Disposing of hardware in the wrong manner can leave an organization offside its regulatory obligations under privacy legislation. Depending on where the individuals or entities whose personal data an organization stores reside, improper disposal of storage devices may breach the regulatory obligations of several countries at once.
Morgan Stanley recently agreed to pay US$35 million to the U.S. Securities and Exchange Commission (SEC) further to an inquiry by the SEC regarding the alleged improper removal of computer devices from the Morgan Stanley offices. The SEC alleged that the company hired a moving and storage company with no expertise in data protection to decommission thousands of servers and hard drives. The SEC further alleged that the moving company sold those devices, which included the personal identifying information of millions of customers. Morgan Stanley has not admitted the allegations.
This case raises an important risk which is often overlooked. Hardware used by an organization typically contains substantial amounts of personal and confidential information. If not wiped properly, that information can be subject to unauthorized access. If an organization outsources the task of removal and destruction without taking the appropriate steps, that organization is exposed.
Typically the manner in which hardware is disposed of by an organization is left to the IT department. However, the risks inherent in this exercise call for management oversight on how this task will be carried out, including for example the vetting of third-party suppliers who may be retained to dispose of the equipment, contractual obligations and indemnity terms in the agreement with those suppliers, and limitations on the supplier's ability to outsource its obligations.
The Office of the Privacy Commissioner of Canada (OPC) recommends the following (among other things) in its guidance document entitled Personal Information Retention and Disposal: Principles and Best Practices:
Privacy and confidentiality issues require careful planning and consideration at every step of the data life cycle, from collection to disposal. The consequences of failing to do so can be significant.
The Bennett Jones Privacy and Data Protection group would be pleased to assist you with any questions you may have.