The Relevance of the Sarbanes-Oxley Act to Data Destruction

The Sarbanes-Oxley Act of 2002 (SOX), primarily known for its stringent financial reporting and corporate governance regulations, also has significant implications for corporate data management practices. One of the often overlooked aspects of SOX is its relevance to data destruction, a crucial component in maintaining compliance with data integrity and security standards. Here, we highlight some best practices for SOX compliance, especially regarding end-of-life electronics, ensuring companies protect and dispose of sensitive information appropriately.

Understanding the Sarbanes-Oxley Act

SOX was enacted in response to major corporate scandals like Enron and WorldCom to increase transparency in financial reporting and hold companies accountable for their financial practices. Key provisions include:

  • Enhanced financial disclosures
  • Increased corporate responsibility
  • Stricter penalties for fraudulent financial activity
  • Enhanced internal controls and audit requirements

Data Destruction and SOX Compliance

While SOX does not explicitly mandate data destruction, its requirements for record retention and internal controls imply a structured approach to handling and disposing of data, especially financial records. Here’s how SOX influences data destruction:

1. Record Retention Requirements

Document Management

SOX Section 802 sets stringent guidelines on the retention of financial records. Companies are required to maintain accurate and detailed records for a specified period. These guidelines require a clear policy for the retention and eventual destruction of records once they are no longer needed. The destruction of records must be managed carefully to ensure compliance with these retention schedules.

2. Internal Controls and Procedures

SOX Sections 302 and 404 require companies to establish robust internal controls to ensure the integrity of financial reporting. This includes controls over how data is archived and destroyed. Adequate internal controls should address the following:

  • Identification of data that needs to be retained
  • Secure storage methods
  • Proper authorization for data destruction
  • Documentation of the destruction process

Failure to properly manage data destruction could result in loss of critical records, leading to non-compliance and potential penalties.

3. Preventing Fraud and Data Tampering

The prevention of fraud and data tampering is a core objective of SOX. Inadequate data destruction practices can leave sensitive financial data vulnerable to unauthorized access or tampering. By implementing secure data destruction policies, companies can protect against data breaches and ensure that obsolete records are permanently destroyed, thereby upholding the integrity of their financial reporting. Partnering with an experienced data destruction provider adds another layer of protection to that process. Securis recently completed an on-site shredding job for a financial services company. The company told us that all hard drives had been removed and that we could recycle the eight server cabinets. On inspection, we found 86 drives (72 SSDs and 14 hard drives). We shredded all 86, saving the company from what could have been an expensive breach. Those 86 missed drives represented 15% of the total drives destroyed.

Best Practices for Data Destruction Under SOX

To align data destruction practices with SOX requirements, companies should consider the following best practices:

1. Develop a Comprehensive Data Retention and Destruction Policy

Create a clear policy that outlines the following:

  • Retention periods for different types of records
  • Procedures for secure destruction of paper and electronic records
  • Roles and responsibilities for managing the process

2. Implement Secure Destruction Methods

Ensure that data is destroyed using methods that make it unrecoverable. This includes:

  • Shredding for physical documents
  • Degaussing or overwriting for magnetic media
  • Wiping, shredding, or disintegration of electronic storage media

3. Audit and Monitor Compliance

Regularly audit data destruction processes to ensure compliance with SOX and internal policies. Monitoring should include:

  • Verification of destruction methods
  • Documentation of destruction activities, including a certificate of destruction 
  • Regular reviews of policies and procedures

4. Employee Training and Awareness

Educate employees on the importance of data destruction and their role in ensuring compliance. Training programs should cover:

  • Legal requirements for data storage and disposal
  • Company policies and procedures for data storage and disposal

Securis' hard drive shredder

Securis provides solutions for wiping, shredding and disintegration of electronic data.

Conclusion

The Sarbanes-Oxley Act’s impact on data destruction is a critical but often underappreciated aspect of compliance. By understanding and implementing effective data destruction practices, companies can meet SOX requirements and strengthen their overall data security posture. Ensuring that obsolete data is properly destroyed protects against potential fraud, data breaches, and non-compliance penalties, ultimately contributing to a company’s integrity and trustworthiness. Partnering with a secure and certified data destruction and IT recycling partner like Securis can help ensure your compliance with SOX and many other compliance standards.

If you’re ready to responsibly dispose of your company’s IT assets, contact Securis today. We’re here to help you protect your data, the environment, and your bottom line.

Is Your Smartphone Data Safe after a Factory Reset?

Smartphones have become indispensable in our daily lives, revolutionizing how we communicate, work, and navigate the world. They allow us to stay connected with loved ones through calls, messages, and social media; access information instantly, from news to directions; manage our schedules and boost productivity; capture and share life’s moments through photos and videos; entertain ourselves with games, movies, and music; and even monitor our health and fitness goals. According to a survey from Reviews.org, Americans check their phones an average of 144 times a day and spend four hours and 25 minutes daily on their phones. It’s safe to say these devices are firmly entrenched in our lives. Yet we don’t think much about what happens to the data on these phones when we upgrade. Does a factory reset erase all of our data, as we assume it does? Read on to find out.

The Upgrade Cycle

Because mobile devices have become such an essential part of most people’s lives, they will likely be upgraded frequently as technology advances and new features are added. What happens to the millions of phones that are no longer wanted? Sometimes they are traded in for credit towards a new device, and those devices are then sold on the secondary market. Sometimes they get passed on to friends or relatives. We do this after performing a factory reset that we believe wipes all data from the phone, but that belief is mistaken: a factory reset can still leave us vulnerable. For organizations, failing to properly eliminate data from company mobile devices can result in severe financial and reputational consequences.

The Limitations of Factory Reset

Many users believe performing a factory reset is sufficient to protect their data when disposing of an old smartphone. However, this common misconception can lead to significant privacy and security risks. Most people don’t know that a factory reset only removes the pointers to data, not the data itself. The device may appear on the surface to be new and clean. However, skilled individuals can still recover “deleted” information remaining in the device’s internal storage and on external secure digital (SD) cards using specialized software. In a 2015 study, Blancco Technology Group and Kroll Ontrack purchased over 120 second-hand drives and mobile devices from Amazon, eBay, and Gazelle to determine whether residual data could be recovered after they were resold. Of the mobile devices studied, 35% had residual data. So the sensitive and personal data you think you responsibly removed may remain accessible to future device owners. This vulnerability highlights the need for more robust data protection measures when upgrading or disposing of your smartphone, especially when these devices contain private company information.

Factory reset has limitations

“People think their data’s been destroyed, and really all you’re doing [with a factory reset] is removing the table of contents. The rest of the chapters of the book are sitting there waiting to be discovered.”   — Pat Clawson, CEO, Blancco Technology Group

Security Limitations by OS

Apple iOS: The safest option. Apple uses sophisticated encryption to render any data left on the device after a factory reset unreadable.

Android:  Android continues to experience significant security limitations. Most recently, media reports indicate hackers have used brute force attacks to break into tens of millions of Android devices thanks to a series of security issues linked to Android kernel flaws and Qualcomm processors. Unlike iOS, Qualcomm-powered devices store the encryption key in software, which leaves them vulnerable. Once a hacker has the key, all data can be unlocked.

Mobile Data Erasure: A Secure Alternative

Mobile data erasure presents a superior solution for those seeking a more secure option to protect sensitive information. With Mobile Phone Data Erasure, all data – both personal and corporate – is overwritten, erased, overwritten again, and certified as unrecoverable to anyone else.

Benefits of Mobile Data Erasure:

  • Overwrites all data on the device, making recovery virtually impossible
  • Complies with various data protection regulations
  • Provides certification of erasure for peace of mind
  • Can be performed remotely or on-site

Safe erasure of mobile phone data

Organizations can use mobile data erasure techniques to ensure that their employees’ personal information, financial data, and other sensitive content on their mobile phones are irrecoverable. Securis offers mobile data erasure services that can be performed onsite at your offices or our NAID AAA-rated facilities. 
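The difference between "removing the table of contents" (the pointer-only reset described above) and overwrite-based erasure is easy to see on a toy storage model. The following Python block is an added illustration, not Securis tooling and not the storage layout of any real phone or operating system: it models flash as fixed-size blocks plus a directory, implements a pointer-only reset and an overwrite-then-zero erase, and includes the two checks an auditor would want, a crude carve of the raw image for known content and a verification that every block is zero. The class and function names, the block size and the sample file contents are all constructed for the example.

```python
"""Toy model of why a pointer-only 'factory reset' leaves file contents
recoverable, and why overwrite-based erasure does not.
Added illustration only; the storage layout is invented, not a real device's."""
import secrets

BLOCK_SIZE = 16  # constructed; real flash pages are far larger


class ToyFlash:
    """A flat array of fixed-size blocks plus a directory (the 'table of
    contents') mapping each file name to its size and the blocks holding it."""

    def __init__(self, num_blocks: int = 64) -> None:
        self.blocks = [bytes(BLOCK_SIZE) for _ in range(num_blocks)]
        self.directory: dict[str, tuple[int, list[int]]] = {}

    def _free_blocks(self) -> list[int]:
        used = {b for _, blocks in self.directory.values() for b in blocks}
        return [i for i in range(len(self.blocks)) if i not in used]

    def write_file(self, name: str, data: bytes) -> None:
        chunks = [data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)]
        free = self._free_blocks()
        if len(chunks) > len(free):
            raise OSError("storage full")
        idxs = free[:len(chunks)]
        for idx, chunk in zip(idxs, chunks):
            self.blocks[idx] = chunk.ljust(BLOCK_SIZE, b"\x00")
        self.directory[name] = (len(data), idxs)

    def read_file(self, name: str) -> bytes:
        size, idxs = self.directory[name]
        return b"".join(self.blocks[i] for i in idxs)[:size]

    def list_files(self) -> list[str]:
        return sorted(self.directory)

    def factory_reset_pointers_only(self) -> None:
        """The behaviour the article warns about: the directory is dropped,
        but no data block is touched, so the bytes stay on the medium."""
        self.directory.clear()

    def secure_erase(self, passes: int = 2) -> None:
        """Overwrite every block with random bytes (`passes` times), then with
        zeros, and only then clear the directory. The content is gone
        regardless of whether the directory survives."""
        for _ in range(passes):
            self.blocks = [secrets.token_bytes(BLOCK_SIZE) for _ in self.blocks]
        self.blocks = [bytes(BLOCK_SIZE) for _ in self.blocks]
        self.directory.clear()

    def raw_image(self) -> bytes:
        """What a forensic tool sees: the whole medium, directory ignored."""
        return b"".join(self.blocks)


def carve(image: bytes, needle: bytes) -> bool:
    """Crude stand-in for recovery software: is the known content still
    present anywhere in the raw image, pointers or not?"""
    return needle in image


def verify_erased(device: ToyFlash) -> bool:
    """Verification step for the destruction record: every block is zero."""
    return all(block == bytes(BLOCK_SIZE) for block in device.blocks)


if __name__ == "__main__":
    dev = ToyFlash()
    secret = b"ACME Q3 revenue forecast: CONFIDENTIAL"  # constructed sample
    dev.write_file("notes.txt", secret)
    dev.factory_reset_pointers_only()
    print("files after reset:", dev.list_files())
    print("secret carved from raw image:", carve(dev.raw_image(), b"CONFIDENTIAL"))
    dev.secure_erase()
    print("secret carved after erase:", carve(dev.raw_image(), b"CONFIDENTIAL"))
    print("medium verified zero:", verify_erased(dev))
```

The point of `verify_erased` is that a certificate of erasure should rest on an independent read-back of the medium, not on the erase routine's own report of success; the carve check shows why a device that "looks empty" to its file listing is not evidence of anything.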

In conclusion, as smartphones continue to play an increasingly vital role in our lives, it’s essential to consider the security implications of upgrading or disposing of these devices. While factory resets may seem sufficient, they leave users vulnerable to potential data breaches. By opting for more secure methods like mobile data erasure, we can enjoy the benefits of smartphone technology while protecting our privacy and security in the digital age.

Research for this article:
1) Blancco Technology Group and Kroll Ontrack, “Privacy for Sale: A Study on Data Security in Used Mobile Devices & Hard Drives,” October 2015.