This page contains a Flash digital edition of a book.
PRIVACY MATTERS with Meaghan McCluskey


BUSINESS AS USUAL NOT WORKING


Recent audits by the federal privacy commissioner show too many businesses are improperly destroying data, thus increasing the risk of personal information of too many people falling into the wrong hands


I


n two recent audit reports of disposal practices in selected federal entities, the Office of the Federal Privacy Com- missioner noted the importance of imple- menting controls to ensure personal information (PI) is disposed of securely. It should come to nobody’s surprise that the unauthorized disclosure of PI could have serious consequences for in- dividuals, including financial loss re- sulting from identity theft or fraud, humiliation or damage to the individual’s reputation or risk to personal safety. Under private sector privacy laws, organ- izations have an obligation to implement technical, physical and administrative safeguards to protect the integrity and se- curity of PI in both paper and electronic form, and this includes protecting PI awaiting disposal with the same degree of care provided to PI being actively used. The audits found that in the federal en- tities, computer and wireless devices were being disposed of, sold or donated without their data first being purged; surplus smart and cellular phones were stored in unlocked filing cabinets in areas acces- sible to all staff; shredding standards were not consistently applied; and destruction practices of off-site shredding companies were not systematically monitored. (For example, off-site companies were using staff without the requisite security clear- ance and not disposing of documents within the prescribed timeframe.) The Commissioner discovered that the method of handling documents destined for off-site destruction was adequate, consisting of documents being boxed and segregated in a secure area with re- stricted access, designated employees


12 SECURITY MATTERS • NOVEMBER/DECEMBER 2010


may contain PI. If networked, those de- vices may be vulnerable to hackers, who can access that stored data.


monitor the removal process and verify the vehicle door is padlocked and secu- rity sealed once loading is complete, con- tracts stipulate that records are to be transported to the contractor’s facility without delay, and records are stored by the contractor in a designated, secure room. These procedures are not isolated to government entities, and organizations should ensure that secure destruction policies have been implemented and fol- lowed, and adequate handling practices are in place.


Beyond data stored on surplus cell phones and mobile devices, organizations need to be aware that many other elec- tronic devices used in the ordinary course of business may store PI unknown to the user, and they need to be considered when creating secure destruction policies. Photocopiers, fax machines and printers contain hard drives that can store docu- ments processed by the machine, which


The United States’ Federal Deposit In- surance Corporation recently issued guid- ance on mitigating the risk of unauthorized disclosure these devices pose, which includes identifying the de- vices that store digital images of business documents, and ensuring their hard drive is erased, encrypted or destroyed prior to the device being returned to any leasing company, sold to a third party or other- wise disposed of; if the hard drives are to be encrypted, the method used should be sufficiently robust to render the infor- mation on the disk unrecoverable. Organizations looking to review and up- date their disposal practices can use a pri- vacy maturity model published by the Canadian Institute of Chartered Account- ants to help optimize their practices. Optimal practices involve monitoring and periodically assessing the appropri- ateness of destruction and redaction of PI, conducting verifications of disposal practices, and remediating discrepancies in a timely fashion. To verify disposal practices, a database can be kept, item- izing records for destruction and noting the date, time and by whom they were destroyed; where outside firms are used, obtain a certificate of destruction and conduct periodic on-site audits.


Meaghan McCluskey is a privacy research lawyer with Nymity Inc. (www.nymity.com), a provider of PrivaWorks, a privacy support tool.


Page 1  |  Page 2  |  Page 3  |  Page 4  |  Page 5  |  Page 6  |  Page 7  |  Page 8  |  Page 9  |  Page 10  |  Page 11  |  Page 12  |  Page 13  |  Page 14  |  Page 15  |  Page 16  |  Page 17  |  Page 18  |  Page 19  |  Page 20  |  Page 21  |  Page 22  |  Page 23  |  Page 24  |  Page 25  |  Page 26  |  Page 27  |  Page 28  |  Page 29  |  Page 30  |  Page 31  |  Page 32