End of Life Compliance
by Charles Robbins
Unsecured physical handling of Data Bearing Devices (DBDs) that hold thousands to millions of protected records of Protected Health Information (PHI), Personally Identifiable Information (PII), or Sensitive Personal Information (SPI) leaves many companies non-compliant.
In a three-year study with hundreds of companies from 2014 to 2017, TechR2 has observed the following trends:
Many companies err by disregarding the risks involved in using offsite shredding services for data destruction.
The use of offsite shredding services:
- Could result in enormous cost liabilities for hard drives lost en route from a processing site or stolen by a single driver.
- Fails to meet special requirements needed to uphold legal compliance, such as performing Risk Assessments. Risk Assessments that cover the use of shredding services often ignore the enormous cost of a potential loss or theft of hard drives.
- Adds risk to brand and enterprise: shredding locations established by shredding companies are not always in crime-free or secure areas, as their own site maps show. To make matters worse, a standard data-breach liability policy ($2 million) recovers less than 1% of the cost of a data breach involving the loss or theft of one bin of 250 hard drives.
Companies using Hard Drive Retention programs send failed data-bearing devices back to the OEM manufacturer, neglecting the program's requirement that companies retain their own data.
The OEM manufacturers that TechR2 has researched state that they are not responsible for any loss of data, nor for the costs resulting from related data breaches. NIST regulations also declare that whoever performs downstream data eradication takes responsibility for any data moved offsite.
Many industry-certified companies have hired single operators in the handling of their client data.
In some cases, shredding company employees have left bins open and exposed in parking lots or sidewalks, walking away from the lot into adjacent buildings. Drivers also carry keys to the DBD bins, further leaving them vulnerable to theft. In addition, TechR2 has captured live data from devices mismanaged by shredding companies.
Data eradication companies often ignore information security rules by using a single employee instead of the required two-person team when performing critical functions or handling company data.
PCI, NIST, SOC, financial and HIPAA regulations call for at least one sanitizer plus one verifier from the data eradication company performing the work.
Companies that TechR2 has investigated do not consistently track, contain, or destroy DBDs properly.
TechR2 has determined that the responsible security personnel were unaware of all current regulations, lacked sufficient training and did not exercise proper management control.
Interviews with power industry representatives have revealed that their standard protocol for hard drive destruction involves drilling up to three holes, in the mistaken belief that the circuit board and data are thereby destroyed.
TechR2 explained to these representatives that, just as with a damaged hard drive, a recovery laboratory technician could lift the platter, remove any burrs and read the unaffected data once the platter is placed into another drive cavity of the same model.
Local data eradication companies have neglected to follow the well-documented, federally published procedures for their NSA-certified machines, most notably the second step (deforming the platter), and have attempted to convince clients that they are following all proper procedures.
R2 auditors permit data eradication companies to develop and incorporate their own questionable procedures (Section 8.a), provided that each procedure is documented and approved by another organization.
Many data eradication companies use a third-party company to perform their work. In these cases, TechR2 has observed that neither company has fully complied with all information security rules required by compliance regulations.
NIST SP 800-88 R1 (which covers government data), SOX, HIPAA and PCI require capturing much more than the serial number of each device to constitute a legal Certificate of Destruction. The shredding industry and the R2 standards have, on their own, decided that the attribute data for DBDs can be waived with a lower-level manager's signature.
The most common response when managers are questioned about the proper tracking, containment and destruction of DBDs is that they do not have the money to meet these data security standards. Yet TechR2 finds that they continue to report to senior staff that they meet the applicable data security regulations.
TechR2 has asked for, but has not been shown, specific training documents for the IT professionals performing data eradication.
TechR2 has found large corporate entities using data eradication machines that lack UL and CSA certification.
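As an added example (not TechR2's code or any auditor's tool), the check below illustrates the two points above: a Certificate of Destruction record that carries only a serial number is rejected, and the two-person rule is enforced by requiring distinct named sanitizer and verifier. The field list is an assumption modelled on the sample certificate in NIST SP 800-88 Rev. 1, Appendix G, and the sample records are constructed.

```python
# Fields a Certificate of Destruction record is expected to carry beyond the
# bare serial number. ASSUMPTION: modelled on the sample certificate in
# NIST SP 800-88 Rev. 1 Appendix G; reconcile with the form your auditor requires.
REQUIRED_FIELDS = (
    "manufacturer", "model", "serial_number", "media_type", "source",
    "classification", "sanitization_method", "method_details", "tools_used",
    "verification_method", "sanitizer", "verifier", "date",
)
# Sanitization categories named in NIST SP 800-88 Rev. 1.
SANITIZATION_METHODS = {"Clear", "Purge", "Destroy"}


def validate_cod(record: dict) -> list:
    """Return a list of findings for one certificate record; empty means it passes."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not str(record.get(name, "")).strip():
            findings.append(f"missing field: {name}")
    if record.get("sanitization_method") not in SANITIZATION_METHODS:
        findings.append("sanitization_method must be one of Clear/Purge/Destroy")
    # Two-person rule: the sanitizer and the verifier must be different people.
    sanitizer, verifier = record.get("sanitizer", ""), record.get("verifier", "")
    if sanitizer and verifier and sanitizer.strip().lower() == verifier.strip().lower():
        findings.append("two-person rule violated: sanitizer and verifier are the same person")
    return findings


def audit(records: list) -> dict:
    """Map each record's serial number (or '<no serial>') to its findings."""
    return {r.get("serial_number", "<no serial>"): validate_cod(r) for r in records}


# Constructed sample records (not real devices or personnel).
GOOD = {
    "manufacturer": "ExampleCo", "model": "HD-1000", "serial_number": "SN-0001",
    "media_type": "Magnetic HDD", "source": "Server room A", "classification": "PHI",
    "sanitization_method": "Destroy", "method_details": "Shredded, platters deformed",
    "tools_used": "Shredder unit 3", "verification_method": "Visual inspection",
    "sanitizer": "A. Sanitizer", "verifier": "B. Verifier", "date": "2017-06-01",
}
SERIAL_ONLY = {"serial_number": "SN-0002"}   # what a waived certificate amounts to
SAME_PERSON = dict(GOOD, serial_number="SN-0003", verifier="A. Sanitizer")

if __name__ == "__main__":
    for serial, findings in audit([GOOD, SERIAL_ONLY, SAME_PERSON]).items():
        print(serial, "PASS" if not findings else findings)
```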