
Data Destruction and Privacy


If asked to identify the point in the information lifecycle at which data is most vulnerable, most people would not say “destruction.” Destruction itself is a simple concept: once personal data, or the technology storing it, is no longer useful, it is discarded. Completely erasing data from existence, however, is not that easy, and computer files are particularly difficult to destroy. Furthermore, with the increasing use of cloud computing services, more and more personal data is stored on third-party servers, where the data controller has to trust the provider to remove the information when requested. Control over the deletion and destruction of data is taken out of the hands of the data controller and the data subject.

The problems associated with proper disposal make destruction one of the points at which personal information is most likely to be exposed to unauthorized access. Because of this, data destruction remains an important privacy issue among professionals in the industry today.

Why is Data Destroyed?

Data destruction is a necessary and important part of the information life cycle. Deleting data from a server frees space for data that is more pertinent to business operations. Destroying data that is no longer needed also limits the extent of a breach should unauthorized access occur: records that are not held cannot be stolen.

The Fair Information Practice Principles include principles on the limits and uses of collected data. Once data is collected, the data controller is restricted to using it for purposes related to those for which it was originally collected, and data that is outdated or no longer useful is destroyed. Data destruction may also occur after data is migrated to new technology and the old equipment is discarded. Data, especially data hosted with a cloud computing service, may also be deleted at the request of the data subject or the data controller.

How Do Data Breaches from Improper Destruction Occur?

Today, data usually takes two forms: electronic and paper. Paper files containing personal information are a frequent cause of data breaches through carelessness. Unclaimed copies, faxes and other paper files are often thrown into recycling bins or the trash with little thought to the personal information they may contain. This leaves personal information exposed to dumpster divers who sort through trash looking for information that may allow them to commit fraud.

Another common way that deleted data may be accessed is through the improper disposal of computers and other electronic equipment that can store data. Sending a file to the recycle bin or hitting the delete key does not erase it. What it does is remove the file’s entry from the directory and mark the blocks it occupied as free; the bytes themselves remain on the disk until other data happens to be written over them. Undelete and forensic tools work by scanning those free blocks, so previously deleted files can often be restored intact. A quick format of a drive has the same limitation, since it rewrites only the file system’s metadata. Computer hard drives, USB drives, cell phones and related devices are therefore all susceptible to data breaches if they are recovered by dumpster divers or through computer recycling programs and their storage has not been overwritten, encrypted or physically destroyed.

Cloud computing has improved the interactivity and productivity of businesses and individuals, but it has also increased the potential for unauthorized access to information. When a company or individual stores personal information with a cloud computing service, whether a payroll processor or a social network such as Facebook, they are trusting that provider to protect the information and eventually delete it on request. However, it may be days, weeks or even months before the information is removed from every replica and backup the provider keeps. Furthermore, placing information in the cloud gives access to more individuals who are not under the control or supervision of the data subject or the data controller, laying the ground for misuse.

Data breaches are a serious occurrence and take place regularly through carelessness and general ignorance of the danger that improperly disposed data poses.

How Should Data Be Disposed?

While different regulations call for various means of protecting data, there are a number of commonly accepted ways for individuals and businesses to properly dispose of data in both paper and electronic forms.

Physical Destruction:

  1. Shredding- the most common form of destruction in homes and small businesses, in which paper is cut into small pieces to make the information harder to reassemble. Cross-cut shredders are more effective than strip-cut shredders, whose output can be reassembled into readable documents with a modest amount of work.
  2. Incineration- Paper and/or electronic equipment may be burned to make it unreadable. While the destruction is effective, there is considerable debate about its environmental impact.
  3. Pulverization- Uses high pressure to crush objects into unusable forms. Like incineration it is effective in protecting data, but poses environmental problems as the chemicals and materials in computers and paper degrade in landfills.

Electronic Destruction:

  1. Overwriting- Involves writing new data (zeros, a fixed pattern or random bytes) over every sector a file or drive occupied. Multiple passes were historically recommended; NIST SP 800-88 treats a single pass as sufficient for modern magnetic drives. Overwriting is not 100% effective: on solid-state drives and on journaling or copy-on-write file systems the new data may be written to a different physical location, and spare or remapped sectors are never reached. Wiping utilities (such as GNU shred) are nonetheless available for every major operating system.
  2. Encryption- Involves encrypting stored data under a secret key so that only holders of the key can decode it to readable form. Destruction then consists of destroying the key (cryptographic erasure): the ciphertext can stay on the drive, and on every backup, because it is unreadable without the key. This only works if the data was encrypted before it was ever written and the key has not been copied elsewhere. Guidance issued under the HITECH Act treats encrypted data as unusable to anyone who lacks the key, which is what makes key destruction an accepted destruction method.
  3. Degaussing- Involves exposing magnetic media such as hard drives, magnetic tapes and audio cassettes to a strong magnetic field that scrambles the stored magnetic domains. It has no effect on flash media such as SSDs and USB drives, and it destroys a modern hard drive’s servo tracks along with the data, so the drive cannot be reused.
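
As an added example (not code from the original post), the following Go program models the mechanism described above: deletion that only removes the directory entry, recovery by scanning free blocks, and overwriting before deletion. The block device, its 16-byte block size, the file name and the sample record are all constructed for the illustration; nothing here touches a real drive.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
)

const blockSize = 16 // constructed toy size; real devices use 512 or 4096 bytes

// Disk is a constructed toy block device: fixed-size blocks, a directory that
// maps a file name to the blocks it occupies, and a free map. It shares one
// property with every real file system: the directory entry and the file's
// bytes are stored separately.
type Disk struct {
	blocks [][]byte
	dir    map[string][]int
	free   []bool
	next   int // first never-written block
}

func NewDisk(n int) *Disk {
	d := &Disk{blocks: make([][]byte, n), dir: map[string][]int{}, free: make([]bool, n)}
	for i := range d.blocks {
		d.blocks[i] = make([]byte, blockSize)
		d.free[i] = true
	}
	return d
}

// Write copies data into fresh blocks and records them in the directory.
func (d *Disk) Write(name string, data []byte) error {
	var used []int
	for off := 0; off < len(data); off += blockSize {
		if d.next >= len(d.blocks) {
			return errors.New("disk full")
		}
		end := off + blockSize
		if end > len(data) {
			end = len(data)
		}
		copy(d.blocks[d.next], data[off:end])
		d.free[d.next] = false
		used = append(used, d.next)
		d.next++
	}
	d.dir[name] = used
	return nil
}

// Delete is what the delete key, rm or emptying the recycle bin does: the
// directory entry goes and the blocks are marked free. Their bytes are untouched.
func (d *Disk) Delete(name string) {
	for _, i := range d.dir[name] {
		d.free[i] = true
	}
	delete(d.dir, name)
}

// Carve is what an undelete or forensic tool does: scan blocks the file system
// considers free for a known pattern and report whether it is still there.
func (d *Disk) Carve(marker []byte) bool {
	for i, b := range d.blocks {
		if d.free[i] && bytes.Contains(b, marker) {
			return true
		}
	}
	return false
}

// Shred overwrites every block of a live file with random bytes, then deletes
// it. One pass is enough on this toy disk and, per NIST SP 800-88, on modern
// magnetic drives; SSDs and copy-on-write file systems may redirect the write
// to a different physical location, which is why overwriting is not a complete
// answer there.
func (d *Disk) Shred(name string) error {
	for _, i := range d.dir[name] {
		if _, err := rand.Read(d.blocks[i]); err != nil {
			return err
		}
	}
	d.Delete(name)
	return nil
}

func main() {
	secret := []byte("SSN=123-45-6789") // constructed sample record
	marker := []byte("123-45-6789")

	deleted := NewDisk(4)
	_ = deleted.Write("tax.txt", secret)
	deleted.Delete("tax.txt")
	fmt.Println("carvable after delete:", deleted.Carve(marker)) // true

	shredded := NewDisk(4)
	_ = shredded.Write("tax.txt", secret)
	_ = shredded.Shred("tax.txt")
	fmt.Println("carvable after shred: ", shredded.Carve(marker)) // false
}
```

Carve searches only blocks marked free, which is exactly where a deleted file's contents sit; a file that is still live is invisible to it, and a shredded one leaves only random bytes behind. The caveat in the Shred comment is the one to remember on real hardware: the program can only overwrite what the storage layer lets it reach.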

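A second added example, also not from the original post, shows cryptographic erasure as described under Encryption above: a record is stored encrypted under its own key (AES-256-GCM is an assumed choice), the key is destroyed, and the ciphertext left in place can no longer be opened. It also shows the failure mode a practitioner should check for: a copy of the key taken before erasure still decrypts the data. The record type, function names and the sample record are constructed for the illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SealedRecord is a constructed stand-in for one file stored encrypted at
// rest under its own data-encryption key. AES-256-GCM is an assumed choice;
// any authenticated cipher behaves the same way for this purpose.
type SealedRecord struct {
	key   []byte // in a real system this lives in a key manager, not beside ct
	nonce []byte
	ct    []byte
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under a fresh random key and nonce.
func Seal(plaintext []byte) (*SealedRecord, error) {
	r := &SealedRecord{key: make([]byte, 32), nonce: make([]byte, 12)}
	if _, err := rand.Read(r.key); err != nil {
		return nil, err
	}
	if _, err := rand.Read(r.nonce); err != nil {
		return nil, err
	}
	gcm, err := newGCM(r.key)
	if err != nil {
		return nil, err
	}
	r.ct = gcm.Seal(nil, r.nonce, plaintext, nil)
	return r, nil
}

// OpenWith decrypts the stored ciphertext with whatever key the caller holds.
// GCM authenticates, so a wrong or zeroed key yields an error, not garbage.
func (r *SealedRecord) OpenWith(key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.nonce, r.ct, nil)
}

// Open decrypts with the record's own key, if it still exists.
func (r *SealedRecord) Open() ([]byte, error) {
	if r.key == nil {
		return nil, errors.New("key destroyed")
	}
	return r.OpenWith(r.key)
}

// CryptoErase destroys the key. The ciphertext, and every backup or replica
// of it that was ever made, stays exactly where it is and is now unreadable.
func (r *SealedRecord) CryptoErase() {
	for i := range r.key {
		r.key[i] = 0
	}
	r.key = nil
}

func main() {
	secret := []byte("SSN=123-45-6789") // constructed sample record
	r, err := Seal(secret)
	if err != nil {
		panic(err)
	}
	// The failure mode: a copy of the key taken before erasure (a backup, a
	// key-escrow export, a swap page) defeats crypto-erase entirely.
	leaked := append([]byte(nil), r.key...)

	r.CryptoErase()
	_, err = r.Open()
	fmt.Println("open after crypto-erase:", err) // key destroyed
	pt, err := r.OpenWith(leaked)
	fmt.Printf("open with leaked key copy: %q %v\n", pt, err) // plaintext, <nil>
}
```

The point of the leaked-key branch is that crypto-erase destroys data only as thoroughly as it destroys every copy of the key; auditing where keys have been exported, escrowed or backed up is part of the destruction step, not an afterthought.
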
What are the U.S. Federal Regulations Regarding Data Disposal?

There are a number of different regulations in place in the United States that deal with the proper disposal of personal information. These are often incorporated into the laws regulating privacy in different sectors and industries.

The Fair and Accurate Credit Transactions Act

In 2003, the Fair and Accurate Credit Transactions Act was passed as an amendment to the Fair Credit Reporting Act; both deal with the protection of personal information in consumer reports. FACTA includes a Disposal Rule for the protection of information contained in consumer reports held by any entity that uses such information for business purposes. Such entities may include landlords, employers, automobile dealers, debt collectors and financial institutions. The rule requires these entities to take reasonable measures to destroy consumer reports, including the physical and electronic destruction of data to make it unreadable. It also points to independent audits as a way to verify a disposal contractor’s compliance with the rule.


The Gramm-Leach-Bliley Act


In 1999, the Gramm-Leach-Bliley Act was passed to protect personally identifiable information held by financial institutions. It includes a Safeguards Rule that requires financial institutions to designate a coordinator for their information security program. It also requires routine risk assessments of the physical, technical and administrative safeguards to determine the threat of internal or external misuse of personal information. The proper disposal of data falls within the scope of these assessments.

The law provides for the protection of data against security risks but, like many information privacy laws in the U.S., is criticized as largely unenforceable because technology, methodology and use of information vary from business to business. The GLBA does set heavy penalties for businesses that fail to complete risk assessments and develop security plans to handle potential threats.


The Health Insurance Portability and Accountability Act

HIPAA is a broad law dealing with issues within the health industry. It contains a Privacy Rule and a Security Rule for the protection of protected health information. HIPAA does not prescribe specific destruction methods, but the Security Rule’s device and media controls require covered entities to have policies for the final disposal of electronic PHI and of the hardware and media on which it is stored, and covered entities must in general take reasonable measures to protect the data and comply with HIPAA standards. Historically, improper disposal has been one of the most common ways protected health information has been exposed.


The Federal Information Security Management Act

In 2002, FISMA was passed to regulate information security within the federal government. Similar to the Gramm-Leach-Bliley Act, FISMA requires periodic risk assessments to determine the threat and magnitude of harm from unauthorized access, use, modification, disclosure or destruction of sensitive information throughout its life cycle. The act calls for detailed plans and security measures to be implemented to protect against those threats.

Data destruction has been recognized as an important security risk in U.S. regulations; however, many of the regulations above do not set clear or standardized guidelines for the correct disposal of information, and data destruction remains a confusing and complicated topic. Most regulations use language such as “reasonable measures” to acknowledge that data is extraordinarily difficult and expensive to destroy. However, “reasonable measures” also leaves a lot of room for interpretation, and so data destruction throughout the United States and its industries remains largely self-regulated.


What About Data Destruction Services?

As awareness has grown about the dangers posed by improperly disposed data, a number of independent data destruction services have appeared as part of the solution. Many of these companies offer certificates of destruction assuring their customers that their data has been properly destroyed. While many of these companies may dispose of data properly, potential customers should be aware that the industry is entirely self-regulated. There is no government authority that certifies data destruction services in the United States; the certifications that exist (such as NAID AAA) are voluntary industry programs, and a certificate of destruction is only as good as the reputation and accountability of the company issuing it.

In Conclusion


Data destruction is an often overlooked part of information security that is essential to individuals and businesses alike. Maintaining the security of personal information is one of the key elements of information privacy, and no data is fully secure until it is completely and properly destroyed. Both individuals and businesses need to be aware of the potential consequences of improper disposal, recognize their accountability for ensuring destruction, and do thorough research when choosing cloud computing or data destruction services that may be given control over the process.

CIPP Candidate Preparation

In preparation for the Certified Information Privacy Professional exam, a privacy professional should be comfortable with topics related to this post including:

  • Introduction to Privacy:  “Information lifecycle principles” (Foundations: I.E.vi)
  • Information Security: “Cryptography” (Foundations: II.C.a.iii), “Implementing information security controls – Asset management” (Foundations: II.C.b.iii) and “Physical and environmental security” (Foundations: II.C.b.v)