Data destruction specifications still have significant shortfalls that require the attention of those with a broader approach to security. The future of e-scrap depends on this perspective. When most people think of data destruction, even those government officials responsible for establishing data security specifications, they usually limit their attention and guidance to the specific point at which that destruction takes place. This focus is an understandable but dangerous practice since it ignores the fact that the destruction of data, whether on paper or electronic media, is a process. As a process, security is required at many points in addition to the act of destruction itself.
This “specification tunnel vision” is particularly dangerous since data destruction requirements are increasingly likely to be outsourced to a service. Organizations have good intentions and look for applicable specifications to help build data destruction practices that are secure. Unfortunately, current specifications provide little or no defined guidance for the full range of flow issues or vendor selection qualifications.
As data (and the media on which it is stored) flows from an organization, it passes through a number of phases inside and, increasingly, outside the organization. This “flow” includes authorization, collection, staging, transport, processing (destruction), and the disposal of destroyed materials. Securing the flow of material through the destruction process also includes:
- Employee screening and monitoring
- Transfer of custody
- Acceptance of fiduciary responsibility
- Access control
- Written policies and procedures
- Audit trails
Tunnel Vision Leads to Security Issues
If focus and specifications are strictly limited to the destruction event, it would be possible to employ known identity thieves to sanitize hard drives on a busy street corner as long as they were properly trained – and still comply with the specification.
Even if there were a compliance audit included within such specifications, which there is not, the absence of specific criteria on the full range of processes and vendor selection issues would render such an audit of little value.
No sanitization process or shredded particle size can overcome the security deficiencies that result if every phase of the destruction process, within the organization and at vendor processing locations, is not secure throughout. Audits will not uncover whether these security issues exist because the audits reflect generally stated specifications that deal with only a limited portion of the destruction process.
Data Protection Regulations Favor a “Process” Perspective
While there is more work to be done, many regulatory bodies understand the need for more extensive specifications. The need for a broader view is probably why every major data protection regulation in the US includes a requirement that organizations have written data protection policies and procedures, including how they select data-related vendors. In other words, they require that the data protection “process” is identified.
For instance, in the Final Disposal Rule of the Fair and Accurate Credit Transaction Act (FACTA), the nation’s first data destruction requirement, the US Federal Trade Commission (FTC) addresses baseline vendor qualifications for destruction service providers. However, the FTC did not define any destruction specification whatsoever, simply stating that destruction must “reasonably” render the information practicably unreconstructable or irretrievable.
In another example, the US Department of Veterans Affairs specifically defaults to the industry standard of NAID AAA Certification as a requirement for secure destruction services. While the NAID AAA Certification does contain reasonable destruction method requirements, the strength and emphasis of the certification is in verifying nearly twenty different aspects of the service provider’s destruction process.
Customer Rights and Opportunities
When hiring a company to destroy records, customers have both the right and the obligation to determine the method of destruction that provides the best protection. Organizations that reference specifications in their destruction practices are taking the right steps. The problem is that specifications focus on the data destruction method, sometimes to the exclusion of any other guidance.
Unfortunately, there is no shortage of service providers with machines and methods that meet these specifications but who also grossly lack the necessary security in the other areas of the process.
However, with a little diligence it is fairly easy to find quality service providers that do embrace the entire field of security issues, and they are worth finding. Compared to all other alternatives, including in-house destruction, they provide customers with the best solution for meeting their evolving data destruction responsibilities. The number of providers with high-security services is expected to grow over the coming months and years, if only because of rising demand for this level of service from customers.
Embracing Secure Destruction Processes
Outsourcing of secure destruction to quality service providers is expected to grow in popularity because those providers are so much better prepared to address the full range of security issues. It stands to reason that the outsourcing companies who take that challenge seriously are going to get the lion’s share of that opportunity.
An additional factor is the destruction of data on obsolete computers. It has long been known that outsourcing sanitization to a service provider with a robust quality control system is really the only viable alternative for organizations that must protect information on obsolete computers.
In 2003, a study by Dr. Simson Garfinkel, which led to his article “Remembrance of Data Passed,” was the first to demonstrate that many hard drives on the second-hand market still contained an extraordinary amount of sensitive information. Further, he and his team were able to discern that many of the drives containing such information had undergone some attempt at being overwritten. The problem, according to the article, was not the sanitization process but that those applying it did not know what they were doing. It was the first of many similar studies over the years that showed the importance of trained personnel and quality control to effective hard drive sanitization, something that is only provided by companies that specialize in secure data destruction and have a complete security process in place.
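The quality-control step those studies call for can be made concrete. The following is an added example, not code from the article or from any vendor: a post-wipe verification pass that reads back every sector of a drive image and flags any sector that does not match the overwrite pattern, also noting when the residue still looks like readable text. It assumes 512-byte sectors, a zero-fill overwrite, and a constructed sample image; it also shows why spot-checking only a sample of sectors is not a substitute for a full read-back.

```python
"""Post-sanitization verification: confirm every sector of a drive image
holds only the overwrite pattern, and report sectors that still hold data."""
import string

SECTOR_SIZE = 512  # assumption: 512-byte logical sectors
PRINTABLE = set(string.printable.encode())


def looks_like_text(sector: bytes) -> bool:
    """Heuristic: a run of 16+ printable bytes suggests leftover file content."""
    run = longest = 0
    for b in sector:
        run = run + 1 if b in PRINTABLE else 0
        longest = max(longest, run)
    return longest >= 16


def verify_image(image: bytes, pattern: bytes = b"\x00", sample_every: int = 1) -> dict:
    """Check every sample_every-th sector against the expected overwrite pattern.
    sample_every=1 is a full read-back; larger values spot-check and can miss residue."""
    if len(image) % SECTOR_SIZE:
        raise ValueError("image is not a whole number of sectors")
    expected = (pattern * (SECTOR_SIZE // len(pattern) + 1))[:SECTOR_SIZE]
    total = len(image) // SECTOR_SIZE
    residual, checked = [], 0
    for i in range(0, total, sample_every):
        sector = image[i * SECTOR_SIZE:(i + 1) * SECTOR_SIZE]
        checked += 1
        if sector != expected:
            residual.append({"sector": i, "text_like": looks_like_text(sector)})
    return {"sectors": total, "checked": checked,
            "residual": residual, "passed": not residual}


def constructed_image() -> bytes:
    """Constructed sample: a 16-sector image that an untrained operator 'wiped'
    but left two sectors untouched, one of them still holding readable text."""
    sectors = [bytes(SECTOR_SIZE) for _ in range(16)]
    sectors[3] = bytes(range(128, 256)) * 4            # leftover binary data, no printable bytes
    sectors[9] = b"PATIENT: J. DOE  DOB 1970-01-01  DX: ...".ljust(SECTOR_SIZE, b"\x00")
    return b"".join(sectors)


if __name__ == "__main__":
    full = verify_image(constructed_image())
    print("full read-back:", "PASS" if full["passed"] else f"FAIL {full['residual']}")
    spot = verify_image(constructed_image(), sample_every=4)
    print("spot check (every 4th sector):", "PASS" if spot["passed"] else "FAIL")
```

On the constructed image the full read-back fails on sectors 3 and 9, while the every-fourth-sector spot check passes, which is exactly the false assurance an untrained operator would accept.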
Turning Up the Heat
Over the last few years, organizations with a high data protection requirement (and their data-related vendors) have seen a number of trends in this new “data protection age.”
Up until about 3 years ago, there had been few if any enforcement actions related to improper data disposal. No fines. No lawsuits. No firings.
The first sign that this might be changing came in December of 2007 when a mortgage company in the Chicago area was fined $50,000 by the FTC under the FACTA Final Disposal Rule for demonstrating a “pattern of improper disposal of consumer report information.”
Since that time, there has been an increasing litany of such fines, each higher than the last. Regulatory watchdogs and law enforcement officials, including state hospital boards, states’ Attorneys General, state insurance boards, the Office for Civil Rights, and the Federal Trade Commission, are now handing out fines that have climbed as high as $2,250,000.
And, the threshold for what is finable is also lowering. A hospital in Texas was fined $990,000 for putting six boxes of unshredded records in its trash.
Recently, when asked exactly what type of data breach violation would result in the maximum level of new mandatory fines under the revised Health Insurance Portability and Accountability Act (HIPAA), HHS wrote that a casually discarded computer hard drive containing patient information is such an example. According to the new mandatory fine schedule, that fine ranges anywhere from $10,000 to $50,000 per patient record (capped at $1,500,000 per year)!
The new HIPAA regulation also requires data breach notification in the event that any unencrypted hard drive containing patient information goes missing for any reason.
The big news is that most experts see the new HIPAA as nothing short of a preview of the next national data protection law that will apply to all personal information and not just healthcare data.
Responding to the Needs of the Market
While data-related service providers are subject to the same risks as the customers they serve, that does not change the fact that they are in the best position to capitalize on these trends. No customer is going to be able to do all the things they would have to do to match the security of a service provider who specializes in data security.
The good news is that customers already realize this fact. They are already looking for help and they will surely jump at the chance to switch to a service provider that understands that they need a destruction vendor who addresses the entire security process.