to fragments that cannot be pieced together. The fragment size must match the media: flash chips are small, so a shredder sized for spinning disks can leave whole chips intact and readable, and solid-state media should be shredded to a much finer particle size.
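As an added illustration of the point above, and of the overwrite definition given earlier in the article, the following Python toy model was written for this edit; it is not part of the original article or of any vendor's tooling. It models a magnetic disk, where a write lands on the same physical sector, beside a flash device, where the controller redirects each write to a fresh physical page and leaves the old page untouched until an erase. Both device classes, the page size, and the sample record are simplified assumptions made for the demonstration.

```python
"""Toy model of why an in-place overwrite sanitizes a magnetic disk but can
leave data behind on flash media, whose controller redirects writes to fresh
cells. Added example for this article, not production code; the two device
classes are deliberately simplified (assumptions: one physical page per
logical block, no compression, a fixed pool of spare pages, no garbage
collection)."""

import os

PAGE_SIZE = 16                   # bytes per page; tiny so the demo is readable
SECRET = b"CUSTOMER-RECORD!"     # constructed sample record, exactly one page


class MagneticDisk:
    """A sector address maps to a fixed physical location, so a write to a
    logical block replaces the bytes that were physically there."""

    def __init__(self, n_blocks):
        self.media = bytearray(n_blocks * PAGE_SIZE)

    def write(self, lba, data):
        assert len(data) == PAGE_SIZE
        self.media[lba * PAGE_SIZE:(lba + 1) * PAGE_SIZE] = data

    def raw_contains(self, needle):
        """Forensic view: scan every physical byte, ignoring the logical layer."""
        return needle in bytes(self.media)


class FlashDevice:
    """Flash pages cannot be rewritten in place. An overwrite of a logical
    block is written to a free physical page and the mapping table is
    updated; the old page keeps its contents until a block erase (which a
    real controller may defer indefinitely)."""

    def __init__(self, n_logical, n_physical):
        assert n_physical > n_logical, "wear levelling needs spare pages"
        self.pages = [bytes(PAGE_SIZE)] * n_physical
        self.free = list(range(n_physical))
        self.l2p = {}  # logical block -> current physical page

    def write(self, lba, data):
        assert len(data) == PAGE_SIZE
        if not self.free:
            raise RuntimeError("no free pages; a real controller would erase here")
        phys = self.free.pop(0)
        self.pages[phys] = bytes(data)
        self.l2p[lba] = phys         # old page is unmapped but NOT erased

    def read(self, lba):
        """What the operating system sees: only the currently mapped page."""
        return self.pages[self.l2p[lba]]

    def raw_contains(self, needle):
        """Forensic view (chip-off read): every physical page, mapped or not."""
        return any(needle in page for page in self.pages)

    def secure_erase(self):
        """Model of a firmware-level sanitize command (the kind of operation
        ATA Security Erase or NVMe Sanitize performs): every physical page is
        erased regardless of whether it is currently mapped."""
        self.pages = [bytes(PAGE_SIZE)] * len(self.pages)
        self.free = list(range(len(self.pages)))
        self.l2p = {}


def overwrite_then_check(device, lba=0):
    """Store SECRET, overwrite the same logical block with random bytes, and
    report whether SECRET is still recoverable from the raw media."""
    device.write(lba, SECRET)
    device.write(lba, os.urandom(PAGE_SIZE))
    return device.raw_contains(SECRET)


def demo():
    """Returns (hdd_leaks, ssd_leaks_after_overwrite, ssd_leaks_after_erase)."""
    hdd_leaks = overwrite_then_check(MagneticDisk(n_blocks=4))
    ssd = FlashDevice(n_logical=4, n_physical=8)
    ssd_leaks = overwrite_then_check(ssd)
    ssd.secure_erase()
    return hdd_leaks, ssd_leaks, ssd.raw_contains(SECRET)


if __name__ == "__main__":
    hdd, ssd_overwritten, ssd_erased = demo()
    print(f"magnetic disk, secret recoverable after overwrite:    {hdd}")
    print(f"flash device,  secret recoverable after overwrite:    {ssd_overwritten}")
    print(f"flash device,  secret recoverable after secure erase: {ssd_erased}")
```

Run as a script, the model reports that the overwrite removed the record from the magnetic disk but not from the flash device, where a raw read of the unmapped page still finds it, and that only the whole-device erase clears it. The practical lesson is the one NIST SP 800-88 draws: software overwriting cannot reach cells the controller hides, so solid-state media should be sanitized with the drive's own sanitize or cryptographic-erase command, or physically destroyed, and the result verified rather than assumed.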

5. Avoid Using an Office Shredder for Data Destruction

Many businesses think an in-house office shredder is an economical solution. In practice, this slow method costs companies in productivity, floor space, and security. Most office shredders are strip-cut models that reduce paper to long strips, which can be reassembled; cross-cut and micro-cut shredders are better, but the destruction is still unverified and undocumented. PIPEDA requires safeguards appropriate to the sensitivity of the information, and strip-cutting confidential records with no record of their destruction is unlikely to meet that standard.

6. Prioritize Privacy Law Compliance

In addition to requiring guidelines and procedures for disposal, PIPEDA's accountability principle means an organization must be able to show that documents, hard drives, and other media were actually destroyed, and how. The usual evidence is a Certificate of Destruction: a formal record listing what was destroyed (including media serial numbers where available), the method used, the date, and who performed it. Certified destruction providers issue these certificates as part of their service; an organization that destroys media in-house must keep an equivalent record itself and be prepared to justify the method it chose.

Secure Data Destruction and Disposal: A Business Must-Have

If your organization isn't well-versed in secure data destruction and disposal, you may leave yourself open to security incidents, fines and penalties, loss of consumer trust, and damage to your brand. You probably already carry insurance against unforeseen events such as weather damage or employee theft. In the digital age, however, the risks that come with doing business online are likely to be far more serious.

Cyber liability insurance is therefore essential to protecting your business. Whether you're a start-up, a large corporation, a non-profit, or somewhere in between, cyber insurance is a must-have. Our experienced brokers at isure work with you to create tailor-made security and privacy liability coverage for the risks specific to your operations. Contact us or request a quote today!
