<?xml version="1.0" encoding="UTF-8"?> <rss
version="2.0"
xmlns:content="http://purl.org/rss/1.0/modules/content/"
xmlns:wfw="http://wellformedweb.org/CommentAPI/"
xmlns:dc="http://purl.org/dc/elements/1.1/"
xmlns:atom="http://www.w3.org/2005/Atom"
xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
><channel><title>CIPP Guide &#187; Cloud computing</title> <atom:link href="http://www.cippguide.org/tag/cloud-computing/feed/" rel="self" type="application/rss+xml" /><link>https://www.cippguide.org</link> <description>Your Guide to the CIPP</description> <lastBuildDate>Sat, 11 Feb 2012 07:47:27 +0000</lastBuildDate> <language>en</language> <sy:updatePeriod>hourly</sy:updatePeriod> <sy:updateFrequency>1</sy:updateFrequency> <generator>http://wordpress.org/?v=3.3.1</generator> <item><title>Common Risks Impeding the Adequate Protection of Government Information</title><link>https://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/</link> <comments>https://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/#comments</comments> <pubDate>Mon, 22 Mar 2010 12:00:47 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Adequate Protection]]></category> <category><![CDATA[audit]]></category> <category><![CDATA[CIPP/G]]></category> <category><![CDATA[Cloud computing]]></category> <category><![CDATA[Common Risks]]></category> <category><![CDATA[data destruction]]></category> <category><![CDATA[DHS]]></category> <category><![CDATA[E-Government Act]]></category> <category><![CDATA[Encryption]]></category> <category><![CDATA[Federal Acquisition Regulation]]></category> <category><![CDATA[FOIA]]></category> <category><![CDATA[Freedom of Information Act]]></category> <category><![CDATA[NIST]]></category> <category><![CDATA[OMB]]></category> <category><![CDATA[PIA]]></category> <category><![CDATA[Presidential Identity Theft Task Force]]></category> <category><![CDATA[Privacy Act of 1974]]></category> <category><![CDATA[Privacy Impact Assessments]]></category> <category><![CDATA[Security]]></category> 
<category><![CDATA[Training]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1405</guid> <description><![CDATA[In 2007, the Department of Homeland Security and Office of Management and Budget, along with the Presidential Identity Theft Task Force, investigated information privacy and security practices in the United States Government. They developed a report called the Common Risks Impeding the Adequate Protection of Government Information (pdf) which included a list of ten common mistakes made by U.S. departments and agencies and provided recommendations for new practices to be implemented to eliminate and reduce security [...]]]></description> <content:encoded><![CDATA[<p>In 2007, the Department of Homeland Security and Office of Management and Budget, along with the Presidential Identity Theft Task Force, investigated information privacy and security practices in the United States Government. They developed a report called the<a
href="http://www.dns-lessons.lanl.gov/.../Common-Risks-Impeding-Adequate-Protection-Govt-Info1.pdf"> Common Risks Impeding the Adequate Protection of Government Information</a> (pdf) which included a list of ten common mistakes made by U.S. departments and agencies and provided recommendations for new practices to be implemented to eliminate and reduce security risks.</p><p><strong>1. “Security and Privacy Training is inadequate and poorly aligned with the different roles and responsibilities of personnel.”</strong></p><p>Proper security and privacy education is part of the administrative safeguards needed to properly protect data. Information handlers must understand the risks facing sensitive information and their responsibilities towards maintaining the <a
href="../2010/01/18/fair-information-practices-principles/">Fair Information Practices Principles</a>. The report instructed agencies to include privacy and security training upon employment, maintain awareness through weekly tips, annual “security days” and other creative reminders. Agencies should also target individuals with more security and privacy responsibilities and provide more extensive training.</p><p><strong>2. “Contracts and data sharing agreements between agencies and entities operating on behalf of the agency do not describe the procedures for appropriately processing and adequately safeguarding information.” </strong></p><p><a
href="../2010/02/10/privacy-act-of-1974/">The Privacy Act of 1974</a> allows the sharing of information between government agencies provided the information receives the same level of protection after disclosure and the two agencies sign and follow a data sharing agreement. Failing to comply with a data sharing agreement may allow serious breaches of an individual’s privacy. Agencies are encouraged to offer incentives for successful compliance with a data sharing agreement or contract. Agencies are also required to create detailed agreements (<a
href="https://www.acquisition.gov/far/draftingguide.htm">using Federal Acquisition Regulation Language</a>) describing the procedures for protecting the information and assigning an individual to oversee the data sharing process.</p><p>3. <strong>“Information inventories inaccurately describe the types and uses of government information, and the locations where it is stored, processed or transmitted, including personally identifiable information.”</strong></p><p>Under the <a
href="../2010/02/08/foia-the-freedom-of-information-act/">Freedom of Information Act</a> and the <a
href="../2010/02/10/privacy-act-of-1974/">Privacy Act of 1974</a>, government agencies are required to maintain adequate records on the types of information systems they maintain and the types and uses of the information. With a few exceptions, such information must be available to the public. Improper record keeping poses a threat to the transparency of government activities and an individual’s right to access the information an agency maintains about them. Agencies should use <a
href="http://www.whitehouse.gov/omb/e-gov/fea/">enterprise architecture</a> and inventories to review the type, location, and uses of information it has on record. Security controls should be developed in consideration of the inventory and all systems containing personally identifiable information should be regularly assessed to ensure the integrity and security of the data.</p><p><strong>4. “Information is not appropriately scheduled, archived or destroyed.”</strong></p><p>Information must be protected at all stages of its lifecycle including those when it is not in active use. The <a
href="../2009/11/23/data-destruction-and-privacy/">proper destruction of information</a> is particularly important to safeguarding privacy. Information must be assessed to determine how long it needs to be maintained and whether it is permanent and needs to be archived by the NARA or temporary and needs to be destroyed. Agencies must obtain the National Archives and Records Administration approval to dispose of their records according to established record schedules.</p><p><strong>5. </strong><strong>“Suspicious activities and incidents are not identified and reported in a timely manner.”</strong></p><p>Information security is an ongoing process which requires identifying and detecting potential threats. Instituting a system without following up with security checks and incident response is ignoring a fundamental part of the information security process. Agencies should develop and follow a set of procedures to identify and respond to security or privacy incidents. Response should be timely in order to be effective. Agencies should configure their computer systems to detect intrusions, monitor use, and log any incidents. Furthermore incidents should be reported to authorized personnel and agencies to reduce risk as quickly as possible.</p><p><strong>6. “Audit Trails documenting how information is processed are not appropriately created or reviewed.”</strong></p><p>It is not just the type of information that is collected but how it is used that is restricted to protect privacy and civil liberties. Accurate audit trails are necessary to record how information is being collected, used, maintained and disclosed by an agency. Agencies should use managed data repositories to develop and review the necessary audit trails. Those audit trails can then be used to identify anomalies, determine the status of data and destroy data when it is no longer necessary.</p><p><strong>7. 
“Inadequate security controls where information is collected, created, processed or maintained.”</strong></p><p>Security controls include technical, physical and administrative safeguards. They are the primary defense against unauthorized access and use of information. Agencies should maintain inventories of their physical property including real estate and mobile devices. Stronger controls should be applied to areas of high impact or high risk. Security procedures should be reviewed regularly (at least annually) to ensure physical access is granted only to authorized individuals.</p><p><strong>8. “Information security controls are not adequate.”</strong></p><p>The sole purpose of information security controls is to prevent unauthorized use and access. When such controls fail, the system must be improved or replaced to provide adequate protection to information which is guaranteed under U.S. law. Security controls should be tested annually with higher risk systems tested more frequently. Personnel that test controls should be separate from the personnel that administer the controls regularly, to allow outside enforcement. Problems and improvements should be shared among agencies to promote awareness. All common security configurations should follow <a
href="http://www.nist.gov/index.html">NIST</a> guidelines. Agencies must also consider how the public availability of information affects how government information is protected.</p><p><strong>9. “Inadequate protection of information accessed or processed remotely.”</strong></p><p>Mobile devices and the increasing use of <a
href="../2009/10/27/data-protection-in-the-cloud-why-it-matters-and-how-it-affects-you-and-your-data/">cloud computing</a> technologies allow government employees to access government information when working away from the office. Data must be protected equally when accessed from a computer at the agency and when accessed from a mobile device. Agencies should maintain an audit log of any information accessed or processed remotely. NIST encryption methods, two factor authentication, and automatic log outs after a certain period of inactivity should be employed. Agencies should ensure personnel understand the security risks involved with remotely accessing such information and have them sign a document denoting their privacy and security responsibilities.</p><p><strong>10. Agencies acquire information technology and information security products without incorporating appropriate security and privacy standards and guidelines. </strong></p><p>The <a
title="CIPP Guide: E-Government Act of 2002" href="http://www.cippguide.org/2010/02/22/the-e-government-act-of-2002/" target="_blank">E-Government Act of 2002</a> requires that all new information security systems conduct Privacy Impact Assessments prior to use, and periodically thereafter in order to evaluate the effectiveness of the system in protecting the information it maintains. Failing to assess new technologies for their privacy protections leaves large holes in the security of the system. Agencies should include information system planning, development and maintenance in their procedures and budgets. Systems should be purchased and implemented only when found to be cost effective in adequately protecting information. Software and hardware encryption products should be used according to the NIST certified cryptographic modules.</p><p><strong>Summary</strong></p><p>While there are a number of regulations such as the Privacy Act of 1974, the E-Government Act of 2002, as well as the Fair Information Practice Principles which guide the use of information by the Federal Government, such regulations are not always implemented properly. Reports such as the Common Risks Impeding the Adequate Protection of Government Information are necessary to maintain an ongoing discussion regarding information privacy and security and continue to increase security protections as technologies and threats evolve.</p><p><em>CIPP/G Candidate Preparation</em></p><p>In preparation for the Certified Information Privacy Professional Government exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Common Risks Impeding the Adequate Protection of Government Information</li><li>Information Privacy Laws for U.S. 
Government Practice (I.C.)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2010/03/22/common-risks-impeding-the-adequate-protection-of-government-information/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Data Destruction and Privacy</title><link>https://www.cippguide.org/2009/11/23/data-destruction-and-privacy/</link> <comments>https://www.cippguide.org/2009/11/23/data-destruction-and-privacy/#comments</comments> <pubDate>Mon, 23 Nov 2009 12:00:27 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Compliance & Regulations]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Cloud computing]]></category> <category><![CDATA[data destruction]]></category> <category><![CDATA[dumpster diving]]></category> <category><![CDATA[FACTA]]></category> <category><![CDATA[Fair Credit Reporting Act]]></category> <category><![CDATA[fair information practice principles]]></category> <category><![CDATA[FCRA]]></category> <category><![CDATA[FISMA]]></category> <category><![CDATA[GLBA]]></category> <category><![CDATA[Gramm Leach Bliley]]></category> <category><![CDATA[HIPAA]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1112</guid> <description><![CDATA[If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands. The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry [...]]]></description> <content:encoded><![CDATA[<p><strong> </strong></p><p>If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. <a
href="http://en.wikipedia.org/wiki/Data_remanence">Computer files are particularly difficult to destroy.</a> Furthermore, with the increasing use of <a
href="http://en.wikipedia.org/wiki/Cloud_computing">cloud computing services</a>, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands.</p><p>The problems associated with proper disposal make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry today.</p><p><strong>Why is Data Destroyed?</strong></p><p>Data Destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space on the hard drive for other data that may be more pertinent to business operations. Destroying untimely data also helps limit the extent of a breach should unauthorized access occur.</p><p>The <a
href="http://www.ftc.gov/reports/privacy3/fairinfo.shtm">Fair Information Practice Principles</a> include regulations regarding the limits and uses of collected data. Once data is collected, the <a
href="http://www.opt-4.co.uk/dictionary/DataController.asp">data controller</a> is restricted to using it for purposes related to the reasons for which it was originally collected. Data that is outdated or no longer useful is destroyed. Data destruction may also occur after transferring data to new technologies and discarding the old ones. Data, especially data that has been hosted with a cloud computing service, may also be deleted at the request of the <a
href="http://www.opt-4.co.uk/dictionary/DataSubject.asp">data subject</a> or data controller.</p><p><strong>How Do Data Breaches from Improper Destruction Occur?</strong></p><p>Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches due to <a
href="../2009/05/19/hey-stupid-dont-just-throw-that-out-corporate-disposal-policies-keep-your-organization-out-of-the-headlines/">carelessness</a>. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought as to the personal information they may contain. This leaves personal information vulnerable to <a
href="http://idtheft.about.com/od/identitytheft101/a/Dumpster_Diving.htm">dumpster divers</a> that sort through trash looking for information that may allow them to commit fraud.</p><p>Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment with the ability to store data. <a
href="http://hhttp/en.wikipedia.org/wiki/Data_remanence">Sending files to the recycle bin or hitting the delete key does not actually erase a file from existence</a>. What it does is remove the link from the file directory while a copy of the file still remains until it is written over by other files. Some operating systems support software which allows <a
href="http://en.wikipedia.org/wiki/Undeletion">undeletion</a> so that files that have been previously deleted can be restored. Computer hard drives, USB drives, cell phones and other related products are all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their hard drives have not been overwritten, encrypted or physically destroyed.</p><p>Cloud computing has improved the interactivity and productivity of businesses and individuals but it has also increased the potential for the unauthorized access of information. When a company or individual stores personal information with a cloud computing service, be it a <a
href="http://en.wikipedia.org/wiki/Payroll_service_bureau">Payroll Account Servicer </a>or Facebook, they are trusting that servicer to protect and eventually delete their information when requested. <a
href="http://arstechnica.com/web/news/2009/07/are-those-photos-really-deleted-from-facebook-think-twice.ars">However, it may be days, weeks or even months before that information is deleted</a>. Furthermore, placing information in the cloud allows more individuals, that are <a
href="http://www.schneier.com/essay-289.html">not under the control</a> or supervision of the data subject or the data controller to have access to personal information, laying the ground for misuse of information.</p><p>Data breaches are a serious occurrence and take place on a regular basis due to carelessness and general ignorance of the danger that improperly disposed data may pose.</p><p><strong>How Should Data Be Disposed?</strong></p><p>While different regulations may call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of data in both paper and <a
href="http://www.csoonline.com/article/220713/How_to_Get_Rid_of_Old_Computers">electronic forms</a>.</p><p><em>Physical Destruction:</em></p><ol><li><a
href="http://idtheft.about.com/od/preventionpractices/tp/Shredding-Mail.htm">Shredding</a>- the most commonly used form of destruction in homes and small business in which paper is cut into small pieces to make the information harder to reassemble. <a
href="http://idtheft.about.com/od/identitytheft101/a/Dumpster_Diving.htm">Cross-cut shredders</a> are more effective than length wise only shredders which may be reassembled into usable data with a minimal amount of work.</li><li><a
href="http://en.wikipedia.org/wiki/Incineration">Incineration</a>- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective there is a large debate concerning its impact on the environment.</li><li><a
href="http://en.wikipedia.org/wiki/Pulverizer">Pulverization-</a> Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but poses environmental problems as the chemicals and products used in computers and paper degrade in landfills.</li></ol><p><em>Electronic Destruction:</em></p><ol><li><a
href="http://en.wikipedia.org/wiki/Data_erasure">Overwriting</a>- Involves writing over data files with files containing junk information. The more times a file is overwritten the more securely it is protected from possible recovery. Overwriting is not 100% effective, however it is a common tool that is available on all computers to protect data.</li><li><a
href="http://en.wikipedia.org/wiki/Encryption">Encryption</a>- Involves the use of private and public cipher keys to code data using algorithms. Only users with the correct key can decode the data to readable form. <a
href="http://benefitslink.com/articles/guests/washbull090427.html">The HITECH act is considering using encryption as the exclusive method of data destruction.</a></li><li><a
href="http://en.wikipedia.org/wiki/Degaussing%23Degaussing_magnetic_data_storage_media">Degaussing</a>- Involves realigning the magnetic fields of devices which use magnetization to store data such as hard drives, magnetic tapes and audio cassettes.</li></ol><p><strong>What are the U.S. Federal Regulations Regarding Data Disposal?</strong></p><p>There are a number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the various laws regulating privacy in different sectors and industries.</p><p><em><a
href="http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=108_cong_public_laws&amp;docid=f:publ159.108">The Fair and Accurate Credit Transactions Act</a></em></p><p>In 2003, the Fair and Accurate Credit Transactions Act was passed as an amendment to the <a
href="http://en.wikipedia.org/wiki/Fair_Credit_Reporting_Act">Fair Credit Reporting Act</a>, both of which deal with the protection of personal information in consumer reports. FACTA includes a <a
href="http://www.ftc.gov/opa/2005/06/disposal.shtm">disposal rule</a> for the protection of information contained in consumer reports by <a
href="http://www.ftc.gov/bcp/edu/pubs/business/alerts/alt152.shtm">any entity which may use such information for business functions.</a> Such entities may include landlords, employers, automobile dealers, debt collectors and financial institutions. The law requires such entities to take reasonable measures to destroy consumer reports including the physical and electronic destruction of data to make it unreadable. It also calls for independent audits to determine an entity’s compliance with the disposal rule.</p><p><em> </em></p><p><em><a
href="http://livepage.apple.com/">The Gramm-Leach-Bliley Act</a></em></p><p><em> </em></p><p>In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information used by financial institutions. It includes a <a
href="http://knol.google.com/k/rob-scott/complying-with-the-glba-safeguards-rule/1llgytainraw9/1%23">Safeguards Rule </a>which requires financial institutions to designate a coordinator of their information safety program. It also requires extensive routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external abuse of personal information. The proper disposal of data is included in such risk assessments.</p><p>The law sets up for the proper protection of data against security risk, but like many information privacy laws in the U.S., is criticized for being largely unenforceable due to the variations in technology, methodology, and use of information from business to business. The GLBA does set up heavy penalties for businesses that do not complete risk assessments and develop security plans to handle potential threats.</p><p><em> </em></p><p><em><a
href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act">The Health Insurance Portability and Accountability Act</a></em></p><p>HIPAA is a broad law dealing with issues within the health industry. It contains a <a
href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act%23Privacy_Rule">Privacy </a>rule and <a
href="http://en.wikipedia.org/wiki/Health_Insurance_Portability_and_Accountability_Act%23Security_Rule">Security Rule</a> for the protection of personal health information. While HIPAA does not specifically have rules regarding the destruction of data, it does require covered entities to take reasonable measures to ensure the protection of data and compliance with HIPAA standards. <a
href="http://privacy.med.miami.edu/glossary/xd_disposal_of_records.htm">Historically, improper disclosure has been one of the number one methods of unauthorized access to protected health information.</a></p><p><em> </em></p><p><em><a
href="http://en.wikipedia.org/wiki/Federal_Information_Security_Management_Act_of_2002">The Federal Information Security Management Act</a></em></p><p>In 2003, <a
href="http://www1.techwayservices.com/storage/NISTSP800-88_rev1.pdf">FISMA</a> (pdf) was passed to regulate information security within the Federal Government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm due to unauthorized access, use, modification, disclosure, or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented in order to protect against potential threats.</p><p>Data destruction has been recognized as an important security risk in U.S. regulations, however many of the aforementioned regulations do not set clear or standardized guidelines for the correct disposal of information. Data destruction remains a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge the fact that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also creates a lot of room for interpretation and so data destruction through the United States and its industries remains largely self-regulated.</p><p><strong> </strong></p><p><strong>What About Data Destruction Services?</strong></p><p>As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared to be part of the solution. Many of these companies offer certificates of destruction assuring their customers that their data is well protected and properly destroyed. While many of these companies may properly dispose of data, potential customers should be aware that the industry is completely self-regulatory. <a
href="http://www.eweek.com/c/a/Security/ECyclers-Embrace-Data-Destruction/">There is no government authority that certifies data destruction services</a> in the United States and so the certificates they issue are only as good as the reputation and accountability of a company.</p><p><strong>In Conclusion</strong></p><p><strong> </strong></p><p>Data Destruction is an often overlooked part of information security which is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy and no data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal of data, recognize their accountability in ensuring its destruction and complete extensive research when choosing other services such as cloud computing and/or data destruction services which may be given control over the process.</p><h3><strong><em>CIPP Candidate Preparation</em></strong></h3><p>In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:</p><ul><li>Introduction to Privacy: “Information lifecycle principles” (Foundations: I.E.vi)</li><li>Information Security: &#8220;Cryptography&#8221; (Foundations: II.C.a.iii), &#8220;Implementing information security controls &#8211; Asset management&#8221; (Foundations: II.C.b.iii) and &#8220;Physical and environmental security&#8221; (Foundations: II.C.b.v)</li></ul> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/11/23/data-destruction-and-privacy/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> <item><title>Data Protection in the Cloud: Why it Matters and How it Affects You and Your Data</title><link>https://www.cippguide.org/2009/10/27/data-protection-in-the-cloud-why-it-matters-and-how-it-affects-you-and-your-data/</link> 
<comments>https://www.cippguide.org/2009/10/27/data-protection-in-the-cloud-why-it-matters-and-how-it-affects-you-and-your-data/#comments</comments> <pubDate>Tue, 27 Oct 2009 12:00:31 +0000</pubDate> <dc:creator>jbrook</dc:creator> <category><![CDATA[CIPP]]></category> <category><![CDATA[Privacy]]></category> <category><![CDATA[Amazon]]></category> <category><![CDATA[Cloud computing]]></category> <category><![CDATA[Danger]]></category> <category><![CDATA[Electronic Communications Privacy Act]]></category> <category><![CDATA[Facebook]]></category> <category><![CDATA[Flickr]]></category> <category><![CDATA[Kindle]]></category> <category><![CDATA[Microsoft]]></category> <category><![CDATA[Myspace]]></category> <category><![CDATA[Patriot Act]]></category> <category><![CDATA[side kick]]></category> <category><![CDATA[t-mobile]]></category><guid
isPermaLink="false">http://www.cippguide.org/?p=1094</guid> <description><![CDATA[Cloud computing has been a remarkable development in computing technology. It allows for high levels of specialization so that a small group of individuals, with expertise in a particular area can create a specific service and make that service widely available through the Internet. Such specialization has created giant leaps in technological capabilities. It has made information mobile, across locations and devices and revolutionized the way people share, store and consume information. However, it does not come without its [...]]]></description> <content:encoded><![CDATA[<p>Cloud computing has revolutionized the way that individuals and institutions interact, perform business activities, and spend leisure time. What many may not realize is that it has also put their personal data at risk.</p><p>With cloud computing, individuals with average or even basic computing skills have been able to make use of high tech applications, software and other technologies. In turn, this has increased productivity and encouraged interaction between different users and platforms. However, it has also created a nebulous area within data protection laws concerning data ownership, access and privacy rights. Far more of an individual’s information and data may be available to third parties and the public than they may realize.</p><p><strong> </strong></p><h2><strong><a
href="http://en.wikipedia.org/wiki/Cloud_computing">What is Cloud Computing?</a></strong></h2><p>Cloud computing is a broad concept which contains many types of technologies, applications and systems.</p><p>The official definition from the <a
href="http://csrc.nist.gov/groups/SNS/cloud-computing/index.html">National Institute of Standards and Technology</a> states: “Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction.”</p><p>More simply, cloud computing allows users to use the Internet to make use of an application, software or service. In this way, a user does not need to have the computer expertise or the storage or networking capabilities to utilize highly technical applications.</p><p>Cloud computing contains many layers:</p><p><em>Cloud Clients</em> are hardware systems which make use of the cloud. This includes <a
href="http://en.wikipedia.org/wiki/Mobile_computing">Mobile clients</a> such as the iPhone and Windows mobile and <a
href="http://en.wikipedia.org/wiki/Thin_client">Thin Clients</a><strong> </strong>which have limited processing power and use network connectivity to perform most functions.  They also include <a
href="http://en.wikipedia.org/wiki/Thick_client">Thick clients</a> such as the typical computer which conduct many processes without connection to a network. Thick clients use <a
href="http://en.wikipedia.org/wiki/Web_browser">web browsers</a> to make use of cloud computing technologies.</p><p><em>Cloud Applications</em><strong> </strong>include peer-to-peer programs such as Skype, and web applications such as Twitter and Facebook. It also includes Security as a Service and <strong><a
href="http://en.wikipedia.org/wiki/Software_as_a_service">Software as a Service (SaaS)</a></strong> which provide small businesses with security and business management related software on-demand, through the Internet.</p><p><strong><em><a
href="http://en.wikipedia.org/wiki/Platform_as_a_service">Platform as a Service</a></em></strong> allows developers to create and support their own applications through the Internet and does not require the personal use of their own network or storage capabilities to run or host the application.</p><p><strong><em><a
href="http://en.wikipedia.org/wiki/Infrastructure_as_a_service">Infrastructure as a Service</a></em></strong> allows users to purchase all outsourced computer services from one vendor on a per use basis instead of paying for each service individually.</p><h2><strong><a
href="http://www.worldprivacyforum.org/cloudprivacy.html">Risks Involved with Cloud Computing</a></strong></h2><p><em><a
href="http://bits.blogs.nytimes.com/2009/02/23/does-cloud-computing-mean-more-risks-to-privacy/">Privacy Risks</a>– </em>In current U.S. information privacy law, particularly the <em><a
href="http://www.floridalawfirm.com/privacy.html">Electronic Communications Privacy Act</a></em>, data hosted with a third party is not as strongly protected as data stored on an individual computer or network.</p><ul><li>Under current data laws anything posted to Facebook or Twitter, any messages sent through Gmail or other web based email providers, any document shared with Google docs, basically any information uploaded to cloud computing services, can potentially be subpoenaed by law enforcement officials, as provided for under the <em><a
href="http://epic.org/privacy/terrorism/hr3162.html">Patriot Act</a></em>, without ever notifying the consumer.</li><li>Because technology has grown faster than the government’s ability to regulate it, there are fewer legal regulations protecting data in the cloud from unauthorized use and disclosure and few systems in place to investigate and prosecute violations.</li></ul><p><em>Vendor Risks– </em>As more businesses use Software as a Service to complete business functions, they need to make careful decisions regarding the vendors they use.</p><ul><li>Reliability– Placing data in the cloud means that a business relies on its vendor for business functions. Problems with a vendor, such as data outages, bankruptcy or legal issues, may result in disruption of business activities.</li><li>Accountability– <em><a
href="http://en.wikipedia.org/wiki/Service_level_agreement">Service Level Agreements</a></em> or End User License Agreements should be signed to protect both parties. These are agreements created between the provider and consumer of a software or service which outline the responsibilities, capabilities and rights of each party.</li><li>Transferability– While it is convenient to upload data to a cloud service so it can be accessed anywhere, such services are <em><a
href="http://www.webmonkey.com/blog/Pack_Up_Your_Data_and_Leave_Whenever_You_Want__It_s_the_New_Rule_of_the_Cloud">notorious for creating difficulties</a></em> in downloading data. As of now, there are few services that allow bulk downloads, which means data may only be downloaded one or a few files at a time. Furthermore, some services may charge fees for you to download the data. This may make it extremely difficult to switch your information to another vendor.</li></ul><p><em><a
href="http://www.infoworld.com/d/security-central/gartner-seven-cloud-computing-security-risks-853?page=0,0">Accountability Risks</a>– </em>Though data may be placed or serviced by a third party, the consumer is still responsible for the security and integrity of the data.</p><ul><li>Since the user will not have personal control over which individuals are given the authority to access and service their information, users should look into a vendor’s hiring and employee policies. Many cloud services deal with sensitive or protected data and it is the responsibility of the user to make sure their information is adequately protected.</li><li>Because data is not stored locally on the user’s computer, often the user may not know the exact location of their data. It is possible that a vendor may store data in facilities located outside the jurisdiction of U.S. or E.U. data protection laws. Users should check a vendor’s policies to make sure they comply with all information privacy regulations. A breach of these regulations and any resulting unauthorized disclosure of a consumer’s personal information will be the responsibility of the user and not the vendor.</li><li>Even with the faster, more reliable, more secure systems that cloud computing offers, there may be incidents of data loss, unauthorized disclosure and misuse. Users should work with vendors that contractually allow for investigations into such incidents and have a history of looking into such incidents. 
Users should also be aware that investigations with cloud computing services are often extremely difficult because information is stored on various hosts and servers alongside the information of many other users, as opposed to personal networks and applications which have a smaller number of storage facilities and system users.</li></ul><p><em>Data Loss– </em>While using a cloud service may protect against the loss of data should a user’s computer or storage facilities fail, it also creates many more opportunities for the loss of data.</p><ul><li>Data on web based service networks is stored along with the information of hundreds, thousands or even millions of users. While encryption is widely used to protect data, it does not guarantee complete safety. Encryption can also go wrong, leaving data completely unreadable and/or unrecoverable. A user has little control over the technologies and methods used to protect their data when using a cloud computing service.</li><li>Data outages and natural disasters can wreak havoc on a user’s ability to utilize a service. <em><a
href="http://hhttp/www.appleinsider.com/articles/09/10/11/microsofts_danger_sidekick_data_loss_casts_dark_on_cloud_computing.html">In October 2009, a number of T-Mobile Side Kick subscribers lost important information such as their contacts, calendars, and other data involved with applications when Danger, a Microsoft Service, experienced outages and data loss. </a></em>Users should be aware of a service provider’s policies for disaster recovery management.</li><li>Data stored by a third party can potentially be made inaccessible or destroyed by that party. <em><a
title="Amazon continues big business’ Big Brother thinking, with a very Orwellian twist " href="http://www.cippguide.org/2009/07/23/amazon-continues-big-business-big-brother-thinking-with-a-very-orwellian-twist/" target="_blank">Amazon recently deleted a number of purchased copies of 1984 from Kindle users’ computers during a copyright dispute. </a></em>While the action was not an attempt at censorship, the incident raised serious issues about the rights of e-book owners and the potential for censorship in the future.</li><li>Similarly, some services, like Flickr, limit the number of uploaded documents that can be accessed unless a paid account is purchased. Other services, such as Facebook and Myspace, <em><a
href="http://arstechnica.com/web/news/2009/07/are-those-photos-really-deleted-from-facebook-think-twice.ars">fail to delete photos and other data</a></em> immediately after the delete request has been made, and may take months for the data to be completely removed. This denies users the ability to control the destruction of their data.</li></ul><h2><strong>Summary</strong><strong>:</strong></h2><p>Cloud computing has been a remarkable development in computing technology. It allows for high levels of specialization so that a small group of individuals, with expertise in a particular area can create a specific service and make that service widely available through the Internet. Such specialization has created giant leaps in technological capabilities. It has made information mobile, across locations and devices and revolutionized the way people share, store and consume information. However, it does not come without its risks. Until information privacy laws can catch up with the changes in technology, consumers must be personally responsible for learning about, monitoring, and protecting against the risks associated with sharing data in the cloud.</p> ]]></content:encoded> <wfw:commentRss>https://www.cippguide.org/2009/10/27/data-protection-in-the-cloud-why-it-matters-and-how-it-affects-you-and-your-data/feed/</wfw:commentRss> <slash:comments>0</slash:comments> </item> </channel> </rss>
