Something I’m planning to do this summer with my sons is to do some dumpster diving, with the advice of my police and security services company owner friends, to see just how much personal information is left out for just anyone walking by to pick up and use, or misuse. We’ll also see about any cell phones that were just dropped in the dumpster or trash can…
How do you dispose of your cell phones? At work, and at home? And what do you do with the papers that contain personally identifiable information (PII) and other sensitive information when you throw them away? Are you more diligent at work? Or at home?
With this in mind, here’s another section from the third article in my June issue of “IT Compliance in Realtime”…
—————————————–
Disposal of Cell Phones
It is easy to just toss your old cell phone in the trash when you no longer want to use it, donate it to a charity that gives cell phones to others, or even sell it on an online auction site to try to recoup some of what you paid for it. People who do this often do not take the time to remove the data stored on the phone, and the result can be embarrassment or even a privacy breach.
In 2003, a Blackberry was sold on eBay for $15.50. The buyer discovered that the Blackberry, which had belonged to a VP at Morgan Stanley, contained more than 200 internal company emails in addition to a database containing more than 1000 names, job titles, email addresses, and phone numbers (many of them home numbers) for Morgan Stanley executives worldwide. The VP who sold the Blackberry indicated he had assumed the data was erased when he removed the battery.
Your personnel need to know how to effectively remove data from cell phones, and must understand that simply removing the battery does not delete the data on them! Create a procedure for all your personnel to follow to ensure that cell phones containing PII are not disposed of in ways that will lead to a privacy breach. Communicate, periodically and using multiple methods, the disposal policies, procedures, and corporate-approved tools for the disposal of cell phones and other similar telecommunications devices.
Disposal of Paper Documents
As long as there has been paper, people have been throwing away their privacy, along with the privacy of many others. Unfortunately, things are not getting any better.
In October 2007, a man was going through the dumpster behind the Blockbuster video store in Sarasota, Florida and found boxes filled with membership forms and employment applications that included names, addresses, credit card numbers, and Social Security numbers. He told the store manager about it, and was very surprised and disappointed when he went back the next day and found even more of the same type of information in the same dumpster!
Your personnel must understand that ALL paper documents containing any type of PII, and other sensitive information, must be cross-shredded when thrown away.
Either provide personnel with cross-shredders in their areas or provide locked containers to put the papers into so that you can centrally cross-shred them. Effectively communicate to your personnel, on an ongoing basis, the disposal policies, procedures, and corporate-approved tools for the disposal of paper documents.
Quick Reference
Providing a quick reference for personnel is always an effective way to give them the knowledge necessary to make wise disposal decisions for all types of storage media you use within your organization. Consider creating a 5 × 8-inch (or similarly sized) reference card containing information similar to that in Table 1. Of course, change the information to be specific to your organization. Include a contact name, phone number, and/or email address for the person in Information Security to get in touch with.
[Download the full PDF to see Table 1: Approved disposal methods at Company X.]
—————————————–
And now on to July!
Tags: awareness and training, cell phone, data disposal, dumpster diving, Information Security, IT compliance, personal privacy, policies and procedures, privacy breach, privacy training, risk management, security training