Donated Computer Equipment Unwittingly Yields Confidential Data
As the year end approaches, donations from corporations and individuals take a major jump in activity. Careless donation practices come with their own risks. Each year sensitive corporate data is compromised as companies donate outdated business equipment to charities, non-profits and various community organizations. Large companies are often all too happy to hand over laptops, PCs, cell phones, printers and other outdated electronics in exchange for great PR and possible tax write-offs. If not handled properly, the ramifications of these good deeds could be disastrous and even illegal.
The equipment marked for donation by a company will usually contain files that must be protected at all times. In addition to a company's sensitive information, businesses of all types are collecting large amounts of Personally Identifying Information (PII) such as account numbers, credit card numbers, social security numbers and birth dates related to their customers, employees and business partners.
Almost all devices keep data until it is intentionally and properly destroyed. Simply deleting files or reformatting a computer's hard drive does not prevent data from being recovered. Doing a factory reset on a cell phone or tablet may not remove all the data and contacts. Also, printers and copiers retain data on hard drives, and unless these hard drives are sanitized properly, the data remains at risk.
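To make the deletion-versus-sanitization point concrete, here is an added example (not from the original article or from e-End) in Python. It builds a constructed, in-memory toy disk image with a directory block and a data block holding a sample record, shows that a "delete" only clears the directory entry while the record stays in place, and then provides the kind of verification scan a practitioner would run over a wiped image before it leaves the building: a content scan that ignores the directory entirely and a whole-image fill check. Block size, layout, the sample record and the PII patterns are all assumptions made for the demonstration.

```python
import re

BLOCK = 512
# Constructed sample record for the demo; not real account data.
SECRET = b"ACCOUNT 4111-1111-1111-1111 SSN 078-05-1120 DOB 1970-01-01"
DIR_ENTRY = b"FILE:secret.txt@block3"  # assumed toy directory format

# Assumed PII shapes used by the residual-content scan.
PII_PATTERNS = {
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(rb"\b\d{4}-\d{4}-\d{4}-\d{4}\b"),
}


def make_image(blocks=8):
    """Build a toy disk image: block 0 is the 'directory', block 3 holds the file data."""
    image = bytearray(BLOCK * blocks)
    image[0:len(DIR_ENTRY)] = DIR_ENTRY
    image[3 * BLOCK:3 * BLOCK + len(SECRET)] = SECRET
    return image


def delete_file(image):
    """What 'delete' or a quick format does: clear the directory entry, leave the data block untouched."""
    image[0:BLOCK] = bytes(BLOCK)
    return image


def overwrite(image, fill=0x00):
    """Single-pass overwrite of every block, the step a plain delete never performs."""
    image[:] = bytes([fill]) * len(image)
    return image


def directory_lists(image, name):
    """Does the directory still reference the file? This is all a file browser would show."""
    return name in bytes(image[0:BLOCK])


def residual_pii(image):
    """Scan every block for PII-shaped strings, ignoring the directory. Returns {kind: [block indices]}."""
    hits = {}
    for offset in range(0, len(image), BLOCK):
        chunk = bytes(image[offset:offset + BLOCK])
        for kind, pattern in PII_PATTERNS.items():
            if pattern.search(chunk):
                hits.setdefault(kind, []).append(offset // BLOCK)
    return hits


def is_sanitized(image, fill=0x00):
    """Verification check: every byte of the image equals the fill pattern."""
    return all(b == fill for b in image)


if __name__ == "__main__":
    img = make_image()
    delete_file(img)
    print("listed in directory:", directory_lists(img, b"secret.txt"))  # False
    print("PII still on disk:", residual_pii(img))  # {'ssn': [3], 'card': [3]}
    overwrite(img)
    print("PII after overwrite:", residual_pii(img))  # {}
    print("sanitized:", is_sanitized(img))  # True
```

The scan reads the image block by block rather than through the directory, which is exactly why the "deleted" record is still found. Note that even a verified overwrite of the logical image only proves what the host can address: remapped sectors, flash wear-levelling pools and printer or copier spool storage sit outside that view, which is the reason the article points to specialized destruction equipment rather than a wipe utility alone.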
It's not only dangerous to fail to protect data properly; for just about every business entity it's also illegal. Business owners, corporate officers -- even board members -- have the responsibility to be certain data is secure while needing to protect themselves from the consequences of a data breach. There are numerous regulations with acronyms such as GLB, FACTA, HIPAA, SOX, FERPA, FISMA, COPPA and others that affect all organizations. From single-person offices to major corporations, failure to protect sensitive information can mean large fines and/or imprisonment. For instance, under the Sarbanes-Oxley (SOX) regulation, board members of corporations can be subject to hefty fines and even imprisonment for a data breach.
While most people associate HIPAA with healthcare providers, the reality is that nearly every entity has some HIPAA compliance responsibility. A recent provision of the HITECH Act authorizes the Attorney General (AG) of each state to sue anyone on behalf of residents "In any case in which the attorney general of a State has reason to believe that an interest of one or more of the residents of that State has been or is threatened or adversely affected by any person who violates a provision (of the act)." The AGs of several states have already sued and were successful in collecting fines ranging from tens of thousands of dollars to millions of dollars. Since the state gets to keep the money, there is great incentive for them to pursue legal action.
Read the recent article: "Cottage Health Fined $2M By California Attorney General For Two Breaches"
Not only is the financial loss from a data breach fine unhealthy for businesses, but the bad PR, loss of customers and other negative impacts would be disastrous. A recent study determined the average cost of a data breach in the US in 2016 was $225.00 per record, meaning a breach of just 10,000 records could cost a company close to $2,250,000.
Each of the privacy laws has verbiage requiring the establishment of policies and procedures to properly protect data. Destroying data beyond forensic reconstruction is neither simple nor an arbitrary task. For many levels of data destruction, specialized equipment is required, and no matter how good a company's IT department may be, it cannot always guarantee absolute data sanitization.
According to Steve Chafitz, President of data security company e-End, "Many companies relegate destroying hard drive data to their IT departments. That task is not their primary mission so it gets done when and if they have time. We routinely receive drives that were said to be free of data and they contained thousands of files." Chafitz added, "Many companies have become complacent and think it can't happen to them. Whether it's donating equipment, giving it to employees or selling it online, they can't afford not to be concerned about the data remaining on electronic devices before they leave their possession."
When considering donating, Chafitz advises, "Breaches are widespread and include every type of business. It's imperative to make sure you are not giving away your company secrets, client information, or the keys to the castle."
e-End operates a secure facility in Frederick, MD and specializes in destroying a wide variety of classified data and various controlled devices. This includes destruction of data-containing hard drives, ITAR-controlled devices, IT equipment, and tactical military devices. They routinely destroy body armor that has reached the end of its certified period of use. For further information contact Steve Chafitz, firstname.lastname@example.org.