Data breaches or the loss of IT assets can be an institution's worst nightmare. That's why so many companies invest in security controls that protect against attacks, theft and misuse of data and IT assets. Regulations are also increasingly requiring firms to implement training and controls that help to protect customer, employee, student and patient data.
There is also a risk of being found non-compliant with various data security regulatory requirements, which can cost firms significant penalties even if there never is a loss of data.
Cascade customers know the value of investing in security controls throughout an asset's lifecycle, including through the point at which the data are finally destroyed on the devices. To help you demonstrate the value of your efforts, Cascade compiled a list of security issues and incidents related to improper IT asset disposition
Recent examples and reports of security incidents
- The highest profile example of data security risks in the ITAD process occurred at Coca-Cola, where an employee tasked with dealing with computers coming out of service stole laptops containing records for 74,000 current and former employees. In addition to embarrassment and loss of goodwill, Coca-Cola is now dealing with a class action lawsuit by the current and former employees. The Coca-Cola breach highlights the need for reliable and secure ITAD services.
- "Disposal issues resulted in more than 5% of the data security incidents, globally. When combined with theft/physical loss, which frequently happens when decommissioned equipment is stockpiled at various company locations, disposal/physical loss issues account for more than 20% of data security incidents." Verizon 2014 Data Breach Investigations Report pp. 27, 29-30, available at www.verizonenterprise.com/DBIR/2014/
- “Any disposal or sale of information assets should be coordinated by the IT department. Educate users to think of disposing of a computer the same way they think of disposing of hazardous materials. ‘You can’t just throw that in the trash (or sell it on eBay)! Send it to IT for proper handling.’ Test the disposal process by sampling devices to verify they’ve been sanitized properly. If a third-party handles this, ensure that contracts stipulate how to transfer, store, and dispose of data, along with roles, responsibilities, verification, and penalties for non-compliance.” Verizon 2014 Data Breach Investigations Report p. 31, available at www.verizonenterprise.com/DBIR/2014/.
- "In 2013, the average cost of a data breach in the United States rose to $5.8 million—an 8 percent increase over 2012." Ponemon Institute, 2014 Cost of Data Breach Study: Global Analysis, pp. 5-6, available at http://www.ponemon.org/blog/ponemon-institute-releases-2014-cost-of-data-breach-global-analysis.
- Idaho Power Co. (Boise, ID): Four hard drives sold on eBay in 2006 contained hundreds of thousands of confidential documents, employee names and SSNs, and confidential memos to the CEO. The drives were recycled through a scrap vendor, Grant Korth, which was supposed to recycle the drives. Instead, the unwiped drives were sold on eBay. Company policy was to destroy or wipe the drives before disposition. This highlights the need for a reliable ITAD provider and a solid data security policy.
- A computer at Loyola University containing names, Social Security numbers, and some financial aid information for 5,800 students was disposed of before the hard drive was wiped. University standards required wiping before disposition. This was a case of sloppy ITAD practices.
Regulators are increasing focus on industry through compliance audits
Event without a data breach incident, organizations may open themselves up to penalties for not following various consumer and patient protection laws by not implementing a robust and comprehenisive data loss prevention program. Regulators are cracking down more than ever before.
- Federal Trade Commission: Perhaps the most active federal agency addressing data security, the FTC has brought nearly 60 enforcement actions for data security issues since 2002, with 20% of those actions coming since June 2013. Jessica Rich, From Health Claims to Big Data: FTC Adverting and Privacy Priorities for Today’s Marketplace -- Brand Activation Association Keynote, Nov. 7, 2014, available at http://www.ftc.gov/public-statements/2014/11/health-claims-big-data-ftc-advertising-privacy-priorities-todays. See Commission Statement Marking the FTC’s 50th Data Security Settlement, Jan. 31, 2014, available at http://www.ftc.gov/system/files/documents/cases/140131gmrstatement.pdf.
- Securities and Exchange Commission: On April 15, 2014, the SEC issued a National Exam Program Risk Alert entitled "Cybersecurity Initiative" (“Risk Alert”), increasing the data and cyber security focus of regulatory examinations. OCIE Cybersecurity Initiative, National Exam Program Risk Alert Vol. 4 Issue 2, p. 1 (Apr. 15, 2014), available at http://www.sec.gov/ocie/announcement/Cybersecurity+Risk+Alert++%2526+Appendix+-+4.15.14.pdf.
- Department of Health and Human Services: Federal fiscal year 2014 brought a permanent HIPAA audit program under the guidance of the US Department of Health and Human Services (“HHS”) Office of Civil Rights (“OCR”), the agency charged with enforcing HIPAA. According to the OCR Director Leon Rodriguez, OCR wants “to hit more entities and be more focused on parts of the privacy and security rules for which breaches are at high risk.” The permanent HIPAA audit program, coupled with the increased fines under the Omnibus Rule, is having a very real impact on Covered Entities. “What HHS/OCR Will Look for in HIPAA Compliance Audits,” Health Data Management, Mar. 21, 2013. Over the past 12 months, HHS has collected more than $10 million in settlements from Covered Entities. “What HHS/OCR Will Look for in HIPAA Compliance Audits,” Health Data Management, Mar. 21, 2013.
For more stories about the problems of data breaches and security incidents, as well as resources to help prevent the loss of data, see the following resources:
How Cascade protects its customers and their data:
Cascade's NAID Certified IT Asset Disposition process provides the best assurance that our customers' data is sanitized or physically destroyed effectively and that their data won't end up in the wrong hands or lead to an embarrassing news headline.
Our NAID certified process includes annual inspections and unannounced audits by security professionals who verify our controls related to employee training and background checks, building security, the effectiveness of our data sanitization tools, and our overall inventory management controls. See more information about our security programs and NAID certification on our web site.