If you dispose of your old corporate laptops without making sure – really sure – that their drives are erased, you could be liable for millions of dollars in fines or legal damages if sensitive data falls into the wrong hands.

Morgan Stanley fined $35m after hard drives sold with customer info still on them.

READ MORE

For example, in 2022, the US Securities and Exchange Commission fined Morgan Stanley Smith Barney (MSSB) $35 million for failing to properly dispose of devices that contained personally identifiable information (PII) after the finance firm hired an unqualified moving and storage company to clear out some datacenters.”According to the contract with MSSB, Moving Company would work with an e-waste management company (“IT Corp A”) to wipe or destroy any data present on the decommissioned devices,” the SEC wrote in a 2022 filing [PDF].”However, at some point during the engagement, Moving Company stopped working with IT Corp A and instead began selling unwiped devices removed from MSSB’s datacenters to another third party (“IT Corp B”).”Because MSSB didn’t properly oversee its vendor, the moving company sold 4,900 different assets, which included unwiped hard drives that contained thousands of instances of PII on them. The Office of the Comptroller of Currency (OCC) fined Morgan Stanley an additional $60 million and the company settled a class action suit for another $60 million [PDF], bringing its total liability to $155 million. Simply offloading the problem to a third-party did not shield MSSB from responsibility.These hard drives came from a datacenter, but they could just as easily have been inside laptops your company is replacing.

Guidelines for data or drive destruction – Any serious data destruction service will follow the NIST 800-88 guidelines Rev. 1 [PDF], first introduced by the US government in 2014. They don’t specify particular tools to use, but advise companies to make data sanitization decisions based on both the security categorization of the data and whether the media is leaving organizational control.

NIST says that there are three main ways to sanitize data:

• Clear: Overwriting the data with garbage data or, where that’s not available, factory resetting. The drawback is that there are usually inaccessible sections of a disk that the OS can’t write to, which won’t get erased. These occur because of features such as wear-leveling and overprovisioning that give storage devices extra data blocks they rotate in and out of use to extend their useful lifetimes. Data recovery is possible in a lab environment.
• Purge: Using extra techniques such as secure erase that clear all sections of the device, making data recovery difficult, even in a lab environment. Drives can still be reused, however.
• Destroy: Physically damaging the drives beyond repair so that they can never be used again. Methods include drive shredding and incineration. If done properly, not even individual NAND Flash chips can be left intact. This method is the most costly and worst for the environment because the drive (and possibly the device it powered) cannot be reused….

More about

• Data
• Laptop
• Lawsuit