The article Disposal Dummies Cause Privacy Problems, posted at SecureWorld Post by Rebecca Herold lays out the privacy problems caused by dumb disposal policies. The article claims that trash-based breaches are worse than ever.
The oldest security and privacy problem, unsecure disposal of personal information, is prevalent today as it was centuries ago reports the author. She says because of the rapidly growing amount of data, in which EMC (EMC) and IDC claim that data is doubling every two years, along with print information, there are even more ways in which disposal-related breaches are occurring. Here are just a few instances I found:
- ‘Confetti’ Dropped During Giants Parade Contained Confidential Information
- School Accidentally Throws Out Books and Student Information
- Dallas convicts no longer shred confidential data
- Auction of Abandoned Storage Unit Contents Continues to Pose Data Security Risk
- Student Records Found in Field
- Spartanburg County Tax Records Found In Dumpster
- County improperly disposed of documents, told no one
- Student information compromised: Intact records found
- Donating print documents with personal information on them to outside groups, like pre-schools and community groups, to use as scrap paper.
- Selling computers, smartphones, copiers, fax machines, and other computing devices, to recoup some of the investment, but not irreversibly removing the data before the sale.
- Putting digital storage devices in the trash without first irreversibly removing the data.
- Putting print documents containing personal information into unsecured dumpsters, and not shredding them.
- Never throwing away no-longer-needed hard copy and digital devices; letting them accumulate in storage areas, with inadequate or no security, allowing them to be taken by anyone who happens along.
Data disposal is important because breaches caused by poor disposal activities are getting so bad that the article states there are growing numbers of laws explicitly covering disposal, and bills are being proposed at the state and federal level. The Disposal Rule (part of the Fair and Accurate Credit Transactions Act of 2003 (FACTA) has been in effect since 2005. The blog says FACTA has many very specific requirements that basically all types of businesses, of all sizes, that do most types of credit checks must take when disposing of information in all forms.
In Michigan, data destruction requirements are covered in IDENTITY THEFT PROTECTION ACT MCL Section 445.72a. where destruction of data containing personal information required; violation as misdemeanor; fine; compliance; “destroy” are defined.
Besides the fact that secure information disposal is now a legal requirement for most businesses, it makes sense to dispose of information securely to prevent privacy breaches. By having effective disposal policies, procedures and supporting technologies in place businesses demonstrate reasonable due diligence.
Ms. Herold argues that all organizations, from the smallest to the largest, need to follow appropriate information disposal practices or they will experience significant privacy breaches and non-compliance penalties. She presents an action plan to get started:
- Assign overall responsibility for information security and privacy compliance to a position or department within your organization, which will include responsibility for disposal of information in all forms.
- Perform a disposal risk assessment to determine exactly how your organization really disposes of all types of information.
- Create information disposal policies and procedures, or update existing ones, based upon the results of the disposal risk assessment.
The policies and procedures need actions:
- Locate, inventory and gather at the end of their business usefulness all types of digital storage devices, including CDs, DVDs, USB drives, external drives, tapes (yes, many organizations still use them), microfiche (yes, these too) and any other type of storage media.
- Inventory all types of computing equipment, including not just the “traditional” computers, but also devices such as printers, fax machines, copiers, smartphones, MP3 devices, and any other types of devices that do computing activities.
- Define acceptable shredding methods and locations for paper documents. Finely cross-shredding hard copy information is recommended, in addition to ensuring any contracted shredding company does such shredding on site.
- Define acceptable methods of irreversibly removing data from computing and digital storage devices. Degaussers are still often used, in addition to contracted services to wipe storage devices clean.
- Make sure you include information backups, and all types of information archives, in your disposal procedures. These items are typically overlooked, and many breaches have resulted with such items.
Bottom line for all organizations, the author argues is: You need to make sure there are proper safeguards for information, computing and storage devices, during the disposal process.
The author concludes with some recommended resources and articles to aid you with improving your own personal, and organizational, disposal practices:
Disposal guidance from the Federal Trade Commission (FTC)
Disposal tips from the Electronic Frontier Foundation (EFF)
Developing a Defensible Disposal Strategy (PDF) (IBM (IBM))
Drowning in Data? Disposing of Unneeded Content with Confidence (IBM)
- Employees Fret Over BYOD-Related Privacy Issues (misco.co.uk)