For organizations with aging or redundant IT equipment – like governments — the risk of a security breach is never higher than during disposal. One 60-gigabyte hard drive is equivalent to approximately 17 million pages of written information, easily searchable for a criminal mining for specific data.
With significant amounts of that data containing privacy-related information, the risks are extremely real.
Data storage devices such as computer hard drives, memory sticks, PDAs and BlackBerrys at their end-of-life-cycle should be handled very differently from CPUs, monitors, keyboards and desks – their security requirements are far greater. This may appear self-evident, but in practice it is difficult to find a government request-for-tender that segregates the special handling requirements of such devices.
The RCMP warned all federal departments in October 2007 that standard disk-erasing software (DSX) previously sanctioned by the Force was no longer reliable and should be used “at your own risk” as it could eventually fail to properly function on newer, larger drives. The RCMP’s technical security branch found that DSX left traces of sensitive data, a sticky problem known as “data reminisce.”
If you consider the risks incurred by a data breach and the relatively low replacement cost of these devices, it is hard not to conclude that their segregation and total destruction by shredding or other means is the only viable option.
As managers contemplate the selection of commercial destruction services, they would be wise to consider the following minimum criteria:
- the security level certification of the facility and its personnel;
- certification in the National Association for Information Destruction;
- controlled goods certification for the handling of controlled items (if applicable);
- environmental protection procedures in the disposal of e-waste;
- company adherence to the Security Evaluation Guidelines in their destruction process;
- security during transport to the destruction facility;
- chain of custody documentation;
- insurance coverage (if the unthinkable happens); and
- certificate of destruction issued complete with serial numbers of the units destroyed.
Changing landscape
There can be no mistaking the backdrop for this issue – privacy. It’s a delicate and essential element of Canadian life, and it needs to be protected. Recent technological advancements are making the application of our privacy laws more difficult, increasing the risk of data security breaches and identity theft.
Recently, the privacy and Internet landscape experienced a major tremor when what was initially dubbed a David and Goliath confrontation returned some startling results. In one corner was California-based Facebook, with over 200 million users, and in the other was Jennifer Stoddart, Canada’s privacy commissioner.
The confrontation was sparked by an eleven-part complaint in May 2008 by the Canadian Internet Policy and Public Interest Clinic at the University of Ottawa alleging that Facebook violated key provisions of Canadian privacy law. At the heart of the complaint was Facebook’s policy of indefinitely keeping user’s personal information (even after accounts were deactivated) and the manner in which it shared this information with third-party companies. Added to this debacle was the confusing manner in which Facebook provides information to users about its privacy practices.
There are over 12 million Canadian users of Facebook, huge in Canadian terms but small relative to Facebook’s overall operation. Furthermore, Canada’s privacy commissioner has no direct legal authority to enforce compliance. Yet, in the end Facebook blinked first and submitted a listing of remedial actions to the Office of the Privacy Commissioner of Canada (OPC).
The victory underscored the ever-increasing global concern that personal information must be kept confidential and shattered the misconception that privacy issues are satisfied if information is collected with the consent of the individual. The collection of personal information does require consent but it also requires a clear statement of the purpose for which the information will be used, that it will be kept safe and that it will be securely disposed of at the end of the stated purpose.
Legislation
Canada has two federal privacy laws: the Privacy Act, and the Personal Information Protection and Electronic Documents Act (PIPEDA). Both are administered and overseen by the OPC.
The Privacy Act, in place since 1983, protects the personal information collected by government institutions. Essentially, the Act is a code of ethics for the government’s handling of our personal information and ensures that Canadians can access information collected about them, and can challenge the accuracy of the information. Under its provisions, such information should be:
- collected by government institutions in relation to operating programs or activities;
- collected from the individual personally;
- accurate and up to date;
- subject to correction by the individual, and
- used only for the purpose for which it was originally collected.
PIPEDA, which has been in force since 2004, addresses the collection, storage and use of personal information by organizations in the private sector. It gives individuals the right to see and correct any personal information about them collected by companies in the course of their commercial activities. These provisions state that businesses must inform consumers of who is collecting the information, why the information is being gathered, and for what purposes it will be used. Under the law’s guidelines, personal information can be collected only as long as it is:
- gathered with the knowledge and consent of the consumer;
- collected for a reasonable purpose;
- used only for the reasons for which it was gathered;
- accurate and up to date;
- open to inspection and correction by the consumer; and
- stored securely.
Canadian legislation does not prohibit the flow of information across international borders, but it does require companies to protect the personal information in their care. Also, there is a requirement to inform customers that their personal information may be sent out of the country, and that while such information is out of the country, it is still subject to Canadian laws.
Security breaches and identity theft
Though electronic technology offers substantial benefits, it has also ushered in new levels of white-collar criminal activity, cyber crime and identity theft. Privacy is increasingly under attack by technology that can follow our every step and track our personal activities and preferences.
The federal government is the nation’s biggest repository of personal information, and 90 percent of the government’s files are held in electronic form. With email, BlackBerrys, home offices and innovations such as “virtual teams,” the majority of public servants today are communicating more by electronic means than ever before. While this might mean greater efficiency, the decentralization of information and more correspondence also creates more records, which need to be managed and securely protected.
In February 2008, Maclean’s quoted Nigel Brown, a managing consultant with IBM Global Technology Services IT Security, as stating that identity fraud is estimated to cost Canadians $2 billion a year, plus time, inconvenience and stress. “At