I’ve been talking a lot lately about the need for business leaders to more effectively address the secure disposal of information, particularly personally identifiable information (PII). Why? Because it seems like more and more attention is being given to security technologies to protect day-to-day business. That attention is good and MUST be given, but often it seems to come at the expense of overlooking, or perhaps shrugging off, how to securely dispose of PII, systems, applications and hardware when they are no longer needed by the business. This has led to many information security incidents and privacy breaches.
I address the reasons why business leaders must give attention to information disposal in the second article of my May issue of IT Compliance in Realtime, “Business Leader Primer for Effective Information Disposal.”
Download a PDF version to get a much nicer-looking copy, the super-duper graphic I put into the article, plus the sidebar information and facts. Here is an unformatted version of the article…
…………………………..
Many organizations spend significant time and money on activities and tools to prevent technology-based security incidents (unauthorized network intrusions, malicious code, and so on). However, it seems controls are becoming increasingly sloppy when it comes to managing the disposal of computer hardware and media (including printed paper) that contain personal information. The number of reports concerned with the disposal of personally identifiable information (PII) is increasing. Many information security and privacy incidents have occurred through non-technical means: organizations simply and thoughtlessly throw away printed documents into publicly accessible trash bins or even put computers, USB drives, and sensitive documents out on the streets.
An interesting report from October 2006, created in conjunction with National Identity Fraud Prevention Week in the United Kingdom (UK), revealed that most businesses in the UK, and almost all their citizens, throw away documents containing personal information, such as account numbers, that can be used for crime and fraud because the documents were not shredded or otherwise irreversibly destroyed before disposal. The rate of such risky disposal practices had increased more than 20% from the findings in 2005.
[sidebar fact; see PDF]
Because of these alarming findings, an information Web site (http://www.stop-idfraud.co.uk/) was created to educate individuals and businesses about the risks of improper disposal and how to better dispose of sensitive information. The site is interesting, with a variety of facts, statistics, and recommendations. One fact I found particularly interesting was that “It takes 467 days to discover that you are a victim of identity fraud according to Experian.” Thus, organizations must be very careful in making public statements such as “There is no evidence that PII has been used for fraud” within even a few months of any kind of privacy breach, including when the breach was the result of improper disposal.
Know the Disposal Laws
The U.S. has the Fair and Accurate Credit Transactions Act (FACTA) Disposal Rule plus several other laws that include requirements for safeguards for proper disposal of PII. According to the U.S. Federal Trade Commission (FTC), the FACTA Disposal Rule “applies to people and both large and small organizations that use consumer reports, including: consumer reporting companies; lenders; insurers; employers; landlords; government agencies; mortgage brokers; car dealers; attorneys; private investigators; debt collectors; individuals who pull consumer reports on prospective home employees, such as nannies or contractors; and entities that maintain information in consumer reports as part of their role as a service provider to other organizations covered by the Rule.”
[sidebar fact; see PDF]
The provisions of the FACTA Disposal Rule require proper disposal of consumer information, and apply not only to credit reports but also to the information contained within credit reports. The FTC reported that when it comes to the proper disposal of information in consumer reports and records, organizations need to demonstrate due diligence to protect against “unauthorized access to or use of the information.” The FTC Disposal Rule enables companies to consider the sensitivity of the information, the costs and benefits of different disposal methods, and changes in technology before deciding, and documenting, what measures are reasonable.
FACTA is not the only rule requiring proper disposal of personal information. The Gramm-Leach-Bliley Act (GLBA) Safeguards Rule and the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Privacy Rule also require the proper disposal of personal information. In addition to these regulations, there is a wide range of state-level laws that have personal information disposal requirements.
Federal bank and credit union regulators, along with the Securities and Exchange Commission (SEC), have finalized their own disposal rules under Section 216 of FACTA, which are similar to the FACTA Disposal Rule. However, the FACTA rule covers a much wider range of industries and organizations than any previous regulation. In fact, many companies may not even be aware that FACTA applies to them. The National Association for Information Destruction (NAID) estimates that more than 10,000 U.S. businesses fall under the Disposal Rule. Considering the FTC’s description of the organizations to which the rule applies, I believe the number is probably much higher than the NAID estimate.
[sidebar fact; see PDF]
So how will the Disposal Rule be enforced? Will the FTC be lurking behind every building to catch companies throwing consumer information into their trash dumpster? Well, this is highly unlikely. However, the FTC can act on consumer complaints and news reports about consumer information breaches and “periodically do sweeps” of identified companies.
[sidebar fact; see PDF]
Similar disposal rules are also found, and are emerging, in other countries. For example, the UK has the Data Protection Act, which requires, among other safeguards, that confidential information must be securely disposed of. The British Standard for the secure destruction of confidential material, BS 8470:2006, applies to confidential information in all its forms and supports compliance with the Data Protection Act. It requires companies to dispose of confidential information by shredding or using disintegration. Confidential materials include such things as paper records, computer hard drives, CDs/DVDs, and even company uniforms.
Don’t Forget Employee Information
Don’t forget about your employees’ personal information; it must be destroyed properly under the FACTA Disposal Rule as well as under many other data protection laws worldwide. With the huge increase in the past decade of the number of employee investigations, criminal checks, and background checks performed, employers now possess more sensitive information about their employees than ever before.
It is important for organizations to make prudent use of the employee information they possess, and ensure that access to it is strictly controlled. Be sure to implement procedures to dispose of background and investigation reports properly to ensure that the information does not still exist electronically or on paper somewhere. You risk not only being in legal noncompliance but also putting your employees at risk of harassment, identity theft, and other fraud.
Employers should know not to put background, credit, and criminal check information into personnel files. Doing so is not a good idea in general; managers and other employees throughout the organization could potentially see the information and use it adversely against the employee. Doing so could also create quite a treasure trove of information for opposing counsel if the files are ever subpoenaed.
Disposal Options
Businesses must understand that all information has a life cycle, as represented in Figure 1. Controls must be built around every new retrieval or creation of information in addition to appropriate information classification, data and records retention, and then finally, when no longer needed, disposal of the information. Controls must exist throughout the entire life cycle. Unfortunately, the controls are often exceedingly lax, or even completely lacking, during the disposal stage within most organizations.
[Figure 1: The life cycle of organizational information management. See PDF]
Organizations should consider having external audits periodically performed to reveal where their disposal vulnerabilities exist. It is common for organizations to appropriately address one type of disposal, such as shredding papers, but then completely overlook removing data from hard drives, storage devices, cell phones, or other types of electronic storage.
Organizations can meet the terms of the FTC Disposal Rule by establishing and complying with policies and procedures that will prevent the unauthorized access to or use of consumer information. The FTC specifically lists the following as “reasonable” protective measures:
- Burn, pulverize, or shred papers containing consumer report information so that the information cannot be read or reconstructed.
- Destroy or erase electronic files or media containing consumer report information so that the information cannot be read or reconstructed.
- Conduct due diligence and hire a document destruction contractor to dispose of material specifically identified as consumer report information consistent with the Rule. Due diligence could include:
  - Reviewing an independent audit of a disposal company’s operations and/or its compliance with the Rule;
  - Obtaining information about the disposal company from several references;
  - Requiring that the disposal company be certified by a recognized trade association;
  - Reviewing and evaluating the disposal company’s information security policies or procedures.
[sidebar fact; see PDF]
Electronic information can be destroyed in many ways, some more reliable than others:
- Overwriting (also known as wiping): Successfully overwriting data is much more secure than merely deleting data, but overwritten data is still vulnerable to unauthorized recovery. Overwriting can be accomplished by various utility programs and commands that overwrite files and free space on disks using alternating patterns of binary digits or other types of characters. Overwriting is more effective with each overwriting pass. Some overwriting tools, such as those with PGP, default to multiple passes.
- Low-level formatting: This method overwrites data below the level of the operating system (OS) and is generally not as effective as overwriting with utility programs because it typically only overwrites once and with a single pattern; the more overwrites that can be done, the less likely it is that the data underneath can be recovered. Also, with low-level formatting, it may be possible for someone to subtract known patterns of 1s and 0s to get to the data underneath. Because of this weakness, multiple overwrites of data are recommended.
- Degaussing: Demagnetization of media, or degaussing, when done appropriately, is generally more effective and quicker than overwriting. Most degaussers use alternating current to create an electromagnetic field to erase electronic media in one or two passes through the most intense part of the field without ruining the medium. A disadvantage of degaussing is that corporate-sized degaussers are not very portable.
- Physical destruction: Thoroughly destroying the medium upon which data is stored is the most secure way of protecting the data. Burning is an option for destroying a small quantity of media, but it can produce toxic gases or waste products and may violate safety or air quality standards. Merely cutting media into a couple of pieces will typically not make it unusable; it can often be successfully put back together and read. Degaussing the media first, then cutting or shredding it into small pieces makes the data far more difficult to recover. Many other methods of physical destruction are available, but some, such as acid baths, can be dangerous.
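To make the overwriting option concrete, here is an added Python example (it is not code from the original article or its PDF, and the pattern schedule, file layout and record contents are constructed for illustration). It overwrites every byte of a file with two complementary bit patterns and then random data, forces each pass to the device with fsync, and afterwards verifies that a known fragment of the original record can no longer be read back from the file. The comments also record why this only addresses the file's own blocks, which is the reason the list above places degaussing and physical destruction ahead of overwriting for end-of-life media.

```python
"""Multi-pass file overwrite ("wiping") with verification.

Added example, not from the original article. Demonstrates the
overwrite-then-verify idea: each pass rewrites every byte of the file
with a different pattern, fsync pushes it to the device, and a final
read confirms the original content is gone from the file's blocks.
"""
import os
import secrets
import tempfile

# Constructed pattern schedule: two complementary bit patterns, then one
# pass of random bytes (None means cryptographically random data). This
# mirrors the "alternating patterns of binary digits" the article mentions.
DEFAULT_PATTERNS = (b"\x55", b"\xaa", None)
CHUNK = 1 << 16  # 64 KiB per write


def overwrite_file(path, patterns=DEFAULT_PATTERNS):
    """Overwrite every byte of `path` once per pattern; return the pass count.

    The file is opened read/write WITHOUT truncation so the existing
    blocks are rewritten. Truncating first could let the filesystem
    allocate fresh blocks and leave the old contents untouched.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as fh:
        for pattern in patterns:
            fh.seek(0)
            remaining = size
            while remaining > 0:
                n = min(CHUNK, remaining)
                fh.write(secrets.token_bytes(n) if pattern is None else pattern * n)
                remaining -= n
            fh.flush()
            os.fsync(fh.fileno())  # reach the device, not just the page cache
    return len(patterns)


def fragment_survives(path, fragment):
    """True if `fragment` can still be read from the file's logical contents."""
    with open(path, "rb") as fh:
        return fragment in fh.read()


def wipe_and_verify(path, fragment, patterns=DEFAULT_PATTERNS):
    """Overwrite `path`, then confirm `fragment` no longer appears in it.

    Returns (passes, verified). Caveat: this covers only the file's own
    blocks. Journaling, copy-on-write, snapshots, backups and SSD wear
    levelling can keep copies elsewhere, so for media leaving the
    organization the article's degaussing and physical destruction
    options remain the stronger choice.
    """
    passes = overwrite_file(path, patterns)
    return passes, not fragment_survives(path, fragment)


def run_demo():
    """Create a constructed record file, wipe it, and report the outcome."""
    # Constructed, fictitious record; no real person or account.
    record = b"name=Jane Example; acct=0000-0000-0000-1234; ssn=000-00-0000\n" * 200
    fd, path = tempfile.mkstemp(prefix="wipe-demo-")
    with os.fdopen(fd, "wb") as fh:
        fh.write(record)
    try:
        size_before = os.path.getsize(path)
        passes, verified = wipe_and_verify(path, b"acct=0000-0000-0000-1234")
        size_after = os.path.getsize(path)
    finally:
        os.remove(path)  # unlink only after the contents were overwritten
    return {"passes": passes, "verified": verified,
            "size_before": size_before, "size_after": size_after}


if __name__ == "__main__":
    print(run_demo())
```

The size check in `run_demo` matters: a wipe that changes the file length has probably truncated and reallocated rather than rewritten the original blocks, which is the exact failure the in-place `r+b` open is meant to avoid.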
[sidebar fact; see PDF]
If you decide to outsource disposal to a third-party company, make sure they will certify the documents and data have been destroyed in compliance with applicable laws and will indemnify your business from harm. Additionally, include within the contract that you have the right to audit the disposal company at any time to ensure that the material is being disposed of properly and that it is not being resold or otherwise misused instead of being destroyed. Look for information destruction vendors that are certified to be BS 8470 compliant. This compliance will confirm that they are transporting, storing, and destroying all types and forms of sensitive information according to the requirements of the Data Protection Act and other laws with disposal requirements.
Don’t Throw Your Company’s Reputation in the Dumpster
The multiple regulations and laws, in addition to recent personal information breach incidents, should serve as a wake-up call to organizations to ensure that they have appropriate policies and procedures in place to properly dispose of personal information when it is no longer needed. Not only does your company risk large fines and penalties from noncompliance with applicable regulations, but you also risk what is likely even greater organizational impact from the lost consumer confidence and the bad publicity that could result from just one personal information disposal incident.
Companies must address the issue of PII disposal. Your customers and/or employees may bring civil suits when their information is carelessly disposed of and subsequently used inappropriately or to commit fraud. The U.S. FTC may come after you if you do not take the proper actions to create a documented, fully implemented, auditable, and executive-supported disposal program. Providing effective awareness communications and ongoing training to your personnel and business partners about the proper way to dispose of your PII will help to lessen the chances that you will experience a privacy breach as a result of poor disposal practices.
…………………………..
Please let me know what you think!
Tags: awareness and training, BS 8470:2006, degauss, FACTA, HIPAA, information disposal, Information Security, IT compliance, National Identity Fraud Prevention Week, personally identifiable information, PII, policies and procedures, privacy, risk management, security awareness, security training