
The Legal Necessity of Secure Data Erasure in Preventing Data Breaches

By Namrata Sengupta

A data breach is like the iceberg that sank the “unsinkable” Titanic – it can swiftly bring down even the most powerful organizations. In today’s data-driven world, as per IBM’s 2024 report, the cost of data breaches has skyrocketed to $4.88 million per incident globally, while in the United States, this figure is almost double at $9.36 million per breach.

Given these data breach incidents, it is crucial for organizations to implement robust cybersecurity measures. Most organizations work on strengthening their networks with the latest firewalls and threat detection tools, but many overlook the critical final step in the data lifecycle: data erasure. This oversight can prove to be a nightmare, as it not only puts precious corporate data at risk but can also expose the personal information of clients, investors, employees, and stakeholders.

Personally identifiable information (PII) covers a wide range of data, from names, Social Security numbers (SSNs), phone numbers, and passwords to biometric and financial information. Because this information is sensitive, it requires enhanced protection, especially since data protection laws like EU-GDPR, CCPA, and UK-GDPR demand that it be safeguarded. With legal non-compliance risks in the picture, organizations must carefully formulate their data management strategies and have a documented data disposal policy that covers the procedures, tools, and methods to be employed once the data or the data-bearing device has reached its end-of-life (EOL).

Importance of Data Erasure in Avoiding Data Breaches

A data breach is a scenario in which the company’s own intellectual property, its finances, or a customer’s information is leaked to unauthorized people. A breach can have many causes, such as cyber-attacks, stolen or compromised login credentials, phishing, human mistakes, IT system failures, and inadequate disposal of data. Organizations often take proactive measures to safeguard data-in-use (active data); however, once the data has fulfilled its purpose or has become redundant and obsolete, or the device that stores it has reached its EOL, it becomes crucial to securely wipe the data from the storage media before disposing of, reallocating, or repurposing it. Failure to do so can lead to a data breach like the one Morgan Stanley experienced.

In 2016, Morgan Stanley outsourced the decommissioning of its data center to an external service provider. While the vendor dismantled the data center, it did not wipe the data from the server drives before selling them on the secondary market. This major negligence exposed the PII of more than 15 million Morgan Stanley clients and led to legal and financial repercussions, with fines of over $150 million imposed by OCC, SEC, and court settlement. If Morgan Stanley had securely erased the hard drives to permanently wipe all confidential information, the company could have prevented the data breach and avoided the associated damage to its reputation, finances, and legal standing.

The Morgan Stanley data breach episode highlights a critical point: Data security cannot be neglected at any stage of the data lifecycle.

The Legal Imperatives for Data Erasure

There are several data protection regulations that require organizations to implement robust data privacy measures, including secure data erasure practices to ensure the confidential data of their citizens is protected.

  • The EU’s General Data Protection Regulation (GDPR) is an exemplary data privacy regulation that gives data subjects the right to be forgotten, or the right to erasure, and contains strict provisions for fining organizations when EU citizens’ data is compromised. Fines of up to €20 million or 4% of the global annual turnover are imposed on the non-compliant organization.
  • The California Consumer Privacy Act (CCPA) empowers consumers with control over their data, including the right to erasure. The California Attorney General has the right to levy penalties of not more than $7,500 for each intentional violation and not more than $2,500 for an unintentional violation. There is, however, no ceiling on the total amount of fines that can be imposed.
  • Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) instructs organizations to destroy, erase, or anonymize personal information that is no longer needed. An organization that knowingly violates any part of the PIPEDA guidelines for proactive data security safeguards may be liable to pay a penalty of up to $100,000 CAD per violation.

These laws, along with sector-specific regulations like SOX, GLBA, FACTA, and PCI-DSS, act as key safeguards in ensuring data protection. 

But compliance isn’t just about avoiding fines. It’s about building trust in an increasingly skeptical world rapidly turning digital. A 2023 survey by the Pew Research Center found that 73% of Americans are concerned about how companies use their data, and 67% of Americans have no clue why the companies are collecting their data. In a world where trust is currency, proper data handling – including secure data erasure – becomes a competitive advantage, showcasing a commitment to privacy that can set an organization apart.

The Technical Imperative: Beyond Simple Data Deletion and Formatting

It’s crucial to understand that “delete” doesn’t mean “gone.” Standard deletion methods don’t actually remove the data from the storage media. Rather, they just mark the storage sectors as available for use. Still, the data remains on the media until it is overwritten by new data, thus creating a ticking time bomb of potential breaches. I have previously discussed the myths of data erasure: Deletion and formatting are two such myths. Secure data erasure goes beyond simple file deletion or even disk formatting. It involves using methods like overwriting, cryptographic erase, block erase, secure erase, etc., ensuring that even advanced forensic tools or data recovery laboratories cannot recover the original information.

These erasure methods can be executed using built-in OS or OEM commands, but doing so requires technical expertise. By contrast, professional data-wiping tools simplify the process, allowing the same commands to be executed via an easy-to-use interface that requires little to no technical knowledge. It is important to remember that the data-wiping tool you choose must align with your organization’s data disposal policy requirements. Data wiping software should ideally have the following features and certifications to prove its erasure efficacy:

  • Erase drives and devices, including hidden areas, using international data wiping standards like NIST 800-88 Clear and Purge, US DoD 5220.22-M, etc.
  • Generate a detailed Certificate of Destruction for audit purposes, showing that the data was erased
  • Be certified by global certification bodies like Common Criteria, ADISA, NIST, etc.

Furthermore, you should also ensure that your organization:

  • Implements a clear chain of custody for all data-bearing devices, from acquisition to disposal
  • Audits its data erasure processes, including those of third-party vendors
  • Provides training to employees about data erasure, its need, and the proper procedures to follow
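To make concrete the earlier point that deletion only marks sectors as available, and what an erasure audit has to check, here is an added example that is not part of the original article. It uses a constructed in-memory toy volume (the `ToyVolume` class, its sector layout, and the sample record are assumptions for illustration, not a real filesystem) to show that data survives a delete and is only gone after an overwrite that a sector scan can verify.

```python
import io

SECTOR = 512  # bytes per sector in this constructed toy volume

class ToyVolume:
    """Raw sectors plus a metadata map of file -> sectors (hypothetical layout)."""
    def __init__(self, sectors=64):
        self.sectors = sectors
        self.disk = io.BytesIO(bytes(SECTOR * sectors))
        self.files = {}

    def write_file(self, name, data):
        used = {s for secs in self.files.values() for s in secs}
        free = [s for s in range(self.sectors) if s not in used]
        chosen = free[: -(-len(data) // SECTOR)]  # ceiling division
        for i, s in enumerate(chosen):
            self.disk.seek(s * SECTOR)
            chunk = data[i * SECTOR:(i + 1) * SECTOR]
            self.disk.write(chunk.ljust(SECTOR, b"\0"))
        self.files[name] = chosen

    def delete(self, name):
        # Standard deletion: drop the metadata entry, leave sector contents alone.
        return self.files.pop(name)

def residual_sectors(disk, sectors, pattern=b"\0"):
    """Audit scan: sector numbers whose content differs from the wipe pattern."""
    expected = pattern * SECTOR
    found = []
    for s in range(sectors):
        disk.seek(s * SECTOR)
        if disk.read(SECTOR) != expected:
            found.append(s)
    return found

def overwrite_all(disk, sectors, pattern=b"\0"):
    """Single-pass overwrite of every addressable sector."""
    disk.seek(0)
    for _ in range(sectors):
        disk.write(pattern * SECTOR)

def demo():
    vol = ToyVolume()
    record = b"name=Jane Example;ssn=000-00-0000;" * 40  # constructed sample PII
    vol.write_file("clients.csv", record)
    vol.delete("clients.csv")
    after_delete = residual_sectors(vol.disk, vol.sectors)
    still_readable = b"ssn=000-00-0000" in vol.disk.getvalue()
    overwrite_all(vol.disk, vol.sectors)
    after_wipe = residual_sectors(vol.disk, vol.sectors)
    return after_delete, still_readable, after_wipe
```

On real media an overwrite issued through the operating system reaches only the addressable sectors, which is why the feature list above calls out hidden areas separately.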

Looking Ahead: The Future of Data Erasure

In this evolving landscape, organizations must stay ahead of the curve. This means not only complying with current regulations but anticipating future requirements. It means viewing data erasure not as a burdensome compliance task, but as a critical component of overall data strategy and corporate responsibility.

As we conclude, it’s time for some hard questions: How confident are you in your organization’s data destruction policy? Are you certain that employees are aware of the best method to destroy data? 

In a world where data is the new-found gold and is both an asset and a liability, secure data erasure isn’t just a technical requirement – it’s a fundamental business requirement. The choice is clear: Invest in robust data erasure practices now, or risk paying a far higher price in the future. The question isn’t whether you can afford to prioritize data erasure. It’s whether you can afford not to.