When IT assets containing sensitive data are disposed of, transferred, or sold, data erasure and maintaining a secure chain of custody assume critical importance. A chain of custody helps in inventory reconciliation, maintaining data security, and mitigating the risks of data breaches or leakage. This blog explores the need to maintain the chain of custody and why ITAD companies must pay heed to it.
Data security is one of the biggest challenges businesses face in the era of evolving data protection laws. Companies are on guard due to rampant data theft, breaches, and dumpster diving. They spend millions of dollars to protect sensitive data and secure IT assets from cyber security threats. However, end-of-life IT assets are most vulnerable when disposed of, transferred, or sold.
A secure chain of custody is a vital step to ensure IT asset security and mitigate the risks involved in storing or transporting these assets.
As the name suggests, a secure chain of custody refers to safeguarding evidence or items during the transfer from one person/location to another. Simply put, a chain of custody is knowing and cataloging the location of the company’s assets and in whose possession they are at all times. Proper documentation is necessary when the IT assets leave the company premises and change ownership. In addition, it is essential for audit purposes and indemnification in case of a data breach or theft. This process is vital in the case of IT asset disposition, where data security and compliance are of utmost importance. There are several reasons why ITAD companies must pay heed to a secure chain of custody, so as to:
Therefore, a secure chain of custody is vital to IT asset disposition and something that all ITAD companies should take seriously.
A secure chain of custody is necessary for data safety and security because it helps prevent data breaches and other security risks associated with improper asset disposal. Unfortunately, the risks associated with not maintaining a secure chain of custody are plenty; here are a few reasons why:
There have been numerous cases where failing to maintain a secure chain of custody resulted in huge losses and data breaches. For example, the National Health Service in the UK was fined GBP 200,000. The breach happened because the IT disposition vendor hired by the NHS didn’t sanitize a computer containing the personal information of over 3000 patients before selling it online.
Another, more recent case involved Morgan Stanley, which was fined $60 million by the OCC for improper disposal of IT assets that were later found to contain confidential data of over 15 million customers.
Both these examples tell us that if a proper chain of custody had been maintained and documented, severe fines and penalties could have been avoided. Instead, when such breaches happen, they result in heavy financial losses, legal ramifications, and customers losing trust in the brand.
Maintaining a secure chain of custody means tracking the movement of IT assets from the moment the company no longer needs them until they are correctly disposed of. There are several critical steps involved in maintaining a secure chain of custody:
The above points can be implemented by businesses and ITADs alike to ensure the least amount of risk is involved while moving and disposing of the IT assets. The policies must be devised according to the business needs and prevailing federal & state laws that govern the business.
Businesses should routinely audit chain of custody procedures to establish that the integrity of the data is upheld across all phases of the device lifecycle. In addition, the effectiveness and durability of the policies, practices, systems, and training should be regularly evaluated through audits. By following the secure chain of custody, companies can rest assured that their data and devices are in safe hands.