Authors: Arleen Chafitz
Ping, Ping, Ping... You know what that sound means. It’s a hacker trying to break in through your front door. They want to reach your network, which is securing an endless amount of valuable data. So how do you stop them? You spend thousands of dollars, maybe more, to create a fortress-like defense to keep criminals from crashing the front gates and gaining access to the keys to the castle.
Whatever definition you use for "Cybersecurity", the common denominator is to implement policies and procedures for protecting networks, computers and data from an attack and ultimately prevent costly data breaches.
The major focus of cybersecurity is keeping the front door impenetrable to global criminal activity, while little attention is paid to the significant amount of data-rich electronic equipment and devices going out the back door for disposal or unvetted recycling.
When data-containing equipment reaches its “end-of-life” and is taken out of service, the high level of front door security it was previously given may be totally ignored. Along with servers and PCs, items such as copy machines, printers, medical equipment, cell phones, tablets, phone systems, and a variety of other devices have hard drives or other storage media in them that retain data.
Visit any company or government agency and you'll find this equipment, filled with data, stored insecurely in hallways, storage rooms and offices. Even when the hard drives are removed from this equipment, the media can still end up on bookshelves or in boxes in the IT department waiting to be sanitized.
By not placing enough emphasis on the proper handling of data from end-of-life equipment, your IT department may leave hard drives untouched for weeks or months waiting for someone to destroy the data. Destroying data is not their mission, and it takes time away from other important tasks. It can take three hours or longer to sanitize a single hard drive. Think about the 600 man hours, or more, if there were 200 drives.
An IT department cannot “self certify” its own work to guarantee that data was 100% sanitized and cannot be recovered. In addition, data sanitization experts will tell you that reformatting, deleting or even drilling holes doesn’t destroy data beyond all methods of forensic reconstruction. With the proper equipment, complete data destruction is accomplished by following the basic guidelines in NIST’s 800-88R1 publication or the NSA/CSS Storage Device Sanitization Manual.
Unfortunately, too many businesses and agencies look at old equipment as “cash in the pocket”. They’ll sell equipment online or at auction, or even donate it for the tax deduction. With some of this equipment still retaining data, confidential information may wind up going to the highest bidder.
By creating a vulnerability that could lead to a data breach, your operation may be in violation of one of the numerous federal regulations for safeguarding Personal Identifiable Information (PII) and confidential information. While most people have heard of HIPAA, the acronym maze of regulations you must become familiar with includes SOX, GLB, FACTA, COPA, FISMA and others.
Not implementing the required safeguards can not only create a costly data breach, but can have a direct impact on your bottom line. Blue Cross/Blue Shield of Tennessee was fined $1.5 million when 57 unencrypted hard drives were stolen from a storage closet. In all, their total cost was over $18 million. According to a recent Ponemon Institute Research Report, a data breach can cost US organizations a per capita cost of $225.00/record, with an average cost of $7.35 million. HIPAA violations can carry up to a maximum of 5 years in jail and fines up to $1.5 million.

Medical records are among the most sought-after prizes for a data thief. According to a Forbes 2017 article, “On the black market, the going rate for your social security number is 10 cents. Your credit card number is worth 25 cents. But your electronic medical health record (EHR) could be worth hundreds or even thousands of dollars.”

Under Gramm-Leach-Bliley (GLB), a financial institution can be fined up to $100,000 for each violation. The officers and directors of the financial institution can be fined up to $10,000 for each violation.

If you think that HIPAA doesn’t apply to you just because you’re not a healthcare provider, that could be a costly mistake, as some large companies and other entities fall under HIPAA data security guidelines. Under the HITECH Act, HIPAA enforcement has increased, and now the Attorney General (AG) of each state is authorized to enforce HIPAA violations. Many AGs have gotten their states millions of dollars by successfully imposing fines for data breaches. (The state keeps the money.) By using HIPAA requirements as a guide, no matter what your business is, odds are you will remain in compliance for protecting PII.
The HIPAA physical safeguard requirement is very simple: “Implement policies and procedures to address the final disposition of electronic protected health information, and/or the hardware or electronic media on which it is stored.” Just replace “electronic protected health information” with “Personal Identifiable and Classified Information” and you should have what you need.
Create written policies and procedures for isolating and securing old electronic equipment that contains data. Conduct spot-checks to ensure they are being followed.
* Designate someone responsible for inspecting all equipment for data (desktops, servers, laptops, cell phones, tablets, copy machines, phone systems, medical devices and others).
* Secure a NAID AAA Certified vendor who specializes in data sanitization following NIST 800-88R1 and NSA guidelines and can provide a Certificate of Data Sanitization that guarantees 100% of data is sanitized and not recoverable.
* Perform strict due diligence in selecting a vendor. Since you generated the data, you remain responsible for safeguarding it; that responsibility does not shift to the vendor.
* Enter into a Business Associate Agreement (BAA).
* Consider “Data Breach Insurance” (aka Cyber Liability Insurance).
* Ensure proper recycling of equipment by securing a vendor who is R2:2013 or e-Stewards certified.
Now is the time to act. Every moment you wait could lead to the next big data breach, costing your company or agency irreparable harm. Certified data destruction is not only a precaution, it’s a responsibility. Make it your priority.
Arleen Chafitz is the owner and CEO of e-End, a Certified Woman Owned Small Business. Arleen began e-End in 2006 with the goal of keeping old electronics out of landfills by proper recycling. As more equipment began retaining data she shifted her focus to data sanitization and preventing data breaches. Arleen has been an entrepreneur for over 40 years and has successfully operated various businesses. She can be reached at: firstname.lastname@example.org.
Steve Chafitz is President of e-End and is a subject matter expert on sanitizing electronic media and the recycling of electronics. He has briefed a variety of agencies and companies on data sanitization procedures, spoken at numerous cybersecurity conferences, and held webinars on protecting data on end-of-life equipment. He can be reached at: email@example.com.
Suggested caption: It’s a familiar sight. Unused equipment sitting in an unsecured room.
Suggested caption: Hard drives waiting to be sanitized in the IT department.