Hard disk drives (HDDs) don’t last forever. And if a data breach occurs with your end-of-life (EOL) equipment, the resulting chaos could damage your company for a long time.
A major data disaster
In 2016, the multinational investment firm Morgan Stanley made severe errors that exposed the personal data of 15 million customers. The problems began seemingly innocently when Morgan Stanley engaged a moving and storage company called Triple Crown to decommission some of its IT assets from two data centers. Triple Crown did not sanitize the EOL hard drives before passing them along to a third party. Unfortunately, the hard drives contained customer financial information, and they were snapped up on an auction site. The data breach was not discovered for almost a year. Finally, one of the parties in possession of the information brought the breach to the attention of Morgan Stanley, which then notified affected customers and the Securities and Exchange Commission (SEC).
The SEC response
In September 2022, following an in-depth investigation of the data breach, the SEC fined Morgan Stanley $35 million, citing three specific issues:
- Morgan Stanley did not establish and enforce procedures for properly disposing of customer information.
- The financial firm failed to properly vet service providers to ensure they had the expertise to dispose of customer information safely.
- The firm did not conduct sufficient due diligence on Triple Crown’s ability to dispose of hard drives containing sensitive customer data.
Further data issues
In 2019, Morgan Stanley compounded its data protection errors when it retired 500 servers from offices nationwide. The servers were sold to third parties, but the investment firm could not account for the whereabouts of specific devices that contained encrypted data. Its inability to do so resulted in a $60 million fine from the Office of the Comptroller of the Currency (OCC) in 2020. Later that year, this fine was followed by another $60 million settlement from a class action lawsuit.
What to do
Smaller companies with different objectives may not face data breaches that result in multi-million-dollar fines, but every company must ensure that its customer information is well protected. There are specific steps to take, such as:
- Establish a data destruction process: Consider destroying hard disk drives by shredding them. This gets rid of 100% of the data. Shredding follows the security requirements of the National Security Agency and the Department of Defense.
- Establish a verification plan: Ensure regulatory compliance with a verification process that emphasizes accountability and generates an audit trail.
- Rely on e-recycling professionals: Depend on Urban E-Recycling for state-of-the-art, hard drive data destruction, free of charge.
A matter of trust
Customers expect the companies they deal with to protect their highly sensitive personal information. It is a matter of trust that, if lost, will damage a company’s integrity. To avoid possible financial penalties and damage to your company’s reputation, be aware of the importance of EOL data security. To this end, the trials of Morgan Stanley come with essential lessons. Learn from others’ mistakes.