A couple of weeks ago I was doing a consulting call with a small startup business (that in a short span of time is already performing outsourced cloud processing for a number of really huge clients) about information security and privacy. They had implemented just the basic firewall and passwords, but otherwise had no policies, procedures, or documented program in place. I provided an overview of the need for information security and privacy controls to be in place throughout the entire information lifecycle—from creation and collection, to deletion and disposal. They were on board with everything I was describing until we got to information disposal.
Me: "How do you dispose of hardcopy information, and of your computing and storage equipment? You need to make sure you include consideration of the information, in all forms, of your clients."
Jo (at the small business): "We do the usual; toss the papers into the dumpsters, and whenever possible, we plan to also junk our old equipment that way. Our trash service said we would throw away anything that fits, so that will be very convenient for us. They do their own recycling of whatever they can at their warehouse."
Me: "Your dumpster out back, behind the office strip mall? How often is it emptied?"
Jo: "Yes, that's it. They come by once a week."
Me: "Do you shred the papers first? Or do anything to remove the data from the equipment?"
Jo: "No, we don't have the time or staff to do that. It's not necessary anyway. Because we're a cloud computing business, we don't have to worry about disposal; that's all taken care of by our clients at their own sites."
A very good additional hour of discussion followed about the risks involved with improper disposal of information in all forms. However, this is not the first time I've had an outsource provider indicate that information disposal was not part of their information security and privacy compliance program. And of the over 200 outsourcing contracts I've reviewed, most did not even cover disposal requirements within their typically scanty security clause.
Trash-based breaches are worse than ever
The oldest security and privacy problem, unsecure disposal of personal information, is as prevalent today as it was centuries ago. In fact, because of the rapidly growing amount of data (an IDC Digital Universe study determined that data is now doubling every two years) along with print information, there are even more ways in which disposal-related breaches are occurring. Here are just a few that have occurred recently:
- In Maine: Maine Veterans Hospital Investigating After Confidential Records Found In Dumpster.
- In Indiana: Personal documents that contained prescriptions for powerful pain medication and patient information were discovered in a dumpster, near an Indianapolis medical center.
- In Chicago: Lax document disposal leaves privacy in shreds.
- In Ohio: Powell, Ohio Hopes To Curb Dumpster Diving To Protect Residents' Personal Information (May 15, 2012).
- Phoenix: Passerby finds hundreds of documents with personal info in dumpster.
- In Canada: Canadian Privacy Commissioner troubled by poor computer disposal practices and lack of controls for wireless devices in government.
- In Australia: According to a recent study by the National Association for Information Destruction (NAID), 30% of organizations in Australia are unaware of their obligations when it comes to destroying personal information.
- In Singapore: A recent random purchase of disk drives from a Singapore-based online vendor revealed that all data remained on the supposedly sanitized drives. Although the disks were described as "wiped", they contained over 300 GB of private information, including emails, corporate databases and personal user information.
I could keep going for literally thousands of pages, finding reports in every country, state, and city.
So, what are some of the most common egregious information disposal dummy security and privacy mistakes?
- Donating print documents that have personal information on them to outside groups, like pre-schools and community groups, to use as scrap paper.
- Selling computers, smartphones, copiers, fax machines, and other computing devices, to recoup some of the investment, but not irreversibly removing the data prior to the sales.
- Putting digital storage devices in the trash without first irreversibly removing the data.
- Putting print documents containing personal information into unsecured dumpsters, and not shredding them.
- Never throwing away no-longer-needed hard copy and digital devices; letting them accumulate in storage areas, with inadequate or no security, allowing them to be taken by anyone who happens along.
Possibly the most unique disposal dummy situation I found was at a shooting range at a state nature reserve up the road from where I live. There were several CDs in the field where folks usually shoot skeet. I checked out the CDs that were missed and still intact to see if there was data on them, and someone had apparently brought their work CDs to use for target shooting. Quite a few files with thousands of individuals' names and addresses were on them. Lesson: Information disposal by skeet shooting is not secure (especially with bad shots).
Why it is important
The situation with increasing breaches caused by poor disposal activities is getting so bad that there are growing numbers of laws explicitly covering disposal, and bills are being proposed at the state and federal level.
The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA)) has been in effect since 2005. It has many very specific requirements that basically all types of businesses, of all sizes, that do most types of credit checks must follow when disposing of information in all forms.
The most recent example of a proposed bill covering the disposal of information is New Jersey Senate Bill 3159, which provides updated procedures for the disposal of State surplus computers and certain other electronic devices designated for redistribution, sale, or disposal, including mandates that each device must go through a certified data security process prior to recycling. The "certification requires that any hard drives residing on computers or devices be sanitized beyond the possibility of recovery if the equipment is intended for refurbishment, or that hard drives be destroyed through a range of approved physical means prior to reclaiming." More exist in other states, and you can expect more to be proposed.
Besides the fact that secure information disposal is now a legal requirement for basically all businesses of all sizes, it simply makes sense to dispose of information securely as an effective way to prevent privacy breaches. By having effective disposal policies, procedures, and supporting technologies in place, businesses demonstrate reasonable due diligence.
Disposal due diligence
All organizations, from the smallest to the largest, need to follow appropriate information disposal practices or they will experience significant privacy breaches and non-compliance penalties. What to do? Here's an action plan to get you started:
- Assign overall responsibility for information security and privacy compliance to a position or department within your organization, which will include responsibility for disposal of information in all forms.
- Perform a disposal risk assessment to determine exactly how your organization really disposes of all types of information.
- Create information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.
Those policies and procedures need to include direction and requirements for the following:
- Locating, inventorying and gathering at the end of the business usefulness all types of digital storage devices, including CDs, DVDs, USB drives, external drives, tapes (yes, many organizations still use them), microfiche (yes, these too) and any other type of storage media.
- Inventorying all types of computing equipment, including not just the "traditional" computers, but also devices such as printers, fax machines, copiers, smartphones, MP3 devices, and any other types of devices that do computing activities.
- Acceptable shredding methods and locations for paper documents. Finely cross-shredding hard copy information is recommended, in addition to ensuring any contracted shredding company does such shredding onsite.
- Acceptable methods of irreversibly removing data from computing and digital storage devices. Degaussers are still often used, in addition to contracted services to wipe storage devices clean.
Other tips about information disposal
Here are some good resources and articles to assist you with improving your own personal, and organizational, disposal practices: