Content for this article was originally posted on Law.com/Law Technology News.
In retail, employee theft can be worse than shopper theft. Employees can easily learn the internal operations of a store. In some ways, the same can be said for theft inside a business. Employees have access to equipment and knowledge of which equipment will be missed and which won’t.
As businesses struggle with strained budgets, information technology departments are becoming overworked and understaffed. Important security precautions turn into secondary priorities as employees focus on immediate needs. Some companies run out of time and resources to carefully screen potential hires, allowing questionable characters to become staff members. This combination of factors has led to an alarming vulnerability in the security of company data.
Once a piece of computer equipment has been relegated to the scrap heap, most business owners and CEOs write it off as no longer a part of the company inventory. However, the hard drives inside laptops, PCs, mobile devices, and even multifunction copiers, contain sensitive data about your business and your customers. If an employee steals a piece of equipment and gives it away or sells it, that sensitive data could end up in the hands of someone who will use it.
Before you dispose of one more piece of equipment, consider these possible revisions in policy and procedures that could protect your company against data leakage. Below are a few tips to follow that will help to prevent your disposed equipment from becoming a liability.
- Know the law
- Recognize the consequences
- Create and post policies
- Assign multiple employees
- Control access
- Wipe early
- Verify possession
Know the Law
It is one thing for an inexperienced Internet user to be unaware of public Wi-Fi risks or a trusting Facebook user to be oblivious of privacy risks. It is another thing for an organization to ignore the threat of employee theft of retired equipment. Earlier this year, the Office of Civil Rights stressed that organizations must “have in place meaningful access controls to safeguard hardware.” Effective safeguards must include all equipment, even retired equipment. The OCR also stressed that they “expect organizations to comply with their obligations” – ignorance is no longer a valid excuse for non-compliance.
Recognize the Consequences
It should be no surprise that the OCR has begun to apply unprecedented sanctions for HIPAA security violations. There is no doubt that penalties can be punitive. However, the indirect costs of dealing with a breach and the impact of a privacy class action lawsuit can be much worse.
In May, the OCR fined BlueCross BlueShield of Tennessee (BCBST) $1.5 million for violations following the theft of 57 unencrypted retired hard drives. The cost of the fine was just the tip of the iceberg. In addition to the penalty, BCBST reportedly spent $17 million in investigation, notification and protection efforts.
In July, eight separate privacy lawsuits filed against healthcare benefits provider TRICARE were consolidated into one case to be heard by a U.S District Court. The suits stem from the loss of a backup data tape and allege that TRICARE and its subcontractor were negligent for failing to respond to “recurring, systemic, and fundamental deficiencies in its information security.” One suit was seeking an astounding $4.9 billion in damages.
Historically, privacy class actions fail for inability to prove recoverable damages, but this probably provides little consolation. The cost of defending privacy suits can cost millions. When it comes to protecting retired equipment from theft, an ounce of prevention is worth a ton of cure.
Create and Post Policies
While it should go without saying that theft of company equipment is forbidden, having a written policy makes it easier to enforce the rules. Set clear equipment disposition policies that extend to every type of electronic device in your organization, regardless of age or condition. Have every employee sign that they’ve read the policy and understand it.
Assign Multiple Employees
You are opening up your business to potential theft and fraud if your equipment disposition process is handled by only one employee. Assign at least two employees to work on disposing of equipment. Ideally, the process involves employees from different departments of your company. When your help desk worker determines a PC has reached its end of life, for instance, that employee should be required to input the information into that database. Another employee should then verify information about the asset is accurate and retire it to a secure holding area until it can be properly disposed. Another employee should be tasked with wiping any hard drives. A fourth employee should work with the appropriate parties to transfer the PC to a certified disposal vendor.
Store retired IT equipment in a secure area and allow access only to a few trusted employees. If possible, install cardkey access that tracks the comings and goings of staff in that area. This will keep a log of employee activity in that area should something disappear. If an employee removes a piece of equipment, whether functional or damaged, require a sign-out sheet even if that employee is part of your technical staff. If your building has a security or reception desk, provide employees with a signed equipment sheet that they must show before taking equipment out of the building. Management should also follow these sign-out procedures, both to set a good example and to create an audit trail.
Theft of retired equipment doesn’t have to be a disaster. Theft of retired equipment that contains confidential data can be catastrophic. Assign an employee to ensure all data is removed from a device as soon as it has been identified for disposition using multiple-wipe software that has been proven to fully destroy data on a disk. Non-working drives should be removed and physically destroyed using a hard drive crusher or even drill. Data destruction should be documented. The longer retired equipment is allowed to linger, the greater the chances that valuable data could end up in the wrong hands.
In all cases, it is wise to destroy data before equipment leaves your facility. A driver could steal a computer causing millions of dollars in damage to your organization. Should a computer be stolen or lost during transit, the transportation carrier might accept responsibility. Unfortunately, that would be a hollow victory, as the Carmack Amendment allows carriers to limit their liability for loss or damage to goods, regardless of how valuable it might be.
Ultimately, retired equipment should be handled by a qualified IT asset disposal vendor. You can outsource recycling, but not responsibility. If you think a pretty certificate will protect you, think again. Compliance and indemnification require unimpeachable chain-of-custody evidence. It is important to remember that unless you prove a vendor has your equipment, there is legal exposure. Disposal tags can protect that vulnerability by deterring employee theft and establishing chain-of-custody with a disposal vendor.
So why not ask a vendor, who is handling the equipment anyway, to also wipe data from the hard drives? You should. However, this should not be the primary method of data destruction. A vendor’s data destruction services should be considered a secondary precaution. While it might sound appealing to ask a recycler to destroy data, no vendor can wipe data from a hard drive it never received.
Until a device is completely clear of all company data and verified to be in the custody of a qualified vendor, it is still just as important as it was while the device was in use. Companies spend large sums of money creating firewalls and encryption to protect sensitive business data, so why do companies treat retired equipment so carelessly?
By instituting policies that safeguard all of your equipment, you can ensure your sensitive data is safe from the time a computer is deployed until the day it is retired. With a little guidance, IT staff will likely work with you to keep your data safe.