The blind spot in Chain of Custody

It’s easy to accidentally create a chain of custody liability gap during the asset disposition process. Equipment leaves the building with the right “paperwork” for data destruction but, because hard drives are usually tallied by the device, the chain of custody documentation is often wrong the minute the device leaves the loading dock.

Problem 1: Drives are not obvious
If you have one device, how many drives are a part of that device? What if it’s a server? It’s one device, right? One unit on your chain of custody documentation. Inside the server (or other complex IT asset), it’s a different story because it is made up of many hard drives: 4, 10, 20, sometimes 200+.

For your chain of custody audit and verification, are you counting this single server as one item for processing/disposition? Or as 1 device containing 20 (or 200) hard drives that need to be processed?

Tricky.

Digging in a little more (only because we see this time and time again), do the drives have data on them? What is their final disposition plan? Is each drive on the device included in the disposition (data destruction) chain of custody?

Without knowing the number of drives in each device, and the final disposition and accountability of each of those drives, there is an opportunity for legal liability and a data breach before or during the data disposal process.

This is a risk no company should be exposed to. The answer is creating a plan to double check each device for drives and to perform onsite data destruction before the assets leave the building.

Problem 2: Data storage isn’t obvious
What is your data destruction chain of custody like when your asset disposition team doesn’t even realize that the device has a hard drive at all?

Newer servers and some desktop equipment have internal drives that are not visible until the unit is opened.

Other devices have solid state drives (SSD) plugged right into the motherboard. Blade servers are even more complex with multiple server modules (“blades”) in a single chassis. The blade is another animal unto itself; each may have a few drives and solid state drives as part of the motherboard.

Smart office equipment like copiers, all-in-one printers, scanners, POS (point of sale) equipment and more are often not included as part of the data destruction chain of custody, because they may not even be considered to be IT devices. They’re under different contracts from different providers and managed by different staff.

But these devices have hard drives that hold sensitive documents that were scanned, printed or duplicated: HR files, patient records, legal documents, financial records, and more.

Gulp.

The chain of custody backup plan
When the device leaves the building, do you know the number of drives in that device? Data destruction is the chain of custody backup plan.

That’s why it’s important to work with a data destruction provider that understands your company, your devices, your disposition plan and your risks.

As a device is confirmed, audited and decommissioned, they should double check each unit, confirming the drive count and recording any hard drive discrepancies, so that the final chain of custody to the processor is accurate. Final result: every hard drive and every SSD is included in your asset transfer form, your data destruction chain of custody record and your corresponding certificate of data destruction.

You are covered.

Working together to eliminate risk
How do you get a handle on all the IT office equipment that is heading out the door for asset disposition? How can you ensure that your devices (and their data) aren’t mishandled, misdocumented or unaccounted for?

  • Step 1: Understand which devices in your organization hold potentially damaging data and include them in your chain of custody and asset disposition plan.
  • Step 2: Understand which devices may have multiple hard drives and adjust your chain of custody inventory system to match.
  • Step 3: Work with an ITAD or VAR who will develop a data destruction plan that understands the value of a cradle-to-grave chain of custody.
  • Step 4: Insist on providers that understand the complexity of IT equipment and, without being asked, will double check your equipment for errors.
  • Step 5: Data disposition through a secure, compliant provider is the only guarantee of chain of custody, and the only way to ensure that your devices (and their data) aren’t resold, forgotten, mishandled or casually thrown away.
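Steps 2 and 5 (and the "double check each unit" advice above) come down to one bookkeeping discipline: reconcile three records at the drive level rather than the device level. The script below is an added illustration, not tooling from this article or its author, and every asset tag, serial number and device type in it is constructed. It compares (a) what the asset transfer form declared per device, (b) the drive serials actually found when each unit was opened at decommissioning, and (c) the serials listed on the processor's certificate of destruction, and reports exactly the gaps the two "Problems" above describe: a server tallied as one item that contained four drives, a copier nobody audited, and a drive that left the building but never appears on the certificate.

```python
"""Drive-level chain of custody reconciliation (constructed example).

Three records are compared:
  * the asset transfer form, which tallies drives per DEVICE (often "1"),
  * the decommissioning audit, which records the drive serials actually
    found inside each unit when it was opened,
  * the certificate of data destruction, which lists drive serials the
    processor sanitized.
Every gap between them is a chain of custody liability.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Device:
    asset_tag: str
    kind: str
    drives_declared: int                      # drive count on the transfer form
    drives_found: list[str] = field(default_factory=list)  # serials seen at audit


@dataclass
class Finding:
    asset_tag: str
    issue: str
    detail: str


def reconcile(devices: list[Device], destroyed_serials: list[str]) -> list[Finding]:
    """Return every discrepancy between the three custody records."""
    findings: list[Finding] = []
    destroyed = set(destroyed_serials)
    audited: set[str] = set()

    for dev in devices:
        found = set(dev.drives_found)

        # Problem 1: the form counted the device, not the drives inside it.
        if len(found) != dev.drives_declared:
            findings.append(Finding(
                dev.asset_tag, "count_mismatch",
                f"declared {dev.drives_declared}, found {len(found)}"))

        # Problem 2: nothing declared and nobody looked inside. Copiers,
        # POS terminals and blades commonly land here; treat as unverified.
        if dev.drives_declared == 0 and not found:
            findings.append(Finding(
                dev.asset_tag, "unverified",
                "no drives declared or audited; open the unit before it ships"))

        # A drive that left the building but is missing from the certificate.
        for serial in sorted(found - destroyed):
            findings.append(Finding(dev.asset_tag, "not_destroyed", serial))

        audited |= found

    # A certificate entry that no audited device accounts for is also a
    # record problem: the processor destroyed something you never sent.
    for serial in sorted(destroyed - audited):
        findings.append(Finding("?", "orphan_certificate_entry", serial))

    return findings


def coverage(devices: list[Device], destroyed_serials: list[str]) -> tuple[int, int]:
    """(drives on the certificate, drives found at audit)."""
    destroyed = set(destroyed_serials)
    total = sum(len(d.drives_found) for d in devices)
    covered = sum(1 for d in devices for s in d.drives_found if s in destroyed)
    return covered, total


# Constructed sample data: one batch leaving the loading dock.
SAMPLE_DEVICES = [
    Device("SRV-0142", "rack server", 1, ["SN-A1", "SN-A2", "SN-A3", "SN-A4"]),
    Device("WS-0301", "desktop", 1, ["SN-B1"]),
    Device("MFP-0077", "copier", 0, []),            # never treated as an IT device
    Device("BLD-0009", "blade chassis", 1, ["SN-C1", "SN-C2"]),
]

# Constructed certificate of destruction from the processor.
SAMPLE_CERTIFICATE = ["SN-A1", "SN-A2", "SN-A3", "SN-B1", "SN-C1", "SN-C2", "SN-Z9"]


if __name__ == "__main__":
    for f in reconcile(SAMPLE_DEVICES, SAMPLE_CERTIFICATE):
        print(f"{f.asset_tag:10} {f.issue:26} {f.detail}")
    done, total = coverage(SAMPLE_DEVICES, SAMPLE_CERTIFICATE)
    print(f"certificate covers {done} of {total} audited drives")
```

Run as-is, the report shows the server and blade chassis declared as one unit each, the copier as unverified, drive SN-A4 missing from the certificate, and SN-Z9 on the certificate with no matching audited device; the certificate covers 6 of 7 drives that actually left. The useful property is that the transfer form, the audit and the certificate must all agree serial by serial before the batch is signed off, which is what "every hard drive and every SSD is included" means in practice.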

Reduce risk and liability
Whether you take care of data disposition internally or outsource IT asset disposition, you must be able to account for anything that leaves your custody.

Review our “30 common places your company data is stored (and waiting for a breach)” list to see other devices that should be included in your device lifecycle planning (and chain of custody protocols).

If you need help understanding asset tracking, regulatory compliance, or chain of custody as part of the asset disposition process, talk to us. Without obligation. And we can refer you to a VAR or ITAD if you need one.
