The work performed by data center decommissioning companies is critical. In a world driven by data, the question of how data-bearing hardware is securely disposed of is enough to keep CIOs awake at night.

So when federal authorities slapped a $60 million fine on Morgan Stanley last year for failures in its data center decommissioning processes dating back to 2016, industry leaders paid attention. The ruling served as a timely (albeit expensive) reminder of the rigor required in protecting customer data. 

It’s clear the relationship between data center operators and data center decommissioning companies demands close management. But what does this mean in practice? Here are four lessons to draw from the penalty issued to the banking giant:

1. The Ultimate Responsibility for Data Oversight Is Yours 

According to the Office of the Comptroller of the Currency’s consent order, Morgan Stanley failed to exercise proper oversight of the decommissioning of two of its U.S. data centers.

The bank failed to sufficiently vet and monitor third party vendors, including subcontractors. It also failed to maintain an appropriate inventory of customer data stored on the decommissioned devices, the ruling asserted. 

In 2016, Morgan Stanley closed two data centers and decommissioned the computer equipment in both locations. As is customary, we contracted with a vendor to remove the data from the devices. We subsequently learned that certain devices believed to have been wiped of all information still contained some unencrypted data.  

– Morgan Stanley letter to potentially affected customers

As a data center operator and custodian of personally identifiable information (PII), the ultimate responsibility for customer data sits with you.

This is why the companies you hire to assist with decommissioning work must be thoroughly vetted. You cannot hide behind shortcomings in your contractor’s work. 

Action Points for Mitigating Risk

  • Adequately assess the risk of using third party vendors. Are your vendor contracts clear on the use of subcontractors?
  • Ensure due diligence in selecting third party vendors. How do you assess for relevant certifications and experience?
  • Agree with your vendors on a framework for performance monitoring. 
  • Maintain a robust inventory of the types of customer data stored across devices.

2. Build a Solid Framework for Data Management

For most businesses nowadays, data is the lifeblood. This is almost certainly true for your company, too.

Commit to the strongest possible practices around data management. This includes how you manage the decommissioning and disposal of the data center equipment you no longer need. Most firms don’t have sufficient expertise to do all the decommissioning work themselves. 

In your data management framework, take care to specify: 

  • in what circumstances you might seek third party support for the decommissioning of your data centers
  • your process for selecting qualified decommissioning vendors and undertaking due diligence
  • core standards for supervising your vendors as they perform the work
  • your procedures for internal oversight

Morgan Stanley’s failures in this case don’t mean decommissioning work shouldn’t be outsourced.

What it does mean is that your organization must include clear direction around 1) the handling of data-bearing hardware, and 2) the hiring and supervision of data center decommissioning companies in its data management policy.

“There is no statute of limitations or safe harbor for improperly discarded IT assets. The equipment at Morgan Stanley was discarded four years ago. If a hard drive turns up five or ten years down the road with personal information on it, it is still a data breach plain and simple.”

– NAID / i-sigma boss Bob Johnson

3. Cultivate a Culture that Prioritizes Data Security

Your policies are only as good as the culture that sustains them.

Develop a strong culture around data security. This culture should permeate all aspects of your operation, from staffing and software to physical premises and hardware. 

As with any culture, its development starts at the top. While the responsibility in larger firms rolls up to the management board, mid-sized companies and start-ups must also embrace core principles of data security at the highest level.

As for Morgan Stanley, it was later claimed that far from properly vetting an ITAD firm, the financial giant didn’t even use one!

Lawyers allege that decommissioning was instead outsourced to a local moving company with minimal ITAD experience. They also claim that a vice president in charge of overseeing the delegation of decommissioning responsibilities for Morgan Stanley was terminated after the incident came to light. 

The lesson to draw from this development is the importance of internal oversight. It’s not enough to thoroughly vet an ITAD firm; you also need internal transparency in order to double-check, even at high levels, that proper decisions are being made.

Ultimately, data center decommissioning is not a place to cut costs. By outsourcing responsibilities without sufficient due diligence, Morgan Stanley saved around $100,000, only to be hit with a $60 million fine.

4. No Business Sector is Exempt from Data Protection Requirements

It doesn’t matter whether you’re on the cutting edge of fintech, running a B2B e-commerce operation, or offering video streaming and adtech services; data protection regulation cuts across sectors. Pizza chains and florists are as dependent on customer data nowadays as they are on fresh dough and flowers.

Consider the European Union’s General Data Protection Regulation (GDPR), which requires tight standards for any organization holding the data of individuals in the EU, wherever that company operates in the world. Or the California Consumer Privacy Act, which is widely seen as the first step toward a more comprehensive approach to data privacy in the United States.

In Morgan Stanley’s case, it was ruled to be “engaging in unsafe or unsound practices relating to information security and noncompliance under 12 C.F.R. Part 30.”

Bottom line: it doesn’t matter what sector you operate in, where you’re headquartered, or to what degree you contract out the work. The protection of your customer data ultimately remains your responsibility—and that extends to the practice of decommissioning data centers. 

Manage Your Risk

Working with data center decommissioning companies shouldn’t be unduly burdensome. A good data center decommissioning company will help securely solve your problems and save you a headache.

Invest time in the vetting process. Identify firms that 

  1. offer flexible solutions for the needs of your data center environment
  2. confidently demonstrate knowledge of your regulatory framework
  3. display a deep commitment to compliance and adherence to process

Once you find the right partner, you’ll be in good hands.

Horizon Technology is a trusted leader in data center decommissioning services, committed to the highest levels of security throughout. Contact us to discuss how we can help.