This may be the most important reason to do everything possible to ensure the security of the sensitive data and its proper destruction. The fines associated with a data breach are a compelling reason to have secure processes in place. However, the loss of business and your company's reputation can be even more costly when the unthinkable happens.
It is an accepted fact that the best practice for data destruction is to have a certified third party perform all data destruction on hard drives and other forms of storage media.
The Department of Defense requires 10% quality control checks on data that has been digitally destroyed to meet its standards. We have found that a large majority of companies that do their own data destruction do no quality control checks to ensure erasure. Our standard process is to check 100% of the drives digitally destroyed. This guarantees our customers that there is no data remaining once we've performed data destruction.
Hang on to your hat because you aren't going to believe this. Customers sometimes perform their own data destruction or pull their own drives and use Reclamere for disposal and recycling services. When this happens we perform random courtesy checks on those machines and drives when they reach our warehouse. We find data on drives or drives still in the machines almost 50% of the time!
If you want to know how this happens so frequently, please continue to the next paragraph.
Most IT departments are understaffed and overutilized. If you are like most IT personnel, you don't have enough time in the day to get your real job done (most IT personnel don't consider performing data destruction part of their "real job"), let alone perform data destruction on decommissioned drives and tapes.
In addition, we've found techs are often interrupted in the middle of performing data destruction by their "real job." These interruptions often lead to missed drives, poor quality control standards, and data that could be compromised. If you have ever attempted data destruction yourself, how many times have you been interrupted by an emergency (email server went down, someone spilled coffee on their laptop, CEO couldn't figure out how to print vacation photos to a CD, etc.) and had to leave the process and come back to it later?
An unavoidable problem for companies that do their own data destruction is the lack of credible documentation for audits and litigation. Documentation created by company-employed techs or other IT personnel is in many cases considered "the fox watching the hen house."
By having certified vendors perform your data destruction, the liability for the safe, secure destruction of that data transfers to the third-party vendor when they take possession of your drives. In addition, the documentation provided is accepted by auditors and courts as proof that you've taken reasonable measures to ensure the security of the data at the end-of-life disposition of the storage media.
For all the reasons that are listed on this page, IT auditors recommend having a certified third-party vendor handle all of your data destruction needs.
We've saved the best for last. When polled, "cost reduction" is the number one reason why companies do their own data destruction. Most accomplish this by having techs and IT directors pull drives and run a data destruction program or take them out back and smash them with a sledgehammer. There is a strong case to be made that if you calculate the cost of the time spent, it is actually cheaper to pay a third party. Before you even think it, I'll say it: "But when I do it myself, it doesn't create a separate line item in the budget. The company is already paying my techs. Besides, I don't have to go through the process of getting extra money approved!" This is true, so we'll give you that point.
What you need to consider is what is at stake if drives aren't destroyed in a secure and documented manner. The question you need to be asking yourself about cost is, what will a single PCI, FACTA or HIPAA violation cost my company? And what will it do to my job security?
The annual cost of having a hard drive destroyed by a professional third party (using industry-standard best practices), amortized over the life of a hard drive, is between $2 and $5 per year, depending on your refresh cycle. Is saving a maximum of $5 per year per hard drive worth the risk of a data breach and the associated consequences?