The wrong hands are your "threat advisory". It is our duty and legal responsibility to ensure that data does not find its way into the wrong hands. The devil is in the detail. In the article below, Bow Valley College made a VERY common mistake. For now let's set aside the fact that they chose a "not-for-profit", although I have some concerns there too. The first mistake they made was making the decision based on price. As we see, they did not get the free service they were expecting. They thought they were doing a good thing for the community; however, the breach cost them £150k, and they were very lucky. In many countries you could easily triple that once fines and penalties are added.
They also had no documented contract, no agreed procedures, no certificates confirming that the undocumented procedures had been carried out, and no confirmation of physical destruction. In fact Bow Valley College made the same mistake that tens of thousands of organisations make every year. But this is just the tip of a complicated iceberg.
It seems many people draw a psychological link between the age and value of the equipment and the value of the data on it. They are happy to chuck it away. In disposal terms, they have done the equivalent of leaving their front door wide open, or of running without virus protection or a firewall. The data on that old fax machine, that old server or your clunky old smartphone is the very same data on which your organisation depends for its survival. The same data which you meticulously back up and protect in the event of a disaster. The same data which keeps you employed.
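The controls that were missing in this case (a certificate that the wipe was actually carried out, and a record of what was done to which asset) can be backed by an independent check before a device leaves your hands. The following is an added example, not part of the original post and not anything Bow Valley College or ERA used: it reads a disk image, looks for well-known on-disk signatures that should not survive a wipe, measures how much of the image still holds data, and emits a destruction record you can file with the contract and the vendor's certificate. It assumes a zero-fill overwrite was the agreed method (a random-pattern wipe would need a different residual-data test); the asset tag, verifier name and sample images are constructed for the demonstration.

```python
import hashlib
import json
from datetime import datetime, timezone

BLOCK = 512  # sector size used for the residual-data scan

# On-disk magic values that indicate a partition table or filesystem survived.
# Offsets are from the start of the image; these are standard published constants.
SIGNATURES = [
    ("MBR boot signature", 510, b"\x55\xaa"),
    ("GPT header", 512, b"EFI PART"),
    ("NTFS OEM id", 3, b"NTFS    "),
    ("FAT32 type label", 82, b"FAT32   "),
    ("ext2/3/4 magic", 1024 + 56, b"\x53\xef"),
]


def residual_signatures(image: bytes) -> list:
    """Names of filesystem/partition signatures still present in the image."""
    return [name for name, off, magic in SIGNATURES
            if image[off:off + len(magic)] == magic]


def nonzero_block_fraction(image: bytes, block: int = BLOCK) -> float:
    """Fraction of sectors that contain any non-zero byte.

    After a completed zero-fill overwrite this should be exactly 0.0.
    """
    total = (len(image) + block - 1) // block
    dirty = sum(1 for i in range(0, len(image), block) if any(image[i:i + block]))
    return dirty / total if total else 0.0


def verify_wipe(image: bytes, max_nonzero_fraction: float = 0.0) -> dict:
    """Independent check that a zero-fill wipe was actually carried out."""
    sigs = residual_signatures(image)
    frac = nonzero_block_fraction(image)
    return {
        "clean": not sigs and frac <= max_nonzero_fraction,
        "residual_signatures": sigs,
        "nonzero_block_fraction": frac,
        "image_sha256": hashlib.sha256(image).hexdigest(),
    }


def destruction_record(asset_tag: str, method: str, verifier: str, image: bytes) -> dict:
    """Record to file alongside the vendor contract and certificate of destruction."""
    return {
        "asset_tag": asset_tag,          # hypothetical inventory identifier
        "method": method,                # e.g. "single-pass zero fill" (agreed in writing)
        "verified_by": verifier,         # person who ran this independent check
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "verification": verify_wipe(image),
    }


# Constructed sample images (4 KiB each), not taken from any real device.
# The "unwiped" one carries an NTFS boot sector, an MBR signature and a stray record.
_unwiped = bytearray(4096)
_unwiped[3:11] = b"NTFS    "
_unwiped[510:512] = b"\x55\xaa"
_unwiped[2048:2048 + 44] = b"CONSTRUCTED SAMPLE RECORD: student, salary,"
SAMPLE_UNWIPED = bytes(_unwiped)
SAMPLE_WIPED = bytes(4096)  # what a completed zero-fill pass leaves behind


if __name__ == "__main__":
    for tag, img in (("SRV-0001", SAMPLE_UNWIPED), ("SRV-0002", SAMPLE_WIPED)):
        print(json.dumps(destruction_record(tag, "single-pass zero fill", "J. Doe", img), indent=2))
```

On a real decommissioning you would point the scan at the block device (or a full image of it) rather than an in-memory sample, and keep the resulting record with the signed contract so there is written evidence that the agreed procedure was performed on each serial-numbered asset.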
If you would like to see more detail about what to do, rather than what not to do, have a look at the ADISA web site. ADISA do an excellent and most important job raising critical issues for businesses. Critical reading for Data Controllers.
Remember this: free might be the most expensive decision of your career.
College outsources data deletion, suffers huge data breach
- IT-LEX Inc
- USA
- September 30 2013
Here’s a case of an institution that seemed to do everything right, yet still ended up on the wrong side of a data breach. Bow Valley College (in Alberta, Canada), planned to get rid of 12 of its servers. Aware of the environmental and privacy-related concerns that come with such an undertaking, it hired a local nonprofit, the Electronic Recycling Association of Alberta (ERA), to carry out the data wipe, as well as properly dispose of the servers afterwards. In an act of impressive due diligence, the college even “toured ERA’s facilities and was satisfied with the ERA’s processes.” You should be able to see where this is going, and if you can’t, read this old IT-Lex post for a hint. From the snIP/ITs blog:
Four months later, a purchaser of one of the decommissioned servers booted it up and found personal information (including SIN numbers, credit card numbers, and salaries) of 189,900 students and 3,500 employees of BVC [the college] spanning almost 20 years. Over the next few months, the Commissioner received complaints from 28 individuals affected. … [The college] reviewed all the information on … recovered servers to identify the affected individuals and sent out letters to each of them. It also sent emails, set up a telephone number and an email address for information and in some cases, set up face-to-face meetings. It advised affected individuals of their right to make a complaint to the Commissioner and apologized. BVC estimated that its cost to respond to this incident was over $247,000.
The “Commissioner” referred to here is the Information and Privacy Commissioner of Alberta, who earlier this summer found that, despite touring the facility and seeking out a specialist third-party to handle the data deletion, the college had not done enough to prevent this data breach. In her opinion, the Portfolio Officer found that:
BVC had no signed contract or agreement in place with ERA. In addition, although BVC was charged for “pick-up” it received no invoice for data wiping charges, or certificates to confirm that the data was wiped, or written assurance that the devices were physically destroyed.
However, the Officer also found that BVC’s response after learning of the breach was sufficient to let it off the hook from further punishment: it had “made reasonable arrangements to prevent a similar recurrence”, and “apologized to the affected individuals.”
The lesson here is that data security is no joke, and even an entity like BVC, which seemed to be proactive and diligent in its work to appropriately clear its servers, can still be found lacking. Be extra careful when hiring third parties to clear your drives, and, of course, always try to have something in writing.