What the SEC’s Cybersecurity Whistleblower Program Means to ITAD
When people think of the concept of whistleblowers, images of Erin Brockovich and Edward Snowden come to mind. But whistleblower programs are far more than EPA violations and headline-grabbing NSA leaks.
In fact, the Securities and Exchange Commission (SEC) recently issued a release stating that whistleblowers are one of the commission’s most valuable enforcement tools and that it is doing its utmost to encourage more. And when one considers that the total awarded to individual SEC whistleblowers last year was a staggering $229 million, it certainly appears the commission is serious about doing just that.
In this article, we will discuss how and why ITAM and ITAD professionals and the organizations they serve are now squarely in the crosshairs of the whistleblower threat and what can be done to reduce the risk.
ITAD is on the SEC’s Radar
To fully appreciate the risks of the whistleblower threat, one first has to understand that ITAD is something the SEC is concerned about.
By now, most readers are familiar with the SEC’s involvement in the Morgan Stanley case, including multimillion-dollar fines and, more importantly, its public statements about the firm’s “astonishing” IT asset disposition (ITAD) practices. It was clear from those statements that the SEC had determined that common disposition practices were completely inconsistent with regulatory requirements and consumer and investor protections.
In addition to their Morgan Stanley findings, the SEC has also very publicly announced that cybersecurity is among its top priorities. And it doesn’t take much digging to see that ITAD falls into that category.
The NIST’s Framework for Improving Critical Infrastructure Cybersecurity, for instance, mandates that “assets are formally managed throughout removal, transfers, and disposition.” The AICPA’s Cybersecurity Checklist explains that organizations must “document all firm-owned equipment, utilize inventory tags to track firm-owned equipment, document acquisitions, assignments, and dispositions, including procedures to properly dispose of devices that might contain client data.”
In fact, in May of last year, the SEC proposed rules deeming cybersecurity exposures material to investor protections, provided guidelines for incident reports, and suggested boards will be held responsible. Then, in March of this year, the SEC proposed changing both Regulation S-P and the Gramm-Leach-Bliley Act (GLBA) Safeguards Rule by adding a “disposal rule” specifically to address the cybersecurity risks of discarded IT assets.
The point is that the SEC is aware that ITAD belongs to cybersecurity, and, for better or worse, the commission is already itching to take industry whistleblowers seriously.
The SEC will be at Odds with Conventional ITAD Practices
The typical approach during ITAD is for organizations to allocate assets to an ITAD vendor. This approach, while convenient, needs to meet the minimum standards for safeguards required by privacy-protection laws. Only a careful, objective examination of asset tracking data can confirm chain-of-custody or reveal potential data security incidents.
Allocating inventory to an ITAD vendor runs the risk of greenwashing issues and concealing data security incidents. Vendors may be reluctant to alert customers of potential missing assets, fearing that they will disappoint customers. As a result, ITAD service providers may be disinclined to provide information that would increase their exposure.
Given the SEC’s proposals and these clear compliance disincentives, the commission will likely determine that the current ITAD paradigm is compromised.
The SEC Office of the Whistleblower was created in 2010 by the Dodd-Frank Act. As a result, whistleblowers get paid up to 30% of a fine, and, whether enticed by large financial rewards or motivated by ill-will, anyone with access to a computer can submit a tip with a couple of clicks of a mouse. The whistleblowers’ confidentiality is protected, and the program also prohibits employer retaliation.
With the SEC paying whistleblowers millions of dollars for tips, the risks to ITAM and ITAD practices are no longer linked to the classic data breach disclosure. The risk now includes anyone who knows of a potential vulnerability, such as inventory discrepancies: current or past employees, current or past service providers, anyone jealous or disgruntled, job applicants, or temporary contractors. Up to now, many organizations have simply banked on employees not knowing enough about risky practices to report them. As they say, “hope is not a strategy,” and with all the attention being put on data protection and breach notification, relying on employee ignorance is, in fact, a very risky roll of the dice.
Opportunity or Peril
IT asset management (ITAM) is responsible for developing policies, processes, and systems to manage the IT asset portfolio concerning cost, compliance, and risk. This responsibility is essential to managing the new SEC requirements and mitigating whistleblower risk.
IT asset managers are unsung heroes of the IT world. ITAM programs need more funding and appreciation. It can be hard to justify investing in ITAM when there hasn’t been a breach. Executives are blind to the problem because they seldom hear about the incidents.
The SEC is taking cybersecurity seriously, and now we are just two clicks away from exposure.
ITAM is not responsible for the predictable problems with conventional ITAD practices. We can’t change the past, but we can shape the future. ITAM has a professional duty to share sobering facts with executives. We have the opportunity to elevate our profession.
The change will happen because of the SEC’s emphasis on cybersecurity, whether we want it to or not. The status quo is not a viable option. We will be perceived as part of the problem or incompetent if executives discover “astonishing” practices within our organization. Misstating facts is professional misconduct and potentially illegal. We face worse jeopardy if we conceal it.
ITAM professionals are the only ones who can ultimately transform ITAD practices to meet new challenges, and here are steps that can be taken:
- Track IT Assets From the Moment They’re Acquired – ITAM is expected to account for every asset from acquisition. ITAD is inevitable. All IT assets will be disposed of eventually. It is, therefore, logical to track the asset closely from the moment it is acquired. Assets missing before the disposition phase should not be considered part of the disposition phase.
- Treat ITAD Discrepancies with Due Regard – Whenever an incident occurs, such as an inventory discrepancy, there is a regulatory obligation to investigate and potentially notify. Failure to recognize and act on this is a whistleblower complaint waiting to be made…and there is no statute of limitations.
- Recognize That Encryption Is Not a Silver Bullet – While encryption can prevent an incident from becoming a breach, it cannot prevent an incident from occurring and does not eliminate the requirement to detect and investigate incidents.
- Use Disposal Tags – Serial number tracking is fallible. On average, 40% of inventories reported by disposal vendors contain errors (e.g., duplicates, missing identifiers, etc.). Barcoded disposal tags increase tracking to 99% or higher. Disposal tags deter theft and are an effective way to track assets and prove chain-of-custody.
- Secure or Destroy Data Before Devices are Moved – 99% of ITAD problems happen before a disposal vendor touches the equipment. No vendor can protect an asset it doesn’t receive. Working with a certified electronics recycler is essential but not a guarantee.
- Take Control of Disposition Inventory Reconciliation – Segregation of duties is critical to privacy regulations. ITAD service providers should not be reconciling device inventories. Instead, they should report what is received, and the data controller should do the reconciliation. That way, discrepancies can’t be swept under the rug.
- Automate and Outsource Inventory Reconciliation – Spreadsheet reconciliation is time-consuming and tedious. Moreover, the results of manual reconciliation can be subjective and impossible for someone else to verify without redoing the entire thing. Automating and outsourcing reconciliation ensures a consistent, objective approach and allows IT asset managers to spend valuable time solving problems.
- Test Security Controls – Compliance requires an organization to implement and test safeguards. Detecting a missing asset requires a robust reconciliation process. An effective test of this control is to include a fictitious asset on every disposal inventory. This imaginary asset should get flagged as missing. If the ITAD vendor reports receiving the pretend asset, there is a problem.
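The reconciliation and control test described in the steps above can be sketched in code. This is an added example, not part of the original article or any vendor's tooling; the tag format, the function name `reconcile`, and the sample data are assumptions made for illustration.

```python
from collections import Counter

def _norm(tag):
    # Vendor reports often differ in case and whitespace; normalize first.
    return tag.strip().upper()

def reconcile(manifest, vendor_report, canary_tags):
    """Controller-side comparison of released disposal tags vs. the vendor's receipt report.

    manifest:      disposal tag IDs the data controller released (canaries included)
    vendor_report: tag IDs the ITAD vendor says it received
    canary_tags:   fictitious tags seeded on the manifest and never shipped
    """
    sent = {_norm(t) for t in manifest}
    canaries = {_norm(t) for t in canary_tags}
    if not canaries <= sent:
        raise ValueError("canary tags must be listed on the manifest")
    counts = Counter(_norm(t) for t in vendor_report if t.strip())
    received = set(counts)
    missing = sent - received
    return {
        "missing": sorted(missing),                  # everything not reported received
        "investigate": sorted(missing - canaries),   # real assets unaccounted for
        "unexpected": sorted(received - sent),       # reported but never released
        "duplicates": sorted(t for t, n in counts.items() if n > 1),
        "blank_ids": sum(1 for t in vendor_report if not t.strip()),
        # The control works only if every canary was flagged as missing.
        "control_test_passed": bool(canaries) and canaries <= missing,
        "canary_reported_received": sorted(canaries & received),
    }

# Constructed sample data (hypothetical tag IDs, not from the article).
MANIFEST = ["DT-0001", "DT-0002", "DT-0003", "DT-0004", "DT-9999"]
CANARIES = ["DT-9999"]
VENDOR_REPORT = ["dt-0001", "DT-0002 ", "DT-0002", "", "DT-0777"]
VENDOR_REPORT_BAD = VENDOR_REPORT + ["DT-9999"]  # vendor "received" the fictitious asset

if __name__ == "__main__":
    for name, report in (("honest", VENDOR_REPORT), ("suspect", VENDOR_REPORT_BAD)):
        print(name, reconcile(MANIFEST, report, CANARIES))
```

Every entry under `investigate`, `unexpected`, `duplicates`, or `canary_reported_received` is a discrepancy the data controller, not the vendor, should follow up on.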
To be sure, there are other things that can help mitigate the whistleblower risks, but they should only be used to support good disposition practices cited above. For instance, all employees should be encouraged to raise non-compliant practices to management. This simple act of providing an outlet can short-circuit a whistleblower, with the caveat that the issue cannot be ignored afterward. Frankly, ignoring a potential whistleblower issue only makes it worse.
It remains to be seen how this will all shake out. All that is known for sure is that the SEC has made cybersecurity reform a top priority and that they are publicly encouraging whistleblower complaints with large sums of money.
That sounds to us like an opportunity for ITAM and ITAD professionals to demonstrate their value to their organization.
Robert (Bob) Johnson, CSDS, CIPP/US, is the Principal Advocate at Privata Vox, LLC. Prior to his current position he served for 27 years as founder and CEO of NAID, the world’s largest data disposition trade organization, also boasting the world’s most recognized media disposition certification program. Among the many highlights of his career are being invited by the FTC to assist in the rulemaking phase of the FACTA Final Disposal Rule and participating in the Senate Finance Committee in hearings following the ChoicePoint data breach. Bob also authored what is widely considered the seminal textbook on data and media disposition. He can be reached at firstname.lastname@example.org
Kyle Marks is an ITAD enthusiast and CEO of Retire-IT, a consulting firm specializing in IT asset disposition management. Over the past 18 years, Retire-IT has managed over 15,000 ITAD projects for companies of all industries. Kyle served Arrow Electronics as President of US Micro to lead post-acquisition integration efforts. Ages ago, Kyle was a consultant with Bain & Company, a marketing manager with Maybelline L’Oréal, and an executive with WEGO Systems. Kyle has an MBA from Harvard Business School and a bachelor’s in economics from Rhodes College. Kyle is also an IAITAM CHAMP and proud father of two wonderfully inexhaustible kids. He can be reached at email@example.com
Bob and Kyle also co-wrote an article for IAITAM that was referenced in a plaintiff brief in the lawsuit resulting from the Morgan Stanley breach incident (link below).
Content for this article was originally published in ITAK, the abbreviation for IT Asset Knowledgebase. ITAK is the magazine of IAITAM, The International Association of Information Technology Asset Managers. IAITAM is a much-needed educational source for IT Asset Managers, CIOs, and CEOs.