Data destruction is a crucial information security practice for any organization handling private data, be it a for-profit or non-profit entity. Even organizations not handling citizen data have data they would not want accessible to unauthorized persons. Failing to destroy data that is no longer needed can have very dire consequences. Data could be stored on hard copy or digitally in devices such as hard disks, flash drives, DVDs, tape storage, cameras and mobile phones.
Improper data destruction includes failure to have a data destruction plan. Sometimes there may be a will to destroy data, but there is a lack of technical capacity to handle the task properly. Engaging a professional service like SPW data destruction is the only way to ensure that proper data destruction happens.
An organization will face existential threats from improper data destruction. These risks include:
Identity Theft
Nowadays businesses collect a lot of data about their clients, on top of the employee data they hold in HR management. This private data is very valuable to malicious actors. Personally Identifiable Information (PII) is any data that can be easily attributed to a person. It includes names, addresses, phone numbers, social security or identity numbers, driving license numbers and any other private data.
PII is valuable to malicious people because they can easily assume the identity of the owner. They can then access all the privileges that are due to the real owner of the identity. They can access loans, credit cards, and expensive subscriptions depending on the creditworthiness of the owner.
A more serious threat occurs when identity theft is used to commit serious crimes like supporting terrorism. It lands the real owner of the identity in serious trouble, and it takes a great deal of effort for a person to extricate themselves from such a situation.
Legal Penalties
Various data privacy laws have been enacted to protect private data. In the US there is the Gramm-Leach-Bliley Act (GLBA). This law is targeted at organizations in the finance industry. It requires businesses to keep client data confidential, including social security numbers, customer names, addresses and phone numbers. The Health Insurance Portability and Accountability Act (HIPAA) has similar requirements for businesses in the insurance industry.
Violations of these laws cost businesses a lot of money in financial penalties. In 2010, medical provider Rite Aid was penalized for violating HIPAA. They improperly disposed of prescriptions and pill bottles that had client information. They were penalized $1 million. Financial firm Morgan Stanley was fined $60 million for improper handling of client data on obsolete hardware.
In Europe, there is the General Data Protection Regulation (GDPR). This is a wide law covering what businesses can do with data they collect from European clients. The GDPR has very stiff penalties for mishandling private data. A business will suffer a fine of up to €20 million, or 4% of the revenues from the past year, whichever amount is higher.
Several global brands have already fallen afoul of the GDPR and paid heavy fines for it:
- British Airways paid €22 million ($26 million)
- H&M paid €35 million ($41 million)
- Google paid €50 million ($56.6 million)
These global brands can afford to pay such hefty fines. But for smaller businesses, such hefty fines spell death. The costs of engaging professional destruction services are completely justified in the light of such heavy financial penalties.
Loss of Trust in the Brand
The loss of trust that comes with a data breach or any other information security incident is more damaging than direct financial penalties. The damage to the brand’s reputation is long term. A business will probably spend more money on reputation management than it spent on direct fines.
The erosion of trust in a brand takes a long time to repair. This damage is a big risk regardless of the industry, but it is more apparent in sensitive industries like health and finance. Clients need to feel that their confidential information remains confidential. More people are also aware of the damage caused by identity theft, so they are very wary of dealing with a business that has suffered a data breach.
Even a minor breach can generate a lot of news because in the age of social media, word spreads fast. The unfortunate thing is that when a data breach makes news, people searching for your brand will most likely see this information first. A huge and costly online reputation management campaign is needed to reverse this damage.
Business Death
The risks that come with improper data destruction can mean the death of a business. A study by Inc. magazine showed that 60% of small and medium businesses that suffer cybersecurity breaches fold up within six months of the incident. The alternative is rebranding and starting from scratch.
What is the Solution?
Proper data destruction is too important a task to be left to untrained in-house staff. The prudent choice is professional data destruction services. They have the technical and equipment resources to pull off a proper job. The consequences of failing in this crucial task are too grave to not have professionals on the job.