Companies that have disposed of e-waste and IT hardware carelessly now face penalties
Once a distant concern to most, the POPI Act is now on our doorstep. Your company’s old IT hardware that you once just disposed of, sold or donated is now one of the easiest ways to land you in trouble.
Clayton Heldsinger, MD of Dispose-IT, provides some advice for companies disposing of these items. Dispose-IT is a specialist IT asset disposal business that has for years been assisting US and European clients in South Africa to comply with their local data protection laws – some of the most stringent in the world – and to provide an auditable trail.
The old computers, laptops, printers and electronic waste you discard, sell or donate have hard drives which contain data – often sensitive personal and company information.
In terms of South Africa’s new POPI Act, negligent loss of this information will expose your company and directors to possible fines, penalties, reputational damage and jail time.
“These old devices often sit around in your storeroom for months or even years before being discarded. Many assume that because they are old, they are no longer important. Not so,” says Heldsinger.
Customer databases, financial records, employee HR and health records and even passwords saved on these devices are a treasure trove for unscrupulous hackers.
“The responsibility lies on you to ensure this data is removed or the hard drives destroyed – and you want to keep record of this. Formatting a hard drive to remove data is not enough,” says Heldsinger. “Using recovery tools available free on the Internet, data can be easily recovered from a formatted drive.”
To be safe, data should be removed or ‘wiped’ from hard drives using software that ensures that any data is irrecoverable. Policies and procedures as well as record-keeping should be put in place.
In principle, wiping a hard drive is an easy concept. In practice, it is a far bigger undertaking than it seems, especially when faced with large quantities of distributed devices, some of which are no longer working. With limited resources and space, this could take months and come at great expense.
To add to the challenge, many companies are currently vacating or moving premises to accommodate COVID-19 changes or work-from-home. During these moves, a lot of old hardware and e-waste is discarded, sold or relocated.
If you need to dispose of e-waste or even working computers, Dispose-IT can assist you with specialised services to eliminate the data risk and recover value.
Don’t sit on it; the longer your e-waste and old devices lie in storerooms, the greater the risk of loss.
Here are some tips to consider:
- Wipe all hard drives and other storage media in line with the internationally accepted NIST SP 800-88 Guidelines for Media Sanitization.
- Set up a secure dedicated data erasure area.
- Keep certificates of data erasure for compliance.
- In South Africa, the risk of theft or loss of computers is high. Avoid moving any devices containing sensitive data before either wiping or destroying the drives.
- Always transport devices containing storage securely.
- Despite all your best efforts, drives can get misplaced or stolen. Consider additional software-based security or encryption methods to keep sensitive data safe.
- Crush or shred any storage devices that do not work or that fail to erase.
- Old devices contain old software, often easy for hackers to crack! Old data is still sensitive. Do a company-wide search through drawers, filing cabinets and stores and gather any old data-bearing devices (including USB sticks). Process them or dispose of them compliantly.
- If you don’t have the facilities, expertise, time or capacity, consider contracting a specialist data destruction company to help you with your processing or strategy.
Feel free to contact Clayton or his team on firstname.lastname@example.org.
Dispose-IT Sales, (0101) 400 888