Data Breach in End of Life IT Assets; The E-Waste Monster!
Spooky! Dead Computers Tell Secrets!
While we continue to wage a war against dumping e-waste into landfills and to promote the reuse or recycling of computers, we are faced with yet another daunting task: managing data security for recycled, reused, lost and stolen computers. Most companies, as part of their corporate social responsibility programs, encourage reusing or recycling their IT assets, but when asked about data security management for these retiring assets, most have little or no planning in place.
While businesses are trying to do the right thing by recycling, decommissioning, giving away or donating old computers and obsolete IT assets, they are underestimating the gravity of the data breach threat these assets pose if not handled properly. “In a survey of 350 companies, of which 75% had given away or donated their computers, only 23% had erased data from discarded computers”.
A dead computer without proper data security management is like a ticking time bomb waiting to explode!
In May 2013, the Ponemon Institute released its 2013 Cost of Data Breach Study: Global Analysis (“Ponemon Study”), indicating that the average cost of a data breach for US companies is $188 per record. Based on an average of 28,765 records per US breach, the Ponemon Study identifies a total organizational cost of $5,403,644 per data breach.
The Ponemon Institute study shows the gravity, financial implications and reputational impact of a data breach on an organization.
Healthcare Data Breaches
A few independent studies recently concluded that healthcare security breaches are on the rise. Scary, isn’t it?
According to the Information Security & Data Breach Report (November 2012 update), healthcare entities again accounted for the largest percentage of the data breaches identified in either quarter (Q3: 49% vs. Q2: 40%).
With more and more healthcare organizations adopting Electronic Health Records (EHRs), data security management on assets holding these records has become extremely important. With the rising adoption of high-tech devices, EHR digitization of records and increased usage of mobile technology, data breaches are even harder to track. As a result of the HITECH Act, which is an expansion of HIPAA’s privacy and security policies, healthcare organizations are even more hard-pressed to protect and safeguard patient information and to notify those whose information has been breached. It is mandatory for these organizations to protect patient data at the most vulnerable stage of an IT asset’s life: its end!
End of Life IT Asset Management “Dos” and “Don’ts”
Dos:
- Establish clear and concise goals on handling disposition of IT assets.
- Use an eStewards or R2 certified electronic recycler to handle data security while disposing, recycling and remarketing your old computers.
- Explore options in regards to donation, reuse, remarketing/reselling, recycling of IT equipment and methods of data destruction.
- Document every piece of data storage equipment. It's not just computers and servers; even printers, scanners, USBs, mobile phones, BYOD devices or volatile RAM could hold data.

Don’ts:
- Store IT assets in need of replacement. In addition to the high cost of storage and fixed asset tax, they can serve a useful purpose, perhaps through reuse, refurbishing or recycling.
- Discard computers into landfills. It is environmentally unsafe, illegal*, irresponsible and extremely risky from a data security point of view.
- Give away or donate computers for reuse without handling data security issues first.
Recycle! Recycle! Recycle! But with data security in mind.
It is ironic that, with electronic waste entering the waste stream at an unrelenting pace, there is little education on what happens to e-waste in the end. Out of the 25% of total e-waste that is recycled, a startling 70-80% is actually shipped to third world countries, where it gets informally treated using primitive methods like incineration, acid washing, burning and stripping, often by under-aged kids!
“In a recent study, everything from bank records to classified missile test results were found on a random sample of hard drives on eBay. The Ponemon Institute estimates that 70% of data breaches come from offline computers, usually after they have been disposed of by the equipment owner”.
Data destruction is not a DIY project, especially when your reputation, credibility and legal standing are at stake. Seek an eStewards certified recycler.
Certified recyclers provide open indemnification for data leakage or breach on assets they recycle. It is a good idea to outsource managing end of life IT equipment to eStewards Certified Electronic Recyclers, who are qualified and experienced in handling, recycling and data security management of end of life IT assets as per National Association of Information Destruction (NAID) standards.
When it comes to telling secrets, there are no exceptions!
While decommissioning your IT assets, you’re probably separating high-risk data storage devices from the low-risk ones. However, even a low-risk asset can open the door to a more serious breach of sensitive data, merely through an ignored, missed, overlooked or hidden piece of information on it. The point I am trying to make here is: while decommissioning your assets, place equal emphasis on all assets regardless of the perceived risk associated with each.
Reformatting, wiping or drilling is not enough
With data security threats becoming so sophisticated, it is often not enough to just reformat or repartition your drive. Needless to say, disposing of it in a landfill is the least safe bet, and illegal in most states.
Secure data destruction is not accomplished by simply running a software application, formatting, drilling or smashing a hard drive. It is also about complete documentation, serialization, life cycle accountability and establishing a trail of events while destroying each storage device. Secure Data Destruction by a certified e-cycler includes:
- Secure transportation with chain of custody documentation
- On-site data destruction performed in compliance with HIPAA, HITECH and as per DOD standards
- Off-site data destruction under video surveillance with certificate of destruction, fully insured and covered under professional liability insurance
- Security e-Bins for safe storage of hard drives and storage devices
- Serialization and documentation of assets
- Recycling, refurbishing, donation options, re-marketing/reselling of IT assets
- Quarantine or hold assets in a safe/secure place while data is migrated to new assets
- De-install, move or relocate assets securely
- Certificate of Data Destruction and Certificate of Recycling
Information security incidents and data breaches are on the rise. A data breach is not just the result of deliberate infiltration by a criminal hacker; it can also result from an organization’s negligence in handling its old IT assets: computers, cell phones, printers, media disks and all other data-bearing devices. By carefully reviewing its IT disposal process, and auditing recyclers for the required e-waste certifications, which ensure specific health, safety and data security requirements, an organization can prevent embarrassing, costly and at times threatening data breaches on end of life assets. Nip the monster that threatens to tell your organizational secrets in the bud: recycle IT assets responsibly, ethically and with data security in mind!
Infographic by Veracode Application Security