Disposed data, whether on paper or digital devices, leaves your secure environment and is no longer subject to any of your safeguards. It is a gold mine for identity thieves. That is why the GLB act requires businesses to securely dispose of customer data.
For physical (paper) copies, it is obvious that all sensitive paperwork should be shredded.
Maintaining a local shredder is an option, though often too slow for the volume of shredding required. A more practical solution is to collect paperwork to shred in a secure bin that allows anyone to drop in papers but controls access for removing papers from it. This bin should itself be secured (e.g. with a cable lock) to the building. Periodically, the bin is emptied by a collection service provided by a secure shredding vendor.
If your shredding volume is not high enough to warrant a scheduled collection service, you or your staff may take the paperwork to a shredding facility. Many office supply stores offer shredding services.
For digital data, deleting a file does not remove it from the hard disk or other storage media (except in case of certain SSD drives on specific operating systems). It simply marks the storage area as available to store new files. Free software tools can be used to recover data that was previously deleted, even from files that were written over with new files.
So if you are disposing off an old computer or storage media, you have two options:
Data destruction services: Many PC recycle facilities offer data destruction (a.k.a. disk shredding) services, and can even give you a certificate stating that the disks or storage media you submitted have been destroyed in a manner that does not allow recovering any data. The service is not free.
Disk Wipe: If the computer is still working, and you are willing to spend the time, install a free disk wipe software such as DiskWipe, Eraser, or paid ones such as Active @ KillDisk and Shreddit. Then use that software to erase all data on the computer's hard disk. These software programs follow standard processes to write dummy data on all of the disk space multiple times, to make your confidential data unreadable. This is a good option if you are re-purposing the PC for other uses.
Your phones may have sensitive data even if you do not explicitly store data files on it, such as:
- emails or text messages stored in your inbox or sent folders,
- documents opened from a secure website or document portal, left open in your mobile device web browser,
- a picture taken at a client meeting with whiteboard notes, or
- voicemail left by a client containing sensitive information
Whenever disposing off a mobile device, do not simply give it away or drop it in a phone recycle bin. Use a data destruction service. They will shred the device physically.
If the device is lost, you can use the remote wipe feature available on iPhone (as described here) and Android (see here). This assumes that you had set up the device correctly to begin with, as we covered in digital safeguards for devices.
WARNING: Remote wipe only happens when the device is turned on and connected to the network. If you had not setup device encryption, data can still be read by someone in possession of the device without turning it on or by preventing it from connecting to the network (e.g. by removing the SIM). Hence it is important to both encrypt the device and enable remote wipe, as described in digital safeguards for devices.
If you stop using an online service, it is not sufficient to just log out and stop logging in again. The data from your past usage is still stored in your online account with that service provider.
At the very least, you should retrieve all necessary data and close the account. Closing an account typically does not delete it immediately. You may have to contact their support desk to find out when, if at all, closed accounts are deleted.
Some service providers keep the closed accounts for a long time, hoping their customer may return to re-activate the account. If that is the case, you may have to request deleting your data through their support channel. Different service providers may vary in terms of their data retention and disposal policies. So the best strategy is to find out what is best mitigation available and implement that.