How Dumpsters Cause Data Breaches
After a laptop breaks, where does it go? Your old work laptop, perhaps too slow to keep up with the growing pace of the Internet, is retired to the IT department, which issues you a nice, shiny new one. But what about all of your old files? Your data? Your client information? It might have been transferred onto your new machine, but are you certain that it’s not still lurking on your old one?
The problem lies in the mindset, according to Kyle Marks, CEO of Retire-IT, an IT asset disposal company.
“There’s no fox watching the henhouse,” he says. “In the industry, we say that ‘Laptops have legs.’ Any asset with reuse or resale value is at risk. This is a people issue, not a technology issue.”
And while many security professionals are not yet directly involved with IT, (according to the 2012 Security 500 report, only 21 percent of CSOs report being responsible for cyber or IT security) they are involved in asset management and theft prevention.
Employee theft tops the list of risks associated with IT asset disposal, and the problem is – many employees think of it as a victimless crime.
“You’re going to throw the machine away,” Marks says. “So IT employees sometimes help themselves to the equipment. But they take it while data is still on the machine, and they can cover their tracks because they know how that organization’s disposal program works.
“You might spend millions protecting data from hackers, but one old computer carries billions of dollars in liability risk,” Marks adds.
While employees might not be necessarily targeting the data itself, stealing the hardware is still a data breach, with the potential to raise costs dramatically. HIPAA violations, for example, could cost millions of dollars per hard-drive that goes missing.
And that doesn’t just apply to laptops, says Karrie Gibson, CEO of Vintage Tech Recyclers. Data loss can occur from CDs, DVDs, flash drives and even printer/copiers, which have hard-drives that can hold data of every printed document.
“The Average Joe only needs three things to gather information off of old devices,” Gibson says. “Want and need, software, and a little expertise.
“You have to check with your IT department and your recycler about the depth of data destruction they use. Ask what software they’re using, how many times they cache data, and their data security procedures. How will they handle your equipment once it’s there? How would you bring it to the facility?” Each step is an opportunity for a breach, she says, so knowing where the weak spots are for each third party association helps security professionals conduct a more thorough risk assessment.
Marks recommends putting strong policies in place, and making sure to enforce them (“An unenforced policy is not a policy,” he says). But first, a shift in mindset is required.
“HIPAA and HITECH are extended to associates and downstream vendors,” Marks says. “There are tiers of security breaches, but the most costly is willful neglect. You’ll get increased penalties, and plaintiff attorneys just get more fuel.” So even after paying for remediation and sanctions, organizations face a whole other wave of litigations from plaintiffs at an average of, Marks says, $1,000 per record.
“At this point, it’s not just an IT problem – it’s an issue of governance, risk and compliance,” he says. Sometimes, you have to take the “IT” out of “IT disposal,” and mitigate the security risks directly as a loss management problem.
Creating a reverse procurement process is the most surefire way to keep tabs on old equipment and avoid litigation, according to Marks.
Legally, organizations should have adequate controls to avoid equipment and data loss. Barcodes or “disposal tags,” Marks says, help to create an unimpeachable chain of custody and the ability to quickly reconcile inventory. For example, if an IT manager scans 14 laptops to be moved to a recycling facility, but the delivery person only scans 13 when they are loaded onto the truck, it’s clear that a breach occurred and within a very short period, cutting down on the timeframe that security professionals would need to investigate.
Also, Marks says, every IT department should have a policy to destroy data before assets are moved or disposed of. The vendor used to dispose of the equipment itself should be regarded as a secondary safeguard.
“There are 3,000 electronic recycling vendors,” says Gibson, “but only 300 are voluntarily certified.” That certification means having an open-door, open-information policy, and Gibson also subjects her company to a third-party audit every month, which tests individual hard-drives to recover any possible data.
Gibson also says that, following the NIST-800-88 data security standard, hard-drives are written over no fewer than seven times, and the devices are dismantled – removing any potentially toxic components – then shredded and crushed into mill-ready product.
“Whole units should always be tracked,” Gibson says. “Your third-party vendor should always be able to produce a product flow chart of where a device is at any given time.”
This goes back to asking every potential third-party vendor those difficult questions about how they treat assets that organizations send to be destroyed. A commonly used program – “Darik’s Boot and Nuke,” says Gibson – is free erasure software from the Internet that does not guarantee the full deletion of hard-drive files. While certified services might cost more (ranging up to $250 per hard-drive), they offer more services, transparency and accountability, she adds.
Even if a laptop is entirely broken, the hard-drive could still have enough data to cause serious compliance complications. By wiping and writing over the hard-drive before destroying it, that data moves further and further out of danger.
“An ounce of prevention here is worth billions,” Marks says.
Proper disposal or recycling of IT isn’t just a good environmental decision (although that plays a major part), it’s a law.
The average American owns approximately 24 electronic devices, according to the Consumer Electronics Association, and in 2007, 2.25 million tons of televisions, cell phones and computer products were disposed of. Eighty percent of those ended up in landfills.
Now, in 2012, throwing these electronic “scraps” into landfills does not just result in bans, but fines as well, Gibson says. Precious metals and toxic substances such as mercury, lead and chromium are often found within electronics, which can cause serious harm to the environment, she adds. Some recycling companies save money by sending their scrap to foreign landfills instead of recycling it domestically (for more information, Gibson recommends the 60 Minutes special “The Electronic Wasteland” VIDEO).
Some states are working to ease the pain of IT recycling – New York covers 17 devices, offering vouchers or credits to recycle free. Others, such as Illinois, only cover residential recycling.
However, the Environmental Protection Agency (EPA) is working with several companies (including Gibson’s) to promote IT recycling through its Sustainable Materials Management (SMM) Electronics Challenge. Companies pledging to this cause – including Panasonic, Sony Electronics and Dell – send 100 percent of their used electronics to a recognized third-party, certified recycler by the third year of their participation, helping to increase the number of devices collected.