CyberCrunch™ News: Advice on safe, secure data destruction and electronic recycling
Welcome to our monthly newsletter, designed to help you avoid data breaches and manage your data destruction more effectively.
This month, we’ll show you how important it is to have the proper certification when destroying data. We’ll also discuss the data destruction best practices for the new HIPAA privacy rules, which are likely to affect your business.
In addition, we’ve included a news story on our efforts to prevent identity theft with our new partner, the DELCO District Attorney.
If you would like help or advice about the safe, secure disposal of sensitive information, or any information about recycling your electronics more generally, visit us at https://dev1.ccrcyber.com.
3 reasons you need Certificates of Destruction
We all know that businesses are required to dispose of sensitive data, but it’s easy to forget that the law requires solid proof of destruction.
The best way to do this is via a “Certificate of Destruction” – a formal document, confirming that data has been correctly destroyed.
If you run a business and aren’t sure if you need one or not – here are 3 big reasons why a certificate of destruction is important:
1. Compliance with the law: Serialized destruction is an absolute must when it comes to dealing with laws such as HIPAA, GLBA, SOX, PCI and GDPR. If you don’t have one, you’ve no proof that you have been following your legal obligations of data destruction.
2. A solid paper trail: Without a proper Certificate of Destruction, a company has no proof that items were destroyed. By maintaining a proper audit trail, including chain of custody, a company can be protected in the event of litigation.
3. Proper insurance: The most important aspect of a certificate of destruction is the insurance that backs it up. A certificate of destruction is not worth the paper it is written on if it is not backed by professional cyber liability insurance.
Unfortunately, despite its importance, many recyclers and shredders do not provide these certificates owing to high cost. Don’t be fooled by a general liability insurance certificate; this generally does not cover data breaches.
What should a Certificate of Destruction contain?
- A list of assets including serial numbers
- Date material was transferred, and ownership was changed
- Date material was destroyed
- How the material was destroyed
- Who the material was destroyed by
- Cyber Insurance to back up the Certificate of Destruction
Always ensure these details are present before entering into an agreement with an external data destruction company.
By selecting a company like CyberCrunch™ you can be assured that our certificates of destruction are backed by our 1M cyber insurance guarantee.
At CyberCrunch, our IT asset disposition (ITAD) services provide secure erasure before assets are remarketed, donated or destroyed. We’ll always provide you with a full Certificate of Destruction for your records.
How do the new HIPAA privacy rules affect your data destruction?
With a growing number of data privacy laws, it’s now vital that business owners have strong policies in place to avoid fines and penalties.
Unfortunately, recent privacy developments in health-related data are making these laws more complicated and difficult to follow.
If you are in possession of any ‘Protected Health Information’ (PHI), you must meet strict guidelines for both its handling and destruction.
Once you look into the details of what these ‘HIPAA privacy rules’ involve, it can suddenly become overwhelming.
To help you, we’ve put together a quick guide so you understand your HIPAA data destruction responsibilities.
Is your organization affected?
According to the Federal Government, ‘covered entities’, which are in possession of Protected Health Information (PHI), must meet strict guidelines for not only handling but also the destruction of such data.
‘Covered entities’ are defined as organizations that electronically transmit health information in connection with transactions for which HHS has adopted standards.
They could be individuals or private or public institutions such as hospitals, academic medical centers, physicians, and other health care providers.
However, covered entities may also be business associates of any of the above who review, analyze, transmit or otherwise come into possession of PHI. That includes business associates performing legal, actuarial, accounting, consulting, data aggregation, management, administrative, accreditation, or financial services to or for a covered entity.
As you can see, this definition could easily include your business.
With that in mind, here are some of the data destruction best practices, as set out by HIPAA…
1. Disposal of hard drives, computers and other electronics
Whether it’s an old company-issued phone or an outdated laptop, you need to be aware of the specifics when it comes to electronic data destruction best practices.
Under HIPAA Privacy Rules, e-waste that has previously held protected data must be thoroughly cleansed of any such information.
For electronics that contain PHI, various approved methods for disposal are suggested including:
2. Destruction of physical documents
Physical copies such as patient files, paper copies of bills or procedure orders and even remitted receipts that potentially contain PHI are all still commonly used in HIPAA related fields.
Physical destruction of these documents must ensure that any PHI-containing material is no longer decipherable via methods such as incineration, shredding and more.
An often-overlooked area of physical document destruction can also occur when a company ceases to do business. The end of a company’s commercial activities does not end their obligations under HIPAA.
3. Custom tailored data destruction
Normal methods of data destruction may not be satisfactory for your business. You must review your own circumstances, including the form, type and amount of PHI to be disposed of, in order to develop appropriate destruction safeguards.
If you possess highly confidential PHI, you may need a higher level of care due to the sensitive nature of the information. This might include social security numbers, debit or credit card numbers or diagnosis or treatment information.
Ensure you perform risk assessments of your PHI and physical and electronic data destruction programs to ensure you remain compliant.
4. Ongoing workforce training
The healthcare privacy rules require your employees to receive initial and ongoing training in data destruction policies and procedures.
The education should be tailored to the level of the employee’s exposure to confidential PHI. There is no one-size-fits-all program for this, so training programs should be specially designed with a company’s individual workforce in mind, maintained and documented rigorously.
How can you make this easier?
Some employers may feel intimidated by the HIPAA rules, but the good news is that there are a growing number of highly educated, certified and experienced data destruction firms who are knowledgeable in the strict requirements of HIPAA when it comes to PHI.
At CyberCrunch™, we can help you dispose of your data so you are completely compliant with all current data laws, including HIPAA.
If you’d like to learn more about how a strategic partner in the space can help reduce your company’s liability and ensure compliance with the HIPAA privacy rules, contact us.
CyberCrunch™ Partners with DELCO District Attorney to Prevent Identity Theft
CyberCrunch™ is now providing a FREE physical data destruction service for Delaware County residents by partnering with DELCO District Attorney Katayoun M. Copeland.
“Many of us have old computers and cell phones that contain personal data that we would not want in the hands of others. The safest way of making sure that data is never compromised is to have the hard drive or cell phone shredded,” said Serdar Bankaci, President of CyberCrunch™.
Our digital data destruction service ensures fast and secure destruction of hard drives and other data storage devices. Complete destruction of data ensures that classified data or highly sensitive business data on your hard drive or mobile devices does not fall into the wrong hands.
Proper data destruction services involve some cost, but on Saturday, June 2nd from 9 am to 12 pm, District Attorney Katayoun M. Copeland is sponsoring a FREE data destruction event for Delaware County residents. Our professionals will be onsite to physically destroy your media so there is no chance of data recovery.
“These days our cell phones and computers contain all of our personal details such as passwords, account numbers, addresses and phone numbers which a criminal could use to steal your identity, steal your life savings,” said District Attorney Katayoun Copeland.
“Protecting both sensitive personal and business data couldn’t be easier. CyberCrunch™ professionals will be onsite to securely shred your hard drives, mobile devices, and removable media. There is no need to remove your hard drive from your desktop or laptop. You can bring the computer to the event and CyberCrunch™ will handle the rest.”
This FREE data destruction event will take place at:
Clifton Heights Firehouse Parking Lot
20 W. Baltimore Avenue
Clifton Heights, PA.
All Delaware County residents who need data destruction will be welcome.
Members of the public should please note that the event is for data shredding only. No TVs, CRTs, computer monitors or any other type of electronics will be accepted. Information for e-waste recycling will be available at the event.
For more information on CyberCrunch and the wide range of e-waste and data destruction services the Company offers, visit http://www.ccrcyber.com