Introduction 

Data protection will not look the same in ten years. For Financial institutions, the demand for online services, constant account access, faster transactions, and personalized financial tools continues to increase the amount of sensitive data institutions are required to collect and protect. Even more so, trends such as Digitalization have affected the way customers primarily access their bank accounts, and has led to the closure of more than 2,500 branches across the U.S. in 2023. Amid these changes, financial institutions are forced to adjust to new market trends while protecting their customers’ data. 

In the last couple of years, financial institutions have revamped their services through AI-powered financial tools, online investing, and more. Due to these new features, the amount of sensitive data stored has significantly increased. These institutions approach data-protection by implementing strict security measures and policies to safeguard personally identifiable information (PII) such as Social Security numbers, government-issued ID numbers, and financial statements. Moreover, due to newer features in online banking such as face recognition login capabilities, biometric data is now an added concern. 

According to the American Banking Association (ABA), 71% of consumers prefer to manage their bank accounts through a mobile app or a computer. The research from the American Bank also shows that in 2023: 

• 97% of consumers have rated online services as excellent, very good, or good. 
• 48% of consumers use mobile banking as their primary choice of account access. 

Despite the positive reaction of the industry and high rates of satisfaction, not everything is sunshine and rainbows for financial institutions. One of the biggest struggles for these businesses is the proper decommissioning of large amounts of sensitive PII and the cost involved with it. Such was the case for Morgan Stanley in 2022 when they failed to protect sensitive PII of 15 million customers, resulting in a legal settlement with the US Securities and Exchanges Commission (SEC) that would fine the banking institution $35 million. 

Major Financial Institution Invested in Cyber Resilience and ITAD-Certified Partnership 

For a Fortune 1000 company, protecting their customer’s information while efficiently investing in data security-related services can be complex. This financial institution has over 5,000 employees and needed to decommission more than 25,000 devices containing sensitive information.  

Managing a project of this magnitude can take a massive amount of internal resources and can keep an IT department from providing much needed internal support to sustain day-to-day operations. On the other hand, due to the experiences of other institutions in the industry, the legal costs of a poor ITAD partnership are also well known. Consequently, this company decided that it was in its best interest to consider a reliable and experienced IT Asset Disposition company to handle such a responsibility.  

In the early stages of the project, this company stated that their priorities were:  

• Secure transportation 
• Constant tracking 
• Easy-to-access data sanitization records  

The first obstacle of this project was heavily related to transportation. This business has more than a thousand locations across the U.S., requiring secure vehicles to travel across 19 different states. Similarly, the project and security measures established by the company did not allow the use of a third-party service for transportation, a requirement acknowledged at the beginning of the project. 

The second obstacle would be the constant monitoring of the devices from the firm’s property to the ITAD facility. This requirement served to guarantee that no equipment was lost during transportation and that every device leaving their property could be easily traced until fully decommissioned. 

Efficient reporting was also a need for this project, the selected vendor needed to be proficient in providing accurate reporting on demand of all devices wiped or destroyed; they needed access to a reliable database that can account for the status of their devices and assure that all devices were properly decommissioned.  

CDR Global Accepts The Project 

Across several meetings, one of the early proposals to provide secure transportation while reducing costs for the institution was to concentrate these devices at the institution’s headquarters. CDR Global aided by guiding and providing the company with instructions, packaging materials, and return labels so that all satellite offices could send the equipment to be decommissioned back to Headquarters. From there, CDR Global would provide a white glove pick-up service and transportation. This service included proper equipment handling and assigning a unique ID (UID) per device for monitoring. 

Once all the equipment was ready to be shipped and transported securely, the institution and CDR Global could track all vehicles through their GPS Satellite systems. This provided assurance and real-time information on all shipments. 

With our R2V3 certification, CDR Global was able to guarantee data would be sanitized in such a way that it would not be recoverable. Likewise, CDR Global, would provide a free detailed report and a certificate of Data Destruction for each drive that had been cleaned, and all of these records would be available through CDR Global’s customer portal. 

As Carter Lanzner, IT Director of CDR Global, explained regarding this project: “We have more than 20 years of experience in the ITAD industry, and Data security has been the main focus since CDR Global started. For this project, we were able to give assurance to our client that all data sanitization records and certificates will be saved from the moment we start working together”. He also added, “Another relevant factor for this specific project is that CDR Global has never had a data breach and we’ve been successfully working with other institutions in the financial sector”. 

Why Choosing the Right Partner Matters 

The demands on financial institutions continue to grow, and so does the need to protect customer PII. According to IBM, the average cost of a data breach for a financial institution in 2023 was $5.9 million.  

Considering these factors, cyber resilience has become a major concern in the industry. The concept of cyber resilience embraces preventing, dealing with and recovering from cyber security incidents. Below are some examples of the impact of data breaches on Financial Institutions:  

Morgan Stanley 

In 2022, the company agreed to pay a $35 million settlement due to the lack of protection of PII for approximately 15 million customers. According to the U.S. Securities and Exchange Commission (SEC), the company “failed to properly dispose of devices containing its customers’ PII. On multiple occasions, MSSB hired a moving and storage company with no experience or expertise in data destruction services to decommission thousands of hard drives and servers”. Read more about the case here.  

Capital One 

In 2019, the company determined that an outside individual gained unauthorized access to PII of customers who applied for a credit card, and current customers at that time. Approximately 100 million individuals in the U.S. were impacted by this cyberattack. Read more about the case here.  

From protecting, and transporting to destroying data, ITAD companies with the proper certifications and verified processes (like CDR Global) can enhance cyber resilience for institutions managing large amounts of PII.