If asked to identify the point in the information lifecycle in which data is often most vulnerable, most people would not say “Destruction.” Destruction itself is a simple concept. After personal data or technology storing personal data is no longer useful it is discarded.  However, completely erasing data from existence is not that easy. Computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is being stored on third party servers, where the information controller has to trust their provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the data controller and the data subject’s hands.

The problems associated with proper disposal, make it so that the destruction of data is one of the times personal information is most likely to be at risk for unauthorized access. Because of this, data destruction remains an important privacy issue discussed among professionals in the industry today.

Why is Data Destroyed?

Data Destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space on the hard drive for other data that may be more pertinent to business operations. Destroying untimely data also helps limit the extent of a breach should unauthorized access occur.

The Fair Information Practice Principles include regulations regarding the limits and uses of collected data. Once data is collected, the data controller is restricted to using it for purposes related to the reasons for which it was originally collected. Data that is outdated or no longer useful is destroyed. Data destruction may also occur after transferring data to new technologies and discarding the old ones. Data, especially that has been hosted with a cloud computing service, may also be deleted at request of the data subject or data controller.

How Do Data Breaches from Improper Destruction Occur?

Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches due to carelessness. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought as to the personal information that may contain. This leaves personal information vulnerable to dumpster divers that sort through trash looking for information that may allow them to commit fraud.

Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment with the ability to store data. Sending files to the recycle bin or hitting the delete key does not actually erase a file from existence. What it does is remove the link from the file directory while a copy of the file still remains until it is written over by other files. Some operating systems support software which allows undeletion so that files have been previously deleted can be restored. Computer hard drives, USB drives, cell phones and other related products are all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their hard drives have not been overwritten, encrypted or physically destroyed.

Cloud computing has improved the interactivity and productivity of businesses and individuals but it has also increased the potential for the unauthorized access of information. When a company or individual stores personal information with a cloud computing service be it a Payroll Account Servicer or Facebook, they are trusting that servicer to protect and eventually delete their information when requested. However, it may be days, weeks or even months before that information is deleted. Furthermore, placing information in the cloud allows more individuals, that are not under the control or supervision of the data subject or the data controller to have access to personal information, laying the ground for misuse of information.

Data breaches are a serious occurrence  and take place on a regular basis due to carelessness and general ignorance of the danger that improperly disposed data may pose.

How Should Data Be Disposed?

While different regulations may call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of in both paper and electronic forms.

Physical Destruction:

1. Shredding- the most commonly used form of destruction in homes and small business in which paper is cut into small pieces to make the information harder to reassemble. Cross-cut shredders are more effective than length wise only shredders which may be reassembled into usable data with a minimal amount of work.
2. Incineration- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective there is a large debate concerning its impact on the environment.
3. Pulverization- Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but poses environmental problems as the chemicals and products used in computers and paper degrade in landfills.

Electronic Destruction:

1. Overwriting- Involves writing over data files with files containing junk information. The more times a file is overwritten the more securely it is protected from possible recovery. Overwriting is not 100% effective, however it is a common tool that is available on all computers to protect data.
2. Encryption- Involves the use of private and public cipher keys to code data using algorithms. Only users with the correct key can decode the data to readable form. The HITECH act is considering using encryption as the exclusive method of data destruction.
3. Degaussing- Involves realigning the magnetic fields of devices which use magnetization to store data such as hard drives, magnetic tapes and audio cassettes.

What are the U.S. Federal Regulations Regarding Data Disposal?

There are number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the various laws regulating privacy in different sectors and industries.

The Fair and Accurate Credit Transactions Act

In 2003, the the Fair and Accurate Credit Transaction Act was passed as an amendment to the Fair Credit Reporting Act, both which deal with the protection of personal information in consumer reports. FACTA includes a disposal rule for the protection of information contained in consumer reports by any entity which may use such information for business functions. Such entities may include landlords, employers, automobile dealers, debt collectors and financial institutions. The law requires such entities take take reasonable measures to destroy consumer reports including the physical and electronic destruction of data to make it unreadable. It also calls for independent audits to determine an entity’s compliance with the disposal rule.

The Gramm-Leach-Bliley Act

In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information used by financial institutions. It includes a Safeguards Rule which requires financial institutions to designate a coordinator of their information safety program. It also requires extensive routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external abuse of personal information. The proper disposal of data is included in such risk assessments.

The law sets up for the proper protection of data against security risk, but like many information privacy laws in the U.S., is criticized for being largely unenforceable due to the variations in technology, methodology, and use of information from business to business. The GLBA does set up heavy penalties for businesses that do not complete risk assessments and develop security plans to handle potential threats.

The Health Insurance Portability and Accountability Act

HIPAA is a broad law dealing with issues within the health industry. It contains a Privacy rule and Security Rule for the protection of personal health information. While HIPAA does not specifically have rules regarding the destruction of data, it does require covered entities to take reasonable measures to ensure the protection of data and compliance with HIPAA standards. Historically, improper disclosure has been one of the number one methods of unauthorized access to protected health information.

The Federal Information Security Management Act

In 2003, FISMA (pdf) was passed to regulate information security within the Federal Government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm due to unauthorized access, use, modification, disclosure, or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented in order to protect against potential threats.

Data destruction has been recognized as an important security risk in U.S. regulations, however many of the aforementioned regulations do not set clear or standardized guidelines for the correct disposal of information. Data destruction remains  a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge the fact that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also creates a lot of room for interpretation and so data destruction through the United States and its industries remains largely self-regulated.

What About Data Destruction Services?

As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared to be part of the solution. Many of these companies offer certificates of destruction assuring it’s customers that their data is well protected and properly destroyed. While many of these companies may properly dispose of data, potential customers should be aware that the industry is completely self-regulatory. There is no government authority that certifies data destruction services in the United States and so the certificates they issue are only as good as the reputation and accountability of a company.

In Conclusion

Data Destruction is an often overlooked part of information security which is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy and not data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal of data, recognize their accountability in ensuring its destruction and complete extensive research when choosing other services such as cloud computing and/or data destruction services which may be given control over the process.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

• Introduction to Privacy:  “Information lifecycle principles” (Foundations: I.E.vi)
• Information Security: “Cryptography” (Foundations: II.C.a.iii), “Implementing information security controls – Asset management” (Foundations: II.C.b.iii) and “Physical and environmental security” (Foundations: II.C.b.v)

There are numerous guidelines, best practices and regulations for collecting information on customers, patients or other data subjects (for this article, let’s generally call them consumers) in the United States.  The most regularly visited is probably HIPAA, where nearly everyone signs some sort of disclosure notification that a primary care physician, pharmacy, lab, hospital or some other medical office will share your Personal Health Records with third parties that handle administrative tasks for the provider.  There’s a decent sized list of who constitutes a health care provider, a third party and what information between all parties involved may be exchanged for transactions such as an insurance claim.  The financial sector also regularly distributes privacy policy notifications, although most times inaccurate information doesn’t affect anyone outside the credit reporting industry.  What happens when the collected data aren’t right?  How can a consumer even discover the inconsistencies?  What course of action does a consumer take, and what should a corporation do to respect the rights of their customers?

Historical Perspective

This is not a new issue, and has been tackled in multiple symposia and expanded several times over the past decades.  In 1973, the US Department of Health and Human Services introduced the Code of Fair Information Practices.  The 1981 Organization for Economic Cooperation and Development (OECD) guidelines and the comprehensive 1995 European Union Data Protection Directive 95/46/EC both deal with this issue.  They define two topics – “Individual Participation” and “Data Quality”.  Individual participation centers on consumer access, or the right to view any collected information and the ability to correct errors.  The EU expounds upon individual participation, where access must be at reasonable intervals and rectification without excessive delay or expense.  The Federal Trade Commission (FTC) released an advisory on online access and security in 2000. The CIPP defines these scenarios as customer access and redress.

Problems in credit reporting

Let’s first examine the US credit reporting world.  Information collected by the credit bureaus is used by banks and other money lenders to determine an applicant’s credit worthiness, or more important to the lender, their risk of default.  The credit bureaus have reason to keep the information collected as unavailable as possible – between the three main companies they had a monopoly on the compiled credit history the lenders need and each one tries to glean every ounce of data on an individual to justify ordering their credit report product.  The bureaus were charging consumers for every access to their credit reports, by what some would consider an inordinate amount.  A 1998 survey by the Public Interest Research Group underscored the customer redress situation:

• Of the consumers that did obtain their credit reports, at least 14% of them were forced to call back 3 or more times after receiving busy signals or had to write a letter in order to receive their report;
• And 12% of the consumers waited two weeks or longer to receive their report once they finished requesting it. It took more than a month for one California man to receive his report.
• Overall, 15% of consumers who attempted to participate in the survey either made at least 3 phone calls and never got through or requested their reports but never received them.

This treatment went against the privacy principles laid out in the OECD and Fair Information Practices.  Plus, mistakes were reportedly found on 79% of consumer credit reports.  Without more readily available customer access, the system was in jeopardy.  To compound these problems, there was simultaneously a rise in identity theft.

Congress steps in

In response, the US Congress passed the Fair and Accurate Credit Transactions Act (FACT Act or FACTA) in 2003.  The FACTA amended the 1970 Fair Credit Reporting Act (FCRA), and gave rise to a free annual credit report requirement from each of the major bureaus… and the slew of funny commercials about guys in pirate hats. Congress decided the credit bureaus’ reporting was simply too important to the US financial systems stating their rationale for the legislation:

(a)Accuracy and fairness of credit reporting. The Congress makes the following findings:

1. The banking system is dependent upon fair and accurate credit reporting. Inaccurate credit reports directly impair the efficiency of the banking system, and unfair credit reporting methods undermine the public confidence which is essential to the continued functioning of the banking system.
2. An elaborate mechanism has been developed for investigating and evaluating the credit worthiness, credit standing, credit capacity, character, and general reputation of consumers.
3. Consumer reporting agencies have assumed a vital role in assembling and evaluating consumer credit and other information on consumers.
4. There is a need to insure that consumer reporting agencies exercise their grave responsibilities with fairness, impartiality, and a respect for the consumer’s right to privacy.

(b)Reasonable procedures. It is the purpose of this title to require that consumer reporting agencies adopt reasonable procedures for meeting the needs of commerce for consumer credit, personnel, insurance, and other information in a manner which is fair and equitable to the consumer, with regard to the confidentiality, accuracy, relevancy, and proper utilization of such information in accordance with the requirements of this title.

Unintended Consequences

It is interesting to note, that in response to the FACTA, “imposter” domains sprang up, with a World Privacy Forum study calling out 96 specific known sites.  The web site touted in the pirate hat commercials is not the free annual credit report required by Congress, but actually one of the imposter domains belonging to Experian.  The World Privacy Forum study, “Call Don’t Click: Why It’s Smarter to Order a Federally Mandated Credit Report via Phone Instead of the Internet,” found:

• 28 of the imposter domains belong to Experian, a credit bureau.
• 68 of the imposter domains belong to or are hosted at “pay per click” companies.
• 50 of the “pay per click” domains are live, and some are luring consumers to inappropriate and risky Web sites. Some of    the “pay per click” sites lead consumers to Experian and other credit companies’ commercial sites in order to cash in on the credit bureaus’ affiliate marketing programs.

Electronic Health Records & HIPAA

Consumer access is probably not as obvious of a problem with the health care community.  Most of the work currently happens on the back end, where insurance companies and health care provider’s offices wrangle over receiving the right amount of money for procedures.  As an uninsured American, you may have to pick up the torch of dealing with doctor’s office blunders, but in those cases, you’re likely handling them at the time of service and wont pay until they get it right.  Most people simply don’t see the man behind the curtain.

The scary part will surround electronic health records (EHR) and the push to incorporate them through ARRA.  As digital bits, EHR integrity could become more questionable.  It will also uncover a slew of inconsistencies that have yet to reach the light of day – the proverbial Garbage In, Garbage Out.  A recent adopter of Google Health recounts his experience utilizing his hospital’s auto-migrate feature.  Some of his revelations:

• [T]he docs in the back room… quickly figured out what was going on… the system transmitted insurance billing codes to Google Health, not doctors’ diagnoses. [I]nsurance billing codes bear no resemblance to reality… if a doc needs to bill insurance for something and the list of billing codes doesn’t happen to include exactly what your condition is, they cram it into something else so the stupid system will accept it.
• EMR pontificators are saying “Online data in the hospital won’t do any good at the scene of a car crash.” Well, GOOD: you think I’d want the EMTs to think I have an aneurysm, anxiety, migraines and brain mets?? Yet if I hadn’t punched that button, I never would have known my data in the system was erroneous.
• [M]y 12/6/2003 x-ray identified me as a 53 year old woman… it took me months to get that error corrected, because nobody’s in the habit of actually fixing errors…

This was a contemporary hospital.  Their CIO touted the EHR revolution and already took steps embracing customer advocacy.  There will undoubtedly be push back with older hospitals or stodgier doctors.  The documented excavations are inevitable, especially with so many people involved in providing healthcare.  An article in Fast Company chronicled the clinical staff access associated with the writer’s medical care:

… a list of everybody that accessed the medical record from the time he was seen in the clinic to two weeks post-op.’There were 113 people listed — and every one had an appropriate reason to be in that chart. It shocked all of us. We all knew this was a team sport, but to recognize it was that big a team,every one of whom is empowered to screw it up — that makes me toss and turn in my sleep.”

To top it all off, there are already questions as to how older, paper records might be brought into the digital realm.  Who’s to handle the scanning?  What’s to be had of the old records?  Will the security provisions be in place to prevent EHR compromise?  It’s already time consuming to update a digitized hospital’s records – how about those of a newly computer literate doctor’s office?

International Example

The US doesn’t have a lock on the access and redress problem.  Even with the heavy emphasis placed on privacy in the EU and a separate Information Commissioner’s Office (ICO) responsible for privacy, the United Kingdom has had it’s share of reporting and correction problems, most recently with their national health database.  Until late May, citizens only had the option of opting out of the National Healthcare System (NHS) electronic health database or masking their data in the system.  With the socialized health care in the UK, there were instances where the opt out had serious consequences.  In British health care, a summary care record (SCR) includes information such as allergy information, current medications, medical conditions and resuscitation preferences.  There is obviously personal information included in the SCRs, and security of the communications medium between the hospitals (called the Spine) has been called into question.  Additionally, access controls on the system allow any authorized users to view any patient’s information, not just those currently being treated.

The NHS agency Connecting for Health (CfH) runs the records system.  An ICO spokeswoman confirmed medical record deletion would now be possible after discussions with the ICO privacy watchdogs and CfH managers.

People want the assurance that they can restrict who can access their personal details in NHS electronic records.  We met recently with Connecting for Health (CfH) to discuss the permanent deletion of summary care records once a patient requests their summary record no longer appears on the database.  We are pleased that as a result of these discussions CfH have found a way to ensure that these records are permanently removed from the database when appropriate and we are continuing to talk to them about how this is put into practice.

Summary

When drawing corporate or group policies, general best practices dictate data subjects should have the ability to review all information an organization holds on them and have the right to change any errors.  Those changes must be reconciled across the organization, either pushed upward from third party partners or downward from the main collecting organization.  By adhering to this standard, nearly every organization will be kept in lock step with multi-national laws with regard to data subject access and redress.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

• Privacy Regulations (Foundations:I.F.b, CIPP: I.B) and Compliance Requirements (Foundations:II.B)
• Data Subject Access & Redress (Foundations: III.B.d)