Peer to Peer: ILTA's Quarterly Magazine
Issue link: https://epubs.iltanet.org/i/1530716
Page 62 | Peer to Peer: ILTA's Quarterly Magazine | Winter 2024

UNDERSTANDING DATA DISPOSAL METHODS

To comply with the data disposition requirements of the regulations discussed above, companies must ensure that data disposal is permanent and renders the disposed data irretrievable. Techniques for ensuring this level of responsible data disposal include:

Cryptographic Erasure: encrypting data at the time of storage and securely deleting the encryption keys when the data is no longer needed, rendering the data mathematically irretrievable.

Physical Destruction: incinerating hard drives or degaussing magnetic media.

Certified Digital Erasure: using specialized software to overwrite data on storage devices multiple times, eliminating all traces of the original data.

These methods comply with regulatory requirements for secure and irreversible data disposition.

THE COST OF MISHANDLING DATA DISPOSAL: LEARNING FROM REAL-WORLD CASES

Neglecting to follow these regulatory requirements can lead to a cascade of adverse outcomes, including data breaches, legal disputes, regulatory fines, and reputational damage. Several high-profile incidents underscore the critical importance of disposing of unnecessary data.

VISION CARE COMPANY'S 2020 DATA BREACH

In 2020, a prominent vision care company experienced a data breach involving a shared email account containing six years of customer data. The breach compromised the personal and medical information of approximately 2.1 million individuals. Investigations revealed that the company had retained unnecessary data longer than needed and lacked adequate security measures. As a result, the New York State Department of Financial Services fined the company $4.5 million for violations of its cybersecurity regulation.

ONLINE RETAILER'S 2019 DATA BREACH

In 2019, a popular online retailer suffered a data breach affecting millions of customers and received a $500,000 fine from the U.S. Federal Trade Commission (FTC). The FTC noted that the company had retained personal information indefinitely without a legitimate business need, which increased the breach's impact. The company faced regulatory action partly due to its over-retention practices.

CLOUD COMPUTING PROVIDER'S 2020 DATA BREACH

In early 2020, a cloud computing provider experienced a ransomware attack. The attackers accessed extensive personal information, including Social Security and bank account numbers. The FTC criticized the company for retaining data longer than necessary, contributing to the breach's severity. As part of a settlement, the regulator required the company to delete unnecessary data and improve its data retention policies. So far, the company has received approximately $60 million in fines from various regulators concerning this breach.
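The two software-based disposal techniques listed above, cryptographic erasure and multi-pass overwriting, are easier to reason about when seen end to end. The script below is an added example written for this page; it is not code from the article or from any vendor it mentions. It keeps records only as ciphertext under a data-encryption key (DEK), "disposes" of them by destroying that key, and separately overwrites a temporary file several times and verifies that nothing of the original survived. Every name, record and file in it is constructed for the demonstration, and the cipher is a toy SHA-256 counter-mode construction chosen so the script runs with the Python standard library alone; a real deployment would use a vetted AEAD such as AES-GCM and keep the DEK in a KMS or HSM.

```python
"""Added example: cryptographic erasure and overwrite-based erasure.

Toy cipher (SHA-256 in counter mode + HMAC tag) so the script needs only
the standard library. Do not reuse the cipher itself in production.
"""
import hashlib
import hmac
import os
import secrets
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from (key, nonce, counter)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || HMAC tag (encrypt-then-MAC)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None when the key does not authenticate the blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None  # wrong or destroyed key: the ciphertext is useless
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class EncryptedRecordStore:
    """Hypothetical store: records exist only as ciphertext; the DEK is held apart."""
    _dek: Optional[bytes] = field(default_factory=lambda: secrets.token_bytes(32))
    _records: Dict[str, bytes] = field(default_factory=dict)

    def put(self, record_id: str, data: bytes) -> None:
        if self._dek is None:
            raise RuntimeError("store has been cryptographically erased")
        self._records[record_id] = encrypt(self._dek, data)

    def get(self, record_id: str) -> Optional[bytes]:
        return None if self._dek is None else decrypt(self._dek, self._records[record_id])

    def crypto_erase(self) -> None:
        """Disposal step: destroy the key. Ciphertext may linger on backups."""
        self._dek = None

    def ciphertext_bytes(self) -> int:
        return sum(len(v) for v in self._records.values())


def demo_crypto_erasure() -> dict:
    sample = b"constructed sample record: name=J. Doe, ssn=000-00-0000"
    store = EncryptedRecordStore()
    store.put("rec-1", sample)
    readable_before = store.get("rec-1") == sample
    store.crypto_erase()
    readable_after = store.get("rec-1") == sample
    # Ciphertext is still present; show that without the DEK it cannot be opened.
    wrong_key_recovers = decrypt(secrets.token_bytes(32), store._records["rec-1"]) is not None
    return {"readable_before": readable_before, "readable_after": readable_after,
            "ciphertext_bytes_retained": store.ciphertext_bytes(),
            "wrong_key_recovers": wrong_key_recovers}


def overwrite_file(path: str, passes: int = 3) -> bytes:
    """Overwrite a file in place (zeros, ones, random ...) and return the final bytes."""
    size = os.path.getsize(path)
    patterns = [b"\x00", b"\xff", None]  # None means a random pass
    with open(path, "r+b") as f:
        for i in range(passes):
            pat = patterns[i % len(patterns)]
            f.seek(0)
            f.write(os.urandom(size) if pat is None else pat * size)
            f.flush()
            os.fsync(f.fileno())
    with open(path, "rb") as f:
        return f.read()


def demo_overwrite(passes: int = 3) -> bool:
    """True when the overwritten file keeps its size but none of the original content."""
    original = b"constructed sample: customer export 2018-2024\n" * 64
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(original)
        final = overwrite_file(path, passes)
        return len(final) == len(original) and final != original and b"customer export" not in final
    finally:
        os.remove(path)


if __name__ == "__main__":
    print(demo_crypto_erasure())
    print("overwrite verified:", demo_overwrite())
```

Two caveats a practitioner will want alongside the article's list: cryptographic erasure is only as complete as the key destruction, so every copy of the DEK (key escrow, backups, HSM or KMS replicas) has to be revoked for the ciphertext left on backups to count as disposed; and file-level overwriting, as in `overwrite_file`, does not reach remapped blocks on SSDs or wear-levelled flash, which is why certified erasure tools and physical destruction remain on the list for such media.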