Hey stupid! Don't just throw that out - Corporate disposal policies keep your organization out of the headlines

The US federal and state governments heavily police privacy in the finance and banking sector.  Between the Gramm-Leach-Bliley Act of 1999 (GLBA), Sarbanes-Oxley (SOX) and state privacy and breach notification laws in places such as California, Montana and Massachusetts, compliance and regulation weigh heavily on an institution’s bottom line.  This exemplifies the sectoral approach to privacy seen in the United States: different laws and rules apply to each market, whether medical facilities in the health care sector or weapons manufacturers in defense contracting.  A few markets overlap (think multi-state, for-profit hospitals), and some sectors layer additional, non-governmental rules on top.  For example, in 2004 the payment card industry consolidated industry best practices and the disjointed policies of the individual card brands into a single overarching Data Security Standard (PCI DSS).

Staggering Statistics

[Chart: Types of incidents resulting in breach - all time]

[Chart: Types of incidents resulting in breach - YTD 2009]

All of this regulation and legislation covers day-to-day activities: quarterly and annual reporting, storage and protection of personally identifiable information, information security policies, and the appropriate retirement and disposal of files and data.  Much of the legislation was a response to rising identity theft, corporate scandal or high profile breaches of private records.  The exposure numbers are staggering.  According to statistics collected by the Open Security Foundation, there has been a 117-fold rise in data security breaches since 2000 and a 400% escalation since 2005.  In 2005, the Federal Trade Commission estimated that 3.7% of the US adult population had been victims of a records breach.  By 2008, breach notifications affected 84 million records, approximately 5.6% of the population.  17% of those breaches involved paper losses, such as check stubs, account statements or other printed documents.  The other 83% involved electronic records, and those accounted for over 98% of the total records lost.  The two charts show the source of the losses: a consistent 36% of breaches are due to theft or loss, but there is an interesting 9 point upswing this year (17% vs 8%) in breaches caused by lost equipment or improper document disposal.  Some categories (like lost backup tapes) have been nearly eliminated in recent years by industry best practices and paradigm shifts.

Dumpster Diving for PII

So how is it that Steve Hunt happened across a treasure trove of private financial information lying in a dumpster behind what he describes as a “big bank in a big city”?  The bank had hired Hunt’s company, Hunt Business Intelligence, and was surprised by the results: check stubs, bank statements, wire transfer information and even a computer labeled “Chicago Board of Trade”.  Any large bank obviously has policies on file disposal, if only to meet the legislative requirements.  Checks, bank statements, files and other paper should be shredded.  Computer equipment needs more than a file deletion: at a minimum the digital equivalent of shredding, and some regulations expect physical destruction of the hard drives.  So how does a privacy professional manage this sort of exposure when policy is simply ignored?


Mr. Steve Hunt discusses a dumpster diving experience behind a financial institution.

“There are so many physical security aspects to data protection it ought to never be considered merely an IT security issue,” Hunt said.  Mr. Hunt is referring not only to the bits in use on the device, which privacy and security professionals obsess over with technologies such as DLP (Data Loss/Leakage Prevention), but also to loss wherever the data reside: paper bank statements, backup tapes, or used hardware on its way out the door.  We see time and again how smaller devices facilitate loss or theft, and with it privacy impact, with examples ranging from memory sticks lost at a prison, to a USB drive compromising major intelligence operations, to stolen laptops and smartphones.  But most of the items Hunt calls out are not ultra-portable electronics; they are examples of companies apparently forgetting policy in the name of tidiness: rejected photocopies, unclaimed faxes and a third party computer (which no one probably knew what to do with until someone finally grew tired of looking at it).

Although Hunt called out pretty significant personal details on the papers he retrieved, statistics, logistics and plain old physics consistently point to electronic records as the bigger picture.  You simply can’t compromise as much paper information without a tractor-trailer and a physical presence at the location.  It might take Hunt only 3 minutes to find items in the trash, but the planning and execution (and lingering odor) may encompass hours.  The risk is also far more tangible to the perpetrator than in a remote, network-based attack: instead of an air conditioned room and a laptop, a dumpster diver faces police and private surveillance, neighborhood watches, and the stigma of traipsing through the trash.  That deters all but the most determined adversary.  So don’t forget proper paper disposal: it is well understood and it will put your company in the news 17% of the time, but realize that it amounts to roughly 2% of the total records disclosed.

An Inventory of Assets

Corporations should already have an inventory of assets in this age of eDiscovery.  A record of who owns what equipment and what is stored on it lets you meet court demands, figure out quickly what you should have at any moment in time, and know where to look when data are needed later.  At a minimum this covers servers, desktops, laptops and smartphones, regardless of owner, as well as any hardware off site.  It also turns a mysterious loss of equipment, such as a laptop in the trash, into something you notice rather than something a stranger finds for you.

Information Lifecycle Mapping

Better still, enterprise information lifecycle mapping goes much further in defining what information may be at risk from loss, theft or policy failure.  For privacy data, lifecycle mapping shows what data are created during collection, for what use and purpose, in what formats the data are retained, and, most importantly, delineates who has disclosure access to each piece of information.  This is especially useful in multi-sector corporations and in third party and marketing vendor relationships, where the management and administration of data flows must be reconciled across large populations.  Lifecycle controls also allow monitoring of customer opt-in and opt-out decisions and appropriate enforcement of policy.

Mitigating Data Recovery Risks

The recovered laptop’s battery was drained, but Hunt says, ”I know how to connect to a hard drive.” Would the laptop have been susceptible to recovery as Hunt suggests?  Up until ten months ago in Indiana, a lost laptop did not require a breach notification as long as the machine had a password set.  Anyone in the security industry will tell you how easy it is to circumvent or recover a user name and password, especially when that is the only protection on the system: pull the drive, attach it to another machine, and the login prompt never enters the picture.  My information security professor back in college regularly emphasized, “Once you get your hands on the hardware, all bets are off”.  So what can be done to manage this risk?

Cryptography eliminates disclosure risks?

Most states, including Indiana since its requirements changed, treat encryption as adequate protection against information loss and therefore do not require breach notification when cryptographically protected equipment goes missing.  Cryptography is impressive, and it effectively eliminates data-at-rest risk in most instances where the equipment is turned off.  (There are plenty of cryptographic protections for data-in-transit and data-in-use that we’ll leave for another time.)  Encryption is not the disclosure panacea, though.  There are sometimes flaws in the software, and even when properly implemented, the mathematics behind an encryption system eventually ages.  Then there are security revelations such as last year’s Cold Boot presentation.  Security researchers at Princeton circumvented the disk encryption in BitLocker, FileVault, dm-crypt and TrueCrypt, not by cracking the mathematics, but by noticing a peculiarity in how encrypted computer systems operate, and more importantly how users operate them: the key must sit in RAM for as long as the volume is mounted, DRAM keeps its contents for seconds to minutes after power is cut (longer if chilled), and a laptop left asleep or merely screen-locked is still a running machine with the key in memory.  Power-cycle it, image the memory, and the key schedule is sitting there to be found.
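An added example (not from the original post, and not the Princeton team’s own tool) of the key-recovery half of that attack in Python: it scans a memory image for the 176-byte AES-128 key schedule that software disk encryption keeps expanded in RAM, the same idea as the researchers’ aeskeyfind utility. The memory image is constructed here (random filler with one schedule planted in it), and the key is the FIPS-197 Appendix A.1 test key, so nothing about any particular product is assumed.

```python
import os

# --- GF(2^8) arithmetic and the AES S-box, computed rather than tabulated ---
def _gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def _build_sbox() -> bytes:
    inv = [0] * 256                      # inv[0] stays 0 by definition of the S-box
    for a in range(1, 256):
        if inv[a]:
            continue
        for b in range(1, 256):
            if _gf_mul(a, b) == 1:
                inv[a], inv[b] = b, a
                break
    box = bytearray(256)
    for x in range(256):
        v = inv[x]
        s = v
        for k in range(1, 5):            # affine transform: v ^ rotl(v,1..4) ^ 0x63
            s ^= ((v << k) | (v >> (8 - k))) & 0xFF
        box[x] = s ^ 0x63
    return bytes(box)

SBOX = _build_sbox()
RCON = bytes([0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36])

def _next_word(prev: bytes, back: bytes, rcon: int) -> bytes:
    """w[i] = w[i-4] ^ SubWord(RotWord(w[i-1])) ^ Rcon, for i a multiple of 4."""
    t = bytes(SBOX[b] for b in prev[1:] + prev[:1])
    return bytes([back[0] ^ t[0] ^ rcon, back[1] ^ t[1], back[2] ^ t[2], back[3] ^ t[3]])

def expand_key_128(key: bytes) -> bytes:
    """FIPS-197 key expansion: a 16-byte AES-128 key becomes the 176-byte schedule
    that a software implementation keeps in RAM for as long as the volume is mounted."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        if i % 4 == 0:
            w.append(_next_word(w[i - 1], w[i - 4], RCON[i // 4 - 1]))
        else:
            w.append(bytes(a ^ b for a, b in zip(w[i - 4], w[i - 1])))
    return b"".join(w)

def find_aes128_keys(image: bytes) -> list[tuple[int, bytes]]:
    """Scan a memory image for 176-byte windows that are internally consistent
    AES-128 key schedules. Returns (offset, key) pairs. Random data almost never
    passes the first-word check, so the full expansion runs only on real candidates."""
    hits = []
    for off in range(0, len(image) - 176 + 1):
        cand = image[off:off + 16]
        if _next_word(cand[12:16], cand[0:4], RCON[0]) != image[off + 16:off + 20]:
            continue
        if expand_key_128(cand) == image[off:off + 176]:
            hits.append((off, cand))
    return hits

def constructed_memory_image(key: bytes, offset: int, size: int = 16 * 1024) -> bytes:
    """Constructed sample 'RAM dump' (assumption, not a real capture): random filler
    with one key schedule planted at `offset`, standing in for a cold-boot image
    of a running, encrypted laptop."""
    image = bytearray(os.urandom(size))
    sched = expand_key_128(key)
    image[offset:offset + len(sched)] = sched
    return bytes(image)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 Appendix A.1 key
    img = constructed_memory_image(key, offset=4321)
    for off, k in find_aes128_keys(img):
        print(f"AES-128 key schedule at offset {off:#x}: key = {k.hex()}")
```

The scanner requires an exact match; the real attack tools tolerate the bit decay that DRAM suffers after power loss by checking how many schedule bytes disagree rather than demanding equality. The defensive lesson is unchanged either way: once the key is in memory, the strength of the cipher is irrelevant, so decommissioned and travelling machines should be powered off, not slept, and a BIOS-level or hardware key store adds far more than a stronger passphrase does.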

Hard Disk Data Remanence

Everyone should be familiar with a computer’s “Recycle Bin”, the place where “deleted” files wait until a second-stage deletion (Empty Recycle Bin on Windows) removes them.  Even that second stage doesn’t really delete the file.  The OS removes the directory entry that points at the file and marks the blocks it occupied as free for reuse; the bytes themselves stay on the platter until something happens to overwrite them.  Liken it to tearing the cover sheet off a fax and flipping the pages over to write on: the original pages are still there for anyone who turns them back, and undelete and file-carving tools do exactly that, ignoring the directory and scanning the raw media for recognizable content.  The short version: if you are serious about removing private information from decommissioned equipment, keep the encryption and “erase” the disks following the old DoD policy, in which drives are overwritten multiple times with specific patterns and the result is read back to verify.  That exceeds common best practice and is a defensible position against any negligence finding in the near future.  However, another security researcher, Peter Gutmann, looked at how magnetic media actually record data and argued in 1996 that overwritten data might still be recoverable unless the overwrite patterns were tailored to the drive’s encoding scheme, which is where the famous 35-pass method comes from.  Gutmann himself later noted that the 35 passes were a superset meant to cover every encoding then in use, and that for modern drives a few passes of random data are as good as it gets.  The DoD found Gutmann-length overwriting too costly in time and now most often uses NSA-approved degaussers, which scramble the magnetic domains on the platters (and destroy the drive’s servo tracks, so the drive is unusable afterward).  A third alternative is to physically shred the disks like paper records.  Two caveats a practitioner should keep in mind: overwriting cannot reach sectors the drive has silently remapped as bad, and degaussing does nothing at all to flash memory (SSDs, USB sticks, smartphones), where only the device’s own secure-erase command, encryption with destruction of the key, or physical destruction will do.
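To make the remanence point concrete, here is an added example (not from the original post) of a toy filesystem in Python: deleting a file removes only its directory entry, a carving pass over the raw media finds the account number anyway, and overwriting the free blocks is what finally removes it. The disk geometry, the statement text and the three-pass pattern are all constructed for illustration and stand in for a real drive and a real wiping tool.

```python
import os
import re

BLOCK_SIZE = 64            # toy geometry (assumption): 64-byte blocks, 32 of them
BLOCK_COUNT = 32

# Constructed sample document for the demo; not real account data.
SAMPLE_STATEMENT = (
    b"FIRST EXAMPLE BANK - MONTHLY STATEMENT\n"
    b"Customer: A. Example\n"
    b"ACCT 4417-0092  Routing 0210-0002\n"
    b"Closing balance: 12,450.17\n"
)
ACCOUNT_PATTERN = re.compile(rb"ACCT \d{4}-\d{4}")   # what a carver would look for


class ToyDisk:
    """A filesystem reduced to its essentials: a directory mapping names to
    (size, blocks), a free list, and the raw media. Deleting a file touches the
    directory and the free list, never the media, exactly as the text describes."""

    def __init__(self) -> None:
        self.media = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.directory: dict[str, tuple[int, list[int]]] = {}
        self.free = list(range(BLOCK_COUNT))

    def write_file(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)            # ceiling division
        blocks = [self.free.pop(0) for _ in range(needed)]
        for n, b in enumerate(blocks):
            chunk = data[n * BLOCK_SIZE:(n + 1) * BLOCK_SIZE]
            self.media[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (len(data), blocks)

    def read_file(self, name: str) -> bytes:
        size, blocks = self.directory[name]           # KeyError once deleted: "file not found"
        raw = b"".join(bytes(self.media[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE]) for b in blocks)
        return raw[:size]

    def delete(self, name: str) -> None:
        """'Empty Recycle Bin': drop the directory entry and free the blocks. The bytes stay."""
        _, blocks = self.directory.pop(name)
        self.free.extend(blocks)

    def carve(self, pattern: re.Pattern = ACCOUNT_PATTERN) -> list[bytes]:
        """What an undelete or carving tool does: ignore the directory, scan raw media."""
        return [m.group(0) for m in pattern.finditer(bytes(self.media))]

    def wipe_free_space(self, passes: int = 3) -> None:
        """Overwrite every free block. Pass patterns cycle zeros, ones, random, in the
        style of the old 3-pass DoD guidance (an assumption for the demo, not a claim
        about the current standard). On a real drive each pass is read back to verify;
        here the read-back is the carve() call the caller makes afterwards."""
        for p in range(passes):
            fill = (b"\x00", b"\xff", None)[p % 3]
            for b in self.free:
                start = b * BLOCK_SIZE
                data = fill * BLOCK_SIZE if fill is not None else os.urandom(BLOCK_SIZE)
                self.media[start:start + BLOCK_SIZE] = data


def demo() -> tuple[list[bytes], list[bytes]]:
    """Returns (account numbers recoverable after delete, after overwrite)."""
    disk = ToyDisk()
    disk.write_file("statement.txt", SAMPLE_STATEMENT)
    disk.delete("statement.txt")
    after_delete = disk.carve()        # the directory says the file is gone; the media disagrees
    disk.wipe_free_space()
    after_wipe = disk.carve()
    return after_delete, after_wipe


if __name__ == "__main__":
    gone, wiped = demo()
    print("recoverable after delete:   ", gone)
    print("recoverable after overwrite:", wiped)
```

Note that in the sample the account line happens to straddle two blocks; the carver does not care, because it reads the media as one contiguous byte string, which is also why real carving tools work on drive images rather than through the filesystem. Nothing here addresses remapped bad sectors or flash wear-levelling, where the freed blocks are simply not the ones the wipe can reach.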

Third Party Equipment

The Chicago Board of Trade did well by labeling its equipment so it could be identified.  It appears they missed the mark by leaving off an easy-to-use contact method or return address.  Contracts with third party vendors must account for loaned equipment installed on customer premises.  Mistakes made by a third party vendor bring shame to that vendor, but the breach notifications will more than likely go out on your corporate stationery.  Regular compliance audits (dumpster dives included, if you wish) and data lifecycle management are crucially important for the organization whose name is on that letterhead.  All of these activities help manage corporate risk.

Disposal Policy Conclusions

With each improvement in security technology, someone eventually notices a problem with how it is implemented or with the nuances of actual usage, as the examples from both the Princeton researchers and Gutmann show.  Avoid complete reliance on technology and prepare for the latest system’s failure.  Follow best practices for security and disposal, document the modifications as processes and write policies to manage the gaps.  Always be prepared to account for numbskulls in your organization: audit your processes and staff and you may be surprised at what you find.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with several topics found in this post including:

  • Privacy Regulations (Foundations: I.F.b, CIPP: I.B) and Compliance Requirements (Foundations: II.B)
  • Managing Risk and Compliance (Foundations: I.G.b), including: Privacy Policy Development, Risk Management (Data Recovery and Disposal Policy) and Compliance and Incident Management
  • Policy (Foundations: I.C), including: Internal Use and Disclosure, Third Party Relationships
  • Data Lifecycle, including: Collection, Use & Retention, Disclosure, Management & Administration and Monitoring & Enforcement
  • Information Security (II.C), including: Encryption (data-at-rest and disk encryption), Asset Management (asset inventory & information classification), Threats & Vulnerabilities (data remanence and dumpster diving)
