Privacy at Risk: Protecting Your Outgoing Data

by Brooks Hoffman, VP Finance & Operations, LifeSpan Technology Recycling

Reverse Logistics Magazine, Spring/Summer 2006

With security software spending estimated at $50 billion globally in 2005, many organizations are clearly taking the problems of data privacy and identify theft seriously. However, while most companies have focused on preventing perpetrators from breaking into their organizations, there has been comparatively little attention on protecting information that leaves the company on retired information technology assets. In the reverse logistics process, managers who dispose of these assets in an uncontrolled manner place their organizations at risk of inadvertently disclosing sensitive information and/or violating a number of federal privacy laws.

Many IT departments have implemented policies requiring sensitive data to be removed from technology assets that are designated for retirement. However, there is rarely sufficient time or controls to consistently implement this process due to competing priorities such as deploying new equipment or software platforms. These competing priorities, along with a lack of understanding of the data security and legal risks involved, may cause organizations to seek "easy" or "quick" solutions to their asset retirement needs. This may ultimately put the company at great risk if they rely on consignment organizations with no expertise in data security or sham recyclers disguised as used equipment brokers who offer "free" recycling.

The most obvious ramification of releasing proprietary corporate information is that it could assist competitors and other outside parties to identify potential customers, future products, and sensitive client correspondence. According to Special Agent David Mahon of the FBI's Denver Cyber Crimes Division:

"People just don't seem to realize what a significant risk that is posed by the potential compromise of information security. I recently observed some IT equipment being removed from a Denver office building. When I asked the staff what they planned to do with the hard drives, they indicated that they would probably just send them to a landfill. Not only is this against the law in Colorado, the information on those drives could easily wind up in the wrong hands."

The inadvertent disclosure of sensitive data may also violate a number of recently enacted federal laws that are intended to protect information privacy. These laws include: The Health Insurance Portability and Accountability Act ("HIPAA"), The Fair and Accurate Credit Transactions Act ("FACTA"), and the Gramm-Leach-Bliley Act ("GLB"). Violation of these laws can result in substantial criminal and civil penalties as well as significant negative publicity. In January of this year, the Federal Trade Commission announced a consent judgment against consumer data broker ChoicePoint, Inc., which admitted that the personal financial records of more than 163,000 consumers in its database had been compromised. Under the terms of the agreement, the company agreed to pay $10 million in civil penalties and $5 million in consumer redress to settle charges that its security and record-handling procedures violated consumers’ privacy rights and federal laws. The settlement also requires ChoicePoint to establish and maintain a comprehensive information security program and to obtain biannual third-party audits by an independent security professional for the next twenty years.

Data privacy controls for expired IT assets should be subject to a thorough cost-benefit analysis. Here are some initial questions to consider:

• Do internal or outsourced service providers have the necessary procedures and controls to check the efficacy of the data destruction process from transportation to actual destruction? Is the process being audited by a third party? What kind of a chain of custody procedures does the organization maintain? What type of photographic evidence is provided?
• What is the value of resale material vs. the potential costs of a breach of data security? Reselling the equipment may not outweigh the value of ensuring privacy - hence some organizations prefer to recycle all of their end-of-life assets regardless of residual value.
• Should you perform all of your data destruction activities in-house? If so, you should either physically destroy the drives or use disk over-write software. Commercially available programs such as Kroll-Ontrack's "Data Eraser" or LSoft's "Active Kill Disk" fill the drives with "0's." Physical hard drive destruction equipment is commercially available from companies such as Shred-Tech or SEM.
• Could an outside organization provide an additional level of security for your internal data destruction process? If so, what physical destruction capabilities does the vendor have? In addition to software based destruction, can they physically shred all media containing data? Does the outsourced vendor have your best interest in mind - i.e. are they motivated to provide the appropriate services to your firm or are they simply looking to profit from the resale of equipment? Lastly, is the vendor protected by errors and omissions insurance in the event that data is accidentally compromised?

Managing data security risk does not have to be difficult or expensive. It requires companies to:

• educate their organizations on the importance of maintaining information privacy
• develop and implement programs that mitigate risk, and
• continually monitor the on-going compliance with and effectiveness of these programs.

About the author: Brooks Hoffman is V.P. – Finance & Operations for LifeSpan Technology Recycling. LifeSpan provides customized IT asset disposal programs that ensure data security and environmental compliance to clients nationwide. Contact information: (888) 720-0900, info@lifespanrecycling.com, www.lifespanrecycling.com.

Reverse Logistics Magazine, Spring/Summer 2006