The Relevance of the Sarbanes-Oxley Act to Data Destruction

The Sarbanes-Oxley Act of 2002 (SOX), primarily known for its stringent financial reporting and corporate governance regulations, also has significant implications for corporate data management practices. One of the often overlooked aspects of SOX is its relevance to data destruction, a crucial component in maintaining compliance with data integrity and security standards. Here, we highlight some best practices for SOX compliance, especially regarding end-of-life electronics, ensuring companies protect and dispose of sensitive information appropriately.

Understanding the Sarbanes-Oxley Act

SOX was enacted in response to major corporate scandals like Enron and WorldCom to increase transparency in financial reporting and hold companies accountable for their financial practices. Key provisions include:

  • Enhanced financial disclosures
  • Increased corporate responsibility
  • Stricter penalties for fraudulent financial activity
  • Enhanced internal controls and audit requirements

Data Destruction and SOX Compliance

While SOX does not explicitly mandate data destruction, its requirements for record retention and internal controls imply a structured approach to handling and disposing of data, especially financial records. Here’s how SOX influences data destruction:

1. Record Retention Requirements

Document Management

SOX Section 802 sets stringent guidelines on the retention of financial records. Companies are required to maintain accurate and detailed records for a specified period. These guidelines require a clear policy for the retention and eventual destruction of records once they are no longer needed. The destruction of records must be managed carefully to ensure compliance with these retention schedules.

2. Internal Controls and Procedures

SOX Sections 302 and 404 require companies to establish robust internal controls to ensure the integrity of financial reporting. This includes controls over how data is archived and destroyed. Adequate internal controls should address the following:

  • Identification of data that needs to be retained
  • Secure storage methods
  • Proper authorization for data destruction
  • Documentation of the destruction process

Failure to properly manage data destruction could result in loss of critical records, leading to non-compliance and potential penalties.

3. Preventing Fraud and Data Tampering

The prevention of fraud and data tampering is a core objective of SOX. Inadequate data destruction practices can leave sensitive financial data vulnerable to unauthorized access or tampering. By implementing secure data destruction policies, companies can protect against data breaches and ensure that obsolete records are permanently destroyed, thereby upholding the integrity of their financial reporting. Partnering with an experienced data destruction provider adds another layer of protection to your process. Securis recently completed an on-site shredding job for a financial services company. They told us that all hard drives had been removed and that we could recycle the eight server cabinets. Upon inspection, we found 86 drives (72 SSDs and 14 hard drives). We shredded the 86 drives, saving the company from what could have been an expensive breach. The 86 missed drives represented 15% of the total drives destroyed.

Best Practices for Data Destruction Under SOX

To align data destruction practices with SOX requirements, companies should consider the following best practices:

1. Develop a Comprehensive Data Retention and Destruction Policy

Create a clear policy that outlines the following:

  • Retention periods for different types of records
  • Procedures for secure destruction of paper and electronic records
  • Roles and responsibilities for managing the process

2. Implement Secure Destruction Methods

Ensure that data is destroyed using methods that make it unrecoverable. This includes:

  • Shredding for physical documents
  • Degaussing or overwriting for magnetic media
  • Wiping, shredding, or disintegration of electronic media

3. Audit and Monitor Compliance

Regularly audit data destruction processes to ensure compliance with SOX and internal policies. Monitoring should include:

  • Verification of destruction methods
  • Documentation of destruction activities, including a certificate of destruction
  • Regular reviews of policies and procedures

4. Employee Training and Awareness

Educate employees on the importance of data destruction and their role in ensuring compliance. Training programs should cover:

  • Legal requirements for data storage and disposal
  • Company policies and procedures for data storage and disposal

Securis provides solutions for wiping, shredding and disintegration of electronic data.

Conclusion

The Sarbanes-Oxley Act’s impact on data destruction is a critical but often underappreciated aspect of compliance. Companies can comply with SOX requirements and enhance their overall data security posture by understanding and implementing effective data destruction practices. Ensuring that obsolete data is properly destroyed protects against potential fraud, data breaches, and non-compliance penalties, ultimately contributing to a company’s integrity and trustworthiness. Partnering with a secure and certified data destruction and IT recycling partner like Securis can ensure your compliance with SOX and many other compliance standards.

If you’re ready to responsibly dispose of your company’s IT assets, contact Securis today. We’re here to help you protect your data, the environment, and your bottom line.

Is Your Smartphone Data Safe after a Factory Reset?

Smartphones are indispensable in our daily lives. We use them to stay connected, work remotely, navigate cities, track fitness goals, manage our finances, and capture cherished memories. According to Reviews.org, Americans check their phones 144 times daily and spend over four hours daily on them. But when it’s time to upgrade, most of us assume that a factory reset wipes everything clean. That assumption is not just wrong—it’s risky.

Why We Upgrade—and What Happens Next

As smartphone technology evolves rapidly, most people upgrade regularly. These old phones don’t just vanish—they’re often traded in, sold, or handed down to someone else. Before that happens, we typically perform a factory reset. But here’s the problem: a factory reset doesn’t entirely delete your data.

What Factory Reset Really Does (and Doesn’t Do)

Many users believe a factory reset protects their data. But that’s a misconception. A reset removes the pointers to your data—not the data itself. On the surface, the phone looks fresh and empty. In reality, your personal and corporate information still lives on the device.

In a 2015 study by Blancco Technology Group and Kroll Ontrack, researchers purchased over 120 used phones online. They found that 35% of those phones still contained recoverable data—including texts, emails, photos, and more.

Factory reset has limitations

“People think their data’s been destroyed, and really all you’re doing [with a factory reset] is removing the table of contents. The rest of the chapters of the book are sitting there waiting to be discovered.” — Pat Clawson, CEO, Blancco Technology Group

Security Risks by Operating System

Apple iOS: Strongest Native Protection

Apple uses hardware-based encryption. After a factory reset, the encryption key is deleted, rendering the remaining data unreadable. While not infallible, this makes data recovery extremely difficult.

Android: Ongoing Vulnerabilities

Android devices—especially those powered by Qualcomm—are far more susceptible. That’s because they often store encryption keys in software rather than hardware. Once the key is exposed, data can be accessed. Recent attacks using brute-force tactics have compromised millions of Android phones.

Windows Phone: Easy Targets

A factory reset on a Windows Phone simply removes data pointers. The actual data remains intact and can be recovered with basic tools.

Mobile Data Erasure: The Secure Solution

Proper security comes from using software that meets NIST 800-88 standards for data sanitization. Mobile data erasure doesn’t just hide your data—it overwrites it, making it completely unrecoverable.

Benefits of Mobile Data Erasure:

  • Overwrites all data multiple times
  • Compliant with HIPAA, GDPR, CCPA, and other data regulations
  • Generates proof of erasure through certification
  • Can be performed on-site or remotely

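The three behaviours described above (a reset that only drops the pointers to data, an overwrite that rewrites the storage, and the key-deletion approach the article attributes to iOS) can be made concrete with a small model. The following is an added example, not code from the original article or from Securis; the "device", its 16-byte blocks, the sample payroll line, and the SHA-256-based toy keystream are all constructed for illustration. It also shows the verification step the SOX section asks for: a scan of the raw blocks that ignores the file table, which is what an auditor checking a wipe (or a recovery tool) would do.

```python
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BLOCK_SIZE = 16  # toy block size, constructed for this demo; not a real flash geometry


@dataclass
class ToyFlash:
    """A tiny storage device: fixed-size blocks plus a file table (the "table of contents")
    mapping file names to the block indices that hold their bytes."""
    blocks: List[bytes]
    file_table: Dict[str, List[int]] = field(default_factory=dict)

    @classmethod
    def blank(cls, n_blocks: int) -> "ToyFlash":
        return cls(blocks=[bytes(BLOCK_SIZE) for _ in range(n_blocks)])

    def write_file(self, name: str, data: bytes) -> None:
        """Store data in blocks that no file-table entry currently references."""
        referenced = {i for idxs in self.file_table.values() for i in idxs}
        free = [i for i in range(len(self.blocks)) if i not in referenced]
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        if len(chunks) > len(free):
            raise ValueError("device full")
        for i, chunk in zip(free, chunks):
            self.blocks[i] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.file_table[name] = free[:len(chunks)]

    def read_file(self, name: str) -> Optional[bytes]:
        """What the operating system shows the user: only files the table still points to."""
        if name not in self.file_table:
            return None
        return b"".join(self.blocks[i] for i in self.file_table[name]).rstrip(b"\0")


def pointer_reset(dev: ToyFlash) -> None:
    """The factory reset the article describes: drop the table, leave every block untouched."""
    dev.file_table.clear()


def overwrite_clear(dev: ToyFlash) -> None:
    """Overwrite-style sanitization: the table goes, and every block is rewritten."""
    dev.file_table.clear()
    for i in range(len(dev.blocks)):
        dev.blocks[i] = bytes(BLOCK_SIZE)


def carve(dev: ToyFlash, marker: bytes) -> List[int]:
    """Verification scan: ignore the file table and search raw blocks for a known plaintext
    marker. (Toy limitation: a marker straddling two blocks would not be found.)"""
    return [i for i, blk in enumerate(dev.blocks) if marker in blk]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _keystream(key: bytes, name: str, chunk_no: int) -> bytes:
    # Toy keystream: SHA-256(key || file name || chunk number). Illustration only; a real
    # device uses a hardware-backed AES key, never a construction like this.
    return hashlib.sha256(key + name.encode() + chunk_no.to_bytes(4, "big")).digest()[:BLOCK_SIZE]


class EncryptedFlash:
    """ToyFlash whose blocks only ever hold ciphertext under a per-device key, so deleting
    the key (cryptographic erase) leaves nothing readable behind."""

    def __init__(self, n_blocks: int) -> None:
        self.raw = ToyFlash.blank(n_blocks)
        self.key: Optional[bytes] = secrets.token_bytes(32)  # created when the device is set up

    def write_file(self, name: str, data: bytes) -> None:
        if self.key is None:
            raise RuntimeError("device key erased")
        chunks = [data[i:i + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\0")
                  for i in range(0, len(data), BLOCK_SIZE)]
        ciphertext = b"".join(_xor(c, _keystream(self.key, name, j)) for j, c in enumerate(chunks))
        self.raw.write_file(name, ciphertext)

    def read_file(self, name: str) -> Optional[bytes]:
        if self.key is None or name not in self.raw.file_table:
            return None
        plain = b"".join(_xor(self.raw.blocks[i], _keystream(self.key, name, j))
                         for j, i in enumerate(self.raw.file_table[name]))
        return plain.rstrip(b"\0")

    def crypto_erase(self) -> None:
        self.raw.file_table.clear()
        self.key = None  # the ciphertext stays on the blocks, but nothing can decrypt it


def demo() -> Dict[str, Tuple[Optional[bytes], List[int]]]:
    """Run the three approaches on identical constructed content and report, per approach,
    what the OS can still read and which raw blocks a recovery scan still finds the secret in."""
    marker = b"ACCT-4711"                                       # constructed sample identifier
    secret = b"Payroll export: ACCT-4711 balance 12,345.67"     # constructed sample record
    results = {}

    plain = ToyFlash.blank(8)
    plain.write_file("payroll.csv", secret)
    pointer_reset(plain)
    results["factory_reset"] = (plain.read_file("payroll.csv"), carve(plain, marker))

    wiped = ToyFlash.blank(8)
    wiped.write_file("payroll.csv", secret)
    overwrite_clear(wiped)
    results["overwrite"] = (wiped.read_file("payroll.csv"), carve(wiped, marker))

    enc = EncryptedFlash(8)
    enc.write_file("payroll.csv", secret)
    enc.crypto_erase()
    results["crypto_erase"] = (enc.read_file("payroll.csv"), carve(enc.raw, marker))
    return results


if __name__ == "__main__":
    for method, (visible, found_in) in demo().items():
        print(f"{method:14s} OS sees: {visible!r:6}  scan finds marker in blocks: {found_in}")
```

In the factory-reset case the OS reports the file as gone, yet the verification scan still finds the account identifier sitting in block 1; only the overwrite and the key deletion leave the scan empty-handed. The scan, not the OS view, is the check that belongs in a destruction audit.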
Whether you’re an individual protecting personal data or an organization safeguarding proprietary or regulated information, certified mobile data erasure is the only reliable choice.

Securis offers professional mobile data erasure services at our NAID AAA-rated facilities. We’ve tested and vetted the top four software vendors, so you don’t have to guess what’s safe.


Physical Destruction: For When Erasure Isn’t Enough

When dealing with highly sensitive or classified data—like information created by federal agencies—a more aggressive method is required: NIST 800-88 Destroy.

What It Involves:

  • Battery removal (to prevent fires)
  • Physical shredding or disintegration

Shredding destroys the phone’s components and storage, making data recovery impossible. However, it also prevents the device from being reused or resold. That’s why it’s best reserved for high-risk cases. At Securis, phones are not just shredded; they are disintegrated into pulp, ensuring nothing remains. Work with a certified R2v3 electronics recycler like Securis to reduce environmental impact.

Final Thoughts

As smartphones become even more central to our lives, so do the risks of mishandling their data. A factory reset isn’t enough. If you’re serious about protecting sensitive personal or professional information, don’t cut corners. Choose certified data erasure or physical destruction.

Need Help Disposing of Mobile Devices Securely?

Securis offers compliant, certified, and environmentally responsible smartphone data destruction. Contact us today to schedule a secure pickup or learn more.

Research for this article:

1) Privacy for Sale: A Study on Data Security in Used Mobile Devices & Hard Drives. Blancco Technology Group and Kroll Ontrack, October 2015.

Frequently Asked Questions About Smartphone Data

Does a factory reset completely wipe my smartphone?

No. It removes your access but often leaves the actual data intact and recoverable.

Can someone recover my data after I sell or donate my phone?

Possibly, unless you’ve used certified mobile data erasure software or physically destroyed the device.

What’s the safest way to remove all data from a smartphone?

Use mobile erasure software that is compliant with NIST 800-88 standards or opt for certified physical shredding.

Is Apple more secure than Android after a reset?

Generally, yes. Apple uses stronger hardware encryption. Android’s vulnerabilities vary by device.

What is NIST 800-88?

A government-backed standard for secure data deletion through overwriting, purging, or destroying storage media.