The High Cost of “Free” Data Destruction
IT asset disposal made headlines around the world last week when the UK Information Commissioner’s Office (ICO) fined NHS Surrey £200,000 (about $300,000) over the loss of secret data belonging to more than 3,000 patients.
According to the data watchdog, thousands of patient records were discovered on a second-hand NHS computer that had been auctioned online after undergoing a “free” data destruction process.
ICO head of enforcement Stephen Eckersley said the facts of the breach are truly shocking.
“NHS Surrey chose to leave an approved provider and handed over thousands of patients’ details to a company without checking that the information had been securely deleted,” Eckersley said.
“The result was that patients’ information was effectively being sold online. This breach is one of the most serious the ICO has witnessed and the penalty reflects the disturbing circumstances of the case,” he said.
During the course of its investigation, the ICO found that the data destruction firm had offered free disposal of the computers in return for the sale of any salvageable materials.
As the technology recycling industry continues to grow, we have seen a flood of new and existing businesses now offering supposedly free IT asset disposal (ITAD) services. While this is great for their bottom line, it leaves the door wide open to risks such as data breaches and potential fines from local and state governments.
The concern should not be just removing old computers from an office; the focus should be on decreasing the risk of a data breach by providing secure data destruction and liability indemnification. At TechR2 this includes a Department of Defense (DoD) 3-pass overwrite on all hard drives, certified destruction of all data-bearing devices, and responsible recycling, in addition to overall compliance with local, state and federal legislation (e.g., HIPAA, HITECH, Gramm-Leach-Bliley, PCI, Sarbanes-Oxley).
It is very difficult to provide all of these services without a price tag, which leads to our next point: how “FREE” is free?
Steve Mellings, chief operating officer at ADISA, an industry body representing about 30 ITADs, said the NHS Surrey case highlights that companies must value quality as well as price when disposing of outdated equipment.
“There is no such thing as free,” he said. “There’s always a cost and in this case, it is £200,000.”
Information adapted from: ChannelWeb, CBRonline, and Risk vs. Cost.