ESTABLISHING A SECURE DATA MANAGEMENT PROCESS

Productivity, cloud storage, and automation are at the forefront of an organization’s technology needs. If we’re taking advantage of the tools available today, we are irreversibly tied to our mobile devices. We live in a world of Big Data. From location tracking to recommendations based on browsing habits, we’re all aware of the ever-growing swarm of information about who we are, what we’re doing, and forecasting what we’ll do next. In a world of data breaches, brand management nightmares, and litigation, forward-thinking organizations are taking action.

To protect against such threats, a secure data management process is essential for organizations of any size. Instilling security as a value in your organization by making it process-driven, developing a written policy that can be deployed company-wide, and reinforcing smart data management practices until they become habitual.

What do we do with our devices when they reach their end of life? What type of tracking is done to connect IT and Accounting departments to show a complete chain of custody? What level of detail is your first, second, or third touch vendors reporting with? Which individuals can physically reach unsecured data, and what clearances and protocols are in place to restrict access? These are all important questions that can be addressed with an established Secure Data Management Policy. See below about taking your first steps to establish an effective policy for your business. 

Over time, a company will inevitably amass an enormous amount of data.  In a world of Google Drive and Dropbox files; in addition to multiple local revisions, each company should start by determining contractual, operational, and regulatory needs for retaining and maintaining copies of data. Most companies have a standardized data retention policy that can be used as a component of the Secure Data Management Policy. After identifying what data should be duplicated in auxiliary media, as well as how to do this effectively and securely, we can evaluate other requirements for data storage:

CONTRACTUAL

This is largely based on the scope of services you provide, and the term limits you have with clients and vendors. If you have a contractual obligation to maintain records for, or on the behalf of a client, this should be outlined on a per-department basis.

OPERATIONAL

Removing bottlenecks for secure data access is at the front of the line for many organizations.  Maintaining file revisions in duplicate is one method to alleviate this and can make strategic sense. If, on the other hand, file usage statistics show that these items are not being accessed, or that they are already backed up sufficiently with some type of automated file management protocol, then duplicating these files would be unnecessary.

REGULATORY

Data protection laws have a number of provisions to promote diligence on the part of the original data controller. For instance, the regulatory responsibility to protect data remains with the data controller and cannot be transferred to downstream service providers. While legislators understand that the use of such subcontractors is a modern day necessity, they hold the data controller responsible for the actions of those vendors, as described in this excerpt from the “Proposed Modifications to HIPAA under HITECH”:

“…The covered entity remains liable for the acts of its business associate agents, regardless of whether the covered entity has a compliant business associate agreement in place. This change is necessary to ensure, where the covered entity has contracted out a particular obligation under the HIPAA rules, that the covered entity remains liable for the failure of its business associate to perform that obligation on the covered entity’s behalf.”

This isn’t anything revolutionary. This is representative of all major data protection laws currently enforced internationally. To be clear, the data controller may, and often does, assign financial responsibility to downstream vendors for financial damages they cause. However, the data controller is ultimately the liable party in data breaches, and damage to public image and investor confidence cannot be transferred to subcontractors or vendors.

Anything that is out of alignment with the policies above effectually become a liability for litigation. Properly managing data by removing it at the lowest level with detailed, serialized, auditable reports is the best way to provide a safe zone against such concerns. A secure process like this prevents any unnecessary and costly incident investigations, as well as potential perjury claims when asserting that your company discontinues records past a specific chronological interval.

HOW DO I REMOVE THE DATA FROM MY DEVICES?

Physical destruction

Although physical destruction seems like the first, logical solution, it’s ineffective at best when used independently of an inclusive software tool, like Clarabyte. 95% of data breaches are the result of a poor chain of custody due to human error. When managing hundreds or thousands of assets, it’s easy to miss an item. The longer the chain of custody, and the greater the number of handlers, the larger the liability.

Leading Fortune 500 companies have set a trend by creating best practices for reducing human error while contributing to eco-centric initiatives by avoiding physical destruction. If environmental impact is something your company values, the buck stops here.

Clarabyte’s Software Solution for Data Destruction

The best Secure Data Management Policy is easy, cost-effective, and automated. The absolute shortest chain of custody for the physical and digital management of a device is having all data removed and validated with an auditable, serialized report before the device is unplugged. This is what Clarabyte empowers companies with.

“I HAVE A GUY” – EXTERNAL VENDORS FOR DATA DESTRUCTION

Contracting to a third party for device removal is smart — relying on them for the management of your company’s intellectual property, legal documents, and trade secrets is not. There are several questions you should ask yourself and your stakeholders when evaluating whether your organization’s data management security process should be the responsibility of a third party company:

How detailed are their reports? What is your standard for comparison?

Have you visited the facility to observe their secure data destruction protocols? How are your devices staged, stored, and protected against uncontrolled access?

What is your company paying per device for data destruction services?

100% of the time, automating this decision by utilizing a company-wide, in-house process makes secure data destruction easier, more efficient, more cost effective, and much more secure.

FINAL THOUGHTS

A secure chain of custody is the most important variable to start from when creating your secure data management process. By removing all data with an automated, auditable trail before the device is unplugged or moved, you remove the risks associated with human error and the mishandling of devices.  

To find out more about how your business can implement secure solutions to data storage, management, and destruction with Clarabyte’s software and services, contact a representative to schedule a demo.