Implications: The most obvious ramification of releasing proprietary corporate information is that it could assist competitors and other outside parties to identify potential customers, future products, and sensitive client correspondence. According to Special Agent David Mahon of the FBI’s Denver Cyber Crimes Division: “People just don’t seem to realize what a significant risk that is posed by the potential compromise of information security. I recently observed some IT equipment being removed from a Denver office building. When I asked the staff what they planned to do with the hard drives, they indicated that they would probably just send them to a landfill. Not only is this against the law in Colorado, the information on those drives could easily wind up in the wrong hands. The FBI has recovered data that has been linked to criminal activity by both organized crime organizations and groups that threaten homeland security.”
The inadvertent disclosure of sensitive data may also violate a number of recently enacted federal laws that are intended to protect information privacy. These laws include the Health Insurance Portability and Accountability Act (“HIPAA”), the Fair and Accurate Credit Transactions Act (“FACTA”), and the Gramm-Leach-Bliley Act (“GLB”). Violation of these laws can result in substantial criminal and civil penalties as well as significant negative publicity.
For example, in June of 2005 the FTC announced a consent judgment against BJ’s Wholesale Club based upon the inadvertent disclosure of thousands of customer credit and debit card numbers. In December of 2005 the FTC announced that it had entered into another consent judgment against retail shoe discounter DSW for failing to protect sensitive customer information. Both companies’ settlements imposed a number of onerous requirements – including obtaining biannual independent security audits for the next 20 years, and ongoing FTC oversight of their information security practices. In filings with the SEC, both BJ’s and DSW estimated their exposure relating to the security breaches to be in excess of $6.5 million.
In order to investigate the extent of the data security problem in Colorado, LifeSpan purchased 20 used hard drives from four different used computer dealers located both in the Denver area and online. Some of the vendors offered recycling services and all of the vendors advertised that the hard drives had been completely purged of all data. One retail operation even performed a Microsoft “format” as we waited to make our purchase. They represented that this procedure would eradicate any remaining data left on the drive. In fact, formatting a hard drive does not eliminate data.
- Credit Card numbers from point of sale logs
- Social Security Numbers from an employee accounting system
- Resumes and personnel files
- Customer lists
- Intellectual Property
- A corporate prototype database
- Complete Microsoft Outlook email & address files
Solutions: Data privacy controls for expired IT assets should be subject to a thorough cost-benefit analysis. Here are some initial questions to consider:
- Do internal or outsourced service providers have the necessary procedures and controls to check the efficacy of the data destruction processes from transportation to actual destruction? Is the process being audited by a third party? What kind of chain-of-custody procedures does the organization maintain? What type of photographic evidence is provided?
- What is the value of resale material vs. the potential costs of a breach of data security? The proceeds from reselling the equipment may not outweigh the value of ensuring privacy – hence some organizations prefer to recycle all of their end-of-life assets regardless of residual value.
- Should you perform all of your data destruction activities in-house? If so, you should either physically destroy the drives or use disk over-write software. Commercially available programs such as Kroll-Ontrack’s “Data Eraser” or LSoft’s “Active Kill Disk” fill the drives with “0’s.” Physical hard drive destruction equipment is commercially available from companies such as Shred-Tech or SEM.
- Could an outside organization provide an additional level of security for your internal data destruction process? If so, what physical destruction capabilities does the vendor have? In addition to software-based destruction, can they physically shred all media containing data? Does the outsourced vendor have your best interest in mind—i.e. are they motivated to provide the appropriate services to your firm or are they simply looking to profit from the resale of equipment? Lastly, is the vendor protected by errors and omissions insurance in the event that data is accidentally compromised?
- Educate their organizations on the importance of maintaining information privacy
- Develop and implement programs that mitigate risk
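One way to check the efficacy of a zero-fill overwrite, as asked in the questions above, is to read the drive image back and confirm that nothing but zeros remains. The script below is an added example, not part of the original article or of any product named in it; the block size, function names and the sample image (which uses a public test card number) are constructed for illustration.

```python
import io
import re

BLOCK = 4096  # read size in bytes; an assumption, not tied to any product

# Card-number-shaped digit runs (13-16 digits), confirmed with Luhn below.
PAN_RE = re.compile(rb"(?<!\d)\d{13,16}(?!\d)")


def luhn_ok(digits: bytes) -> bool:
    """Return True if the ASCII digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 48  # ASCII digit to integer
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def verify_zero_fill(stream, block=BLOCK):
    """Scan an image; return (offsets of non-zero blocks, card-like hit count)."""
    dirty, card_hits, offset = [], 0, 0
    while True:
        chunk = stream.read(block)
        if not chunk:
            break
        if chunk.count(0) != len(chunk):  # any non-zero byte fails the wipe check
            dirty.append(offset)
            card_hits += sum(luhn_ok(m.group()) for m in PAN_RE.finditer(chunk))
        offset += len(chunk)
    return dirty, card_hits


def build_image(wiped: bool) -> io.BytesIO:
    """Constructed 4-block sample image standing in for a drive."""
    img = bytearray(4 * BLOCK)
    if not wiped:
        # A format that only rewrites file-system metadata leaves content in place.
        record = b"POS LOG 2005-06-01 card=4111111111111111 amt=19.99\n"
        img[2 * BLOCK:2 * BLOCK + len(record)] = record
    return io.BytesIO(bytes(img))


if __name__ == "__main__":
    for label, wiped in (("formatted only", False), ("zero-filled", True)):
        dirty, hits = verify_zero_fill(build_image(wiped))
        print(f"{label}: non-zero blocks at {dirty}, {hits} card-like value(s)")
```

To audit a real asset, pass `verify_zero_fill` a raw image or device opened read-only in binary mode; any non-empty list of offsets means the overwrite did not complete.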