ITAD is Obsolete. Are You Ready?

This guy probably remembers when ITAD was still relevant.

ITAD has served organizations for many years.  However, as the standards of security rise, and as the difficulty in truly eradicating data on end of life (EoL) devices grows, ITAD has become obsolete.  Thus, those who continue to cling to this outdated methodology put themselves and their company in peril.  The number of regulations passed is on the rise.  Consequently, these regulations require more industries to be diligent about their EoL destruction needs. Organizations that still use ITAD are at risk.  They are at risk not only for fines, but for reputation damage that cannot easily be repaired.

Industry Wide Audits Tell Much of the Story

In examining data security trends, the IG, SEC, HIPAA, DOT, NERC, and others posted summaries that show the top data security failures. In every account, the auditors find that corporations use ad hoc processes that do not comply with their own industry, federal or state regulations[1].

What are These Regulatory Bodies Finding ITAD Vendors Lacking?

Quite simply, there isn’t much understanding of how to be compliant with all of these regulations.  This isn’t surprising because the regulations have been changing to meet the demands of an ever-evolving landscape.  As a result, it is hard to keep up if this isn’t your total and complete focus.  Audits commonly uncover these issues and many more:

  • Sending data out of your control does not meet your Risk Assessment or Data Security policies
  • The ITAD recycler / third-party vendor is not Cybersecurity Framework certified
  • No real-time tracking and containing of loose failed data-bearing devices
  • A lone truck driver picking up data from your facility is a violation of Secure Transport rules
  • Poorly secured ITAD processing facility is not equal to datacenter security
  • Single worker access to your data without verification or supervision
  • Certificate of Destruction does not meet NIST 800-88 requirements

Future cybersecurity auditor is disappointed in his mom for using non-compliant ITAD vendors

In the last year, companies not following data security requirements have been fined for illegal data handling[2]. You can be fined for breaches because, during the overwrite process, the ITAD vendor can read 100% of your customer data or make mistakes[3]. Regulatory bodies can fine organizations like yours for not following your own cybersecurity risk assessment. Additionally, you can be denied your cybersecurity insurance for not following published Federal, State and industry practices your legal department has agreed to in contract[4]. Finally, you can lose your job for not following your own corporate written data security policies.

How Can You Comply with Industry, Federal and State Regulations?

Let’s break this down.  One or more regulations such as GDPR, NIST, ZTA, CCPA, and IRS 1075[5] likely apply to your company.  Cybersecurity assessors from the government GAO, IRS, DoD, NERC, PCI, HIPAA or others will examine you.  But going even a step further, they will examine your contractors and the subcontractors they use as well.  Sadly, many ITAD vendors see compliance as a marketing strategy.  They will advertise compliance, but not deliver when it counts.  It is your responsibility to prove the compliance of your entire supply chain and ignore a supplier’s marketing hype surrounding data governance.

Regulations keep changing. No time to rest.

Why Can’t ITAD Keep Up?

As technology changes and the tactics used to try to circumvent security controls evolve, old processes like ITAD just can’t keep up.  For instance, SSDs cannot be degaussed.  Also, the Internet of Things (IoT) is changing the types of devices that might hold personal information.  Social engineering (the act of using a human being unwittingly to access a system or data) has become sophisticated enough that no single individual, no matter how honest, should be trusted alone with critical data.  Furthermore, the Cloud ensures that even more data is accessible that used to be protected behind layers of firewalls.  All of this makes adherence to Zero Trust that much more important.

So, as the landscape changes, industries must change as well.  Organizations still need IT Asset Destruction services.  However, almost every vendor in the industry has failed to anticipate the changes to technology and the regulations surrounding EoL processes.  Thus, ITAD is, for the moment, obsolete.

What Has Changed in Data Control?

  • The Data Destruction process must meet your Risk Assessment requirements
  • Data Destruction must occur under your control per Federal, State and Industry regulations
  • Vendor must be Cybersecurity Framework certified per Federal, State and Industry regulations
  • You must follow data destruction techniques based upon your published Data Classification Policy
  • Data destruction by the Sanitizer must be Verified by a second individual
  • Certificates of Destruction must be complete and meet NIST 800-88 requirements

Do you need the Patented Tear-A-Byte® Method to Track – Contain – Destroy – Verify Loose Media?

The answer to your cybersecurity control challenge is TechR2’s ISO and NIST certified, patented Tear-A-Byte solution[6]. All TechR2 products and services incorporate Zero Trust Architecture data security techniques[7].

Contact TechR2

TechR2’s NEW Data Destruction as a Service (DDaaS) is the future model, and the archaic ITAD processes are dead[8].

Contact Sepp Rajaie to learn more. Contact our experienced TechR2 staff.

  1. Federal cybersecurity defenses not strong enough to protect American data, Senate report warns – CBS News
  2. ITAD is the Slow-Motion Data Breach Nobody notices
  3. Morgan Stanley names ITAD vendor behind its data loss incident
  4. Avoiding The Most Common Cyber Insurance Claim Denials
  5. Meeting IRS Safeguards Audit Requirements | Internal Revenue Service
  6. Data and Hard Drive Shredding Tracking Destruction Containment Service (
  7. Zero Trust Model – TechR2
  8. DDaaS Data Destruction as a Service – TechR2