Your hedge fund's information security plan likely includes details on where information is stored, how it is accessed and who it is accessible to. But a critical component of this security plan often overlooked is how and why data is destroyed when it is no longer needed. Including data destruction procedures in your hedge fund's Written Information Security Policy (WISP) or as a separate document is vital to ensuring your firm’s sensitive data and intellectual property does not fall into the hands of the wrong people. Unfortunately, in today’s technology-driven, cyber-aware environment, simply hitting the delete key is not enough.
There are a few different scenarios that may warrant secure data destruction maneuvers:
Changing service providers
Retiring a service/product
Your methods and policies for secure data destruction may vary according to the above scenarios, or they may be standard across the firm. Your hedge fund should also consider if there are any regulatory implications. Do you need to maintain/archive data for a prescribed period of time in order to comply with state, federal or other compliance or auditing standards?
In any case, you’ll want to consider a variety of methods in the beginning to ensure your firm’s confidential data (e.g. investment portfolio, investor contact information, etc.) is securely destroyed, preventing unwanted breaches or thefts. Consider the following as you evaluate what makes sense for your firm:
Physical Destruction: Disk shredding, crushing or melting are common techniques. This method can be effective for a hedge fund's on-premise equipment, however, does not necessarily apply when using the cloud – as in most cases, firms are leveraging physical equipment owned by the cloud services provider. Paper shredding is the most common method of destruction for hardcopy documentation.
Encryption: If you choose not to destroy data through any particular means, you can take steps to ensure, if it is obtained by any unauthorized parties, it cannot be accessed or at least easily understood without the proper encryption key.
Degaussing: This is “the process of decreasing or eliminating a remnant magnetic field.” Degaussing is often the preferred method for firms looking to purge highly sensitive data, as it does not leave open even the remote possibility of recovery. The equipment storing the data, however, becomes collateral damage with this method, as it will be destroyed right along with the information.
Overwriting: In many cases, firms choose to overwrite old data with new information, making it difficult, at best, to locate or recover.
With the emergence of cloud services, concern has grown over data destruction methods and the level of destruction firms employ to eliminate data. Whether you are ending a relationship with a cloud services provider altogether or migrating your information to another platform, ensure there are written contracts in place to protect your data throughout the process. The vendor you are severing your relationship with should also provide a certificate of destruction to validate that any company data or information is no longer accessible to them.
Also, don’t forget about mobile devices. Many firms now employ BYOD programs, which give employees the option of using their personal smartphones and devices to run corporate software and email. As a firm, be sure you’re including mobile devices in your data destruction policies and are clear with employees on what happens to their data and devices in the event they leave the company. Many employers require users to sign contracts giving the firm permission to remotely wipe devices if employees are terminated or sensitive company data needs to be moved or transferred elsewhere.
As a final thought, we encourage firms to think through the risks of undestroyed data as they are developing and modifying their information security and data destruction policies. With cyber hackers seemingly everywhere and disgruntled employees bound to emerge, it is critical hedge funds take all measures to ensure sensitive company and employee data is protected while needed and eliminated when not.
Read on to learn more about best practices for information security: