The Most Overlooked Part of Your Data Security



Organizations constantly replace outdated computers, servers, laptops, copiers, and countless other types of electronic devices to keep up with technology and enhance worker productivity. This rush to upgrade, however, creates a challenge: large numbers of excess electronics must be managed and disposed of properly.

A Rising Threat

Securing sensitive data is a daunting task for any business. More than 550 US laws now affect IT asset disposition. Data security laws mandate that organizations implement “adequate safeguards” to ensure the privacy protection of individuals. And the penalties for data breaches are tough. Under a proposed data protection law, European firms could face fines of up to 2% of their annual turnover for a breach. The HITECH Act enacted in 2009 extended provisions surrounding information handling and increased penalties for HIPAA violations. Today, American companies are subject to unprecedented sanctions following HIPAA security violations.

Governments are not the only ones eager to punish violators. The effect of a punitive privacy class action lawsuit can be far worse than a government fine. Following the loss of a backup data tape in 2011, US healthcare benefits provider TRICARE was hit with eight separate privacy lawsuits, including one seeking an astounding $4.9 billion in damages. The company was accused of “intentional, willful, and reckless disregard of plaintiffs’ privacy,” and for failing to respond to “recurring, systemic, and fundamental deficiencies in its information security.” Similarly, Sutter Health was hit with a billion-dollar suit, and Emory Healthcare faced a $200 million suit.

Historically, privacy class actions have faltered due to the plaintiffs’ inability to prove recoverable damages; however, this provides little consolation for a company being sued. Defending a privacy suit can cost millions. The average litigation defense now exceeds $500,000 and the average settlement is over $2 million. Moreover, corporate risk managers should take note of recent decisions in the US Eleventh Circuit Court of Appeals that bring punitive class actions closer to becoming big payoffs for plaintiffs.

Savvy plaintiff attorneys are also shifting legal tactics. In addition to defending themselves against claims for damages, violators must now defend against claims that they unjustly profited by skimping on security safeguards that could have prevented a breach in the first place.

Soft Underbelly of Data Security

Without question, most large organizations take data security seriously. Corporations will spend an estimated $68 billion worldwide this year on IT security measures including firewalls, network monitoring, encryption, and endpoint protection. When an organization spends millions guarding against hackers, it is tempting to feel confident.

But the most overlooked aspect of corporate data security may be simple IT asset disposition — in part, ironically, because so many businesses now rely on expert assistance. The fact that certified electronics recyclers are transporting retired IT assets to vendor facilities to be processed and sanitized can create a false sense of security that blinds executives to the biggest threats. First, there is still the possibility that assets can be lost or stolen in transit. (Increasingly, companies are learning to destroy data in-house, prior to disposal; that way, any loss or theft, while unfortunate, won’t result in the financial disaster that would come from an actual data breach.) Second, there is the threat we saw with our Robin Hood IT director: Trusted insiders can take retired assets any time before the handoff to the outsourcer, and before data is destroyed.

For the past eight years, Retire-IT has been tracking how effective security-conscious organizations are when it comes to accounting for retired assets.

At a high level, organizations might seem to do an adequate job with chain-of-custody. On average, 97.2% of assets were tracked.

Detailed tracking data, however, reveals a troubling fact: four out of five corporate IT asset disposal projects had at least one missing asset. More disturbing is the fact that 15% of these “untracked” assets are devices potentially bearing data such as laptops, computers, and servers.

Chain-of-custody is not a catchphrase: It is the foundation for indemnification and transfer of liability. It only takes a single missing item to cause a breach. Only a careful, objective examination of tracking data can confirm chain-of-custody — or reveal potential liability.
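One way to carry out that examination of tracking data, as an added example that is not from the article or from Retire-IT's own tooling: reconcile the asset register against the pickup manifest and the vendor's receipt so that every untracked device is classified by where in the chain it disappeared (before handoff, the insider window, or in transit), and flag the ones that still held data. Serial numbers, device kinds and the three record sources are constructed for illustration.

```python
from dataclasses import dataclass

# Device classes the article names as potentially data-bearing (laptops, computers,
# servers); "copier" is added as an assumption, since most copiers contain a hard drive.
DATA_BEARING = {"laptop", "desktop", "server", "copier"}


@dataclass(frozen=True)
class Asset:
    serial: str
    kind: str


# Constructed sample records, not real data: the asset register's list of retired
# devices, the pickup manifest signed at handoff to the recycler, the serials the
# vendor's receipt confirms, and the serials wiped in-house before pickup.
RETIRED = [Asset("SN-1001", "laptop"), Asset("SN-1002", "server"),
           Asset("SN-1003", "monitor"), Asset("SN-1004", "desktop"),
           Asset("SN-1005", "keyboard"), Asset("SN-1006", "copier")]
PICKUP_MANIFEST = {"SN-1001", "SN-1003", "SN-1004", "SN-1005", "SN-1006"}  # SN-1002 never reached the dock
VENDOR_RECEIPT = {"SN-1001", "SN-1003", "SN-1005", "SN-1006"}             # SN-1004 left but never arrived
SANITIZED_ONSITE = {"SN-1001", "SN-1004"}


def custody_status(asset, pickup, receipt):
    """Where in the chain of custody the asset was last accounted for."""
    if asset.serial in receipt:
        return "confirmed"
    if asset.serial in pickup:
        return "lost_in_transit"       # signed out at handoff, never received by the vendor
    return "lost_before_handoff"       # retired in the register, never on the manifest


def reconcile(retired, pickup, receipt, sanitized):
    """Reconcile the three records; report the tracked rate and any breach exposure."""
    status = {a.serial: custody_status(a, pickup, receipt) for a in retired}
    missing = [a for a in retired if status[a.serial] != "confirmed"]
    # A missing device is a breach risk only if it held data and was not wiped in-house.
    exposed = [a.serial for a in missing
               if a.kind in DATA_BEARING and a.serial not in sanitized]
    return {
        "tracked_pct": round(100 * (len(retired) - len(missing)) / len(retired), 1),
        "missing": {a.serial: status[a.serial] for a in missing},
        "exposed": exposed,
        "breach_exposure": bool(exposed),  # a single unwiped data-bearing device is enough
    }


if __name__ == "__main__":
    report = reconcile(RETIRED, PICKUP_MANIFEST, VENDOR_RECEIPT, SANITIZED_ONSITE)
    print(f"tracked {report['tracked_pct']}%, missing {report['missing']}, exposed {report['exposed']}")
```

In the constructed data the headline tracking rate alone hides the important fact: the one device that matters, the unwiped server, went missing before the recycler ever took custody, so no vendor indemnification covers it.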

Acknowledging the risks and inherent conflicts of interest surrounding retired assets will result in more effective ITAD policies and adequate safeguards. Applying established incident-response procedures to the process of ITAD can help raise awareness of unappreciated vulnerabilities. Educating senior management about the risks should help IT asset managers secure the resources needed to prevent an ITAD-related breach.


Author: Data Under Siege