International Women’s Day

March 6, 2020 at 7:00 am by Flora Knolton
From left to right: Cindy Haskell (Customer Care Representative), Eva Marie DiVirgilo (Corporate Controller), Heidi White (Director of Marketing), Kristin Olson (Materials Supervisor), Haley McGrath (Purchasing/Planning Clerk), Jen Bodnar (GSA Contract Administrator), Jenn Doyle (Service Coordinator), and Flora Knolton (Marketing & Sales Associate).

International Women’s Day is a time to reflect on the progress made by women who have played an astonishing role in the history of equality. Legal restrictions have kept 2.7 billion women from accessing the same choice of jobs as men. On average, women receive between 30 and 40 percent less pay than men for the same work. Much progress has been made in recent times to protect and promote equality. Days like International Women’s Day are a time to celebrate the gains that have been made and to measure how far we have come each year. SEM is committed to hiring talent based on what candidates can offer the company rather than on gender stereotypes. We know that women can offer as much as men, and we promote gender equality in every department of our organization. At SEM we fully support our female employees and celebrate International Women’s Day alongside them. We extend our support and thanks to all the women in the world who continue to make a difference for equality. Happy International Women’s Day!

Data Breach From End-of-Life IT Media: Not “If” But “When”

February 19, 2020 at 1:09 pm by Flora Knolton



A Reactionary Approach is Not Going to Cut it

While the age of Big Data has improved our lives in countless ways, it has brought an arguably equal number of downsides. As we all know too well, the exponential growth in data volume has spawned nonstop criminal activity aimed at exploiting that data. The danger couldn’t be more extreme, or more real: in today’s Internet-dominated world, someone seeking to steal sensitive, confidential, or proprietary data (e.g., personally identifiable information, or PII) no longer has to physically breach a facility.

It’s important to remember, however, that data theft isn’t limited to online, or cyber, activity. IT assets (i.e., electronic storage devices containing data) constitute physical hardware that is likewise vulnerable to theft. Consequently, it’s critical that companies safeguard IT assets throughout the entire lifecycle, including physical destruction to the point of irreversibility. End-of-life data destruction processes must be formalized and precisely followed; far too much is at stake should IT assets fall into the wrong hands.

A dedicated, internal security team is necessary to prevent breaches. A reactionary approach is unacceptable: the potentially catastrophic consequences of compromised or stolen data rule out the luxury of a passive posture. The direct costs of stolen data can include monetary fines in the millions of dollars, while the intangible costs of reputational damage, identity theft, and disclosure of confidential or sensitive information can easily exceed all measurement.

Cases in point: Cyber-Related Data Breaches are Becoming More Destructive … and More Expensive

In mid-2019, the UK’s Information Commissioner’s Office (ICO) announced a then-record intention to fine British Airways the equivalent of $230 million (£183 million) for violating the European Union’s General Data Protection Regulation (GDPR). The Magecart group of cyber criminals compromised the British Airways website and used just 22 lines of injected JavaScript to harvest personal and payment-card data for approximately 500,000 customers over roughly two weeks in 2018.

Only days later, the ICO announced an intended fine of $124 million (£99 million) against Marriott International for a breach that compromised about 339 million guest records worldwide. The compromised systems belonged to Starwood Hotels & Resorts Worldwide, which Marriott acquired in 2016. Marriott reported the breach shortly after discovering it in November 2018, by which time the attackers had been inside the Starwood network for roughly four years.

In 2015, U.S. health insurance giant Anthem, Inc., suffered a breach that began with a spear-phishing campaign, which gave the attackers a foothold in its systems and exposed the records of nearly 79 million people. Data harvested by a still-unknown party included full names, birthdates, employment information, addresses, Social Security numbers and medical identification numbers. In 2017, a class-action settlement cost Anthem $115 million, much of it to pay for two years of identity-theft protection for all affected individuals. One year later, the U.S. Department of Health and Human Services Office for Civil Rights (OCR) also fined Anthem a record $16 million for violations of the Health Insurance Portability and Accountability Act (HIPAA).

Perhaps the largest cyber-related theft thus far occurred in 2017, when an unpatched vulnerability in the Apache Struts web framework, used by one of Equifax’s customer-facing web applications, allowed data on approximately 147 million people to be stolen. After discovering the breach, Equifax waited more than a month to disclose it. The company’s negligence will cost it between $575 million and $700 million under a record settlement reached in July 2019 with the Federal Trade Commission (FTC), the Consumer Financial Protection Bureau (CFPB), and 50 U.S. states and territories.

Waiting for the Inevitable: Physical IT Assets and the Failure to Destroy End-of-Life Data


Given the carelessness with which many organizations, governments, individuals and third-party companies discard IT assets, it is remarkable that a catastrophic end-of-life data breach has not yet made headlines. We have previously discussed why a comprehensive in-house destruction plan for end-of-life data is essential: you simply do not know what happens to data unless your organization has supervised the entire data life cycle firsthand.

Maintaining a chain of custody for all IT hardware that stores personal, sensitive or classified data, from the beginning to the end of its life cycle, will go a long way toward preventing a costly breach. Just ask the U.S. Department of Defense (DoD), which banned USB thumb drives and other removable media after a 2008 incident in which an infected thumb drive inserted into a laptop at a U.S. military installation in the Middle East released a worm into DoD networks that took 14 months to eradicate.

Several studies over the last few years show how often personal and classified information is left on used hard drives and USB drives. A 2019 study by Ontrack and Blancco Technology Group found sensitive data on about 42% of used hard drives purchased on eBay. Earlier in 2019, researchers at the University of Hertfordshire bought 100 used USB flash drives on eBay in the U.K. and 100 in the U.S.; 68% of the U.S. drives and 67% of the U.K. drives contained data recoverable from their previous owners, and more than half of those held sensitive business or personal data.

In 2017, the Channel NewsAsia documentary The Trash Trail tracked the purchase of nine hard drives from various shops at Sim Lim Square in Singapore. The buyers were assured by the shop owners that all drives had been wiped clean and reformatted. The reality was that five of those drives contained sensitive personal information—and one of them contained complete medical records and passport details. Two additional hard drives contained sensitive corporate information.

In 2009, University of British Columbia journalism students shooting a documentary about e-waste in Ghana purchased seven hard drives from a market in Tema. One of them contained sensitive information on multi-million-dollar U.S. defense contracts involving the Pentagon, the Department of Homeland Security and contractor Northrop Grumman. The contractor believes the drive was stolen from a third-party asset-disposal company.

Also in 2009, a study conducted by British Telecommunications’ Security Research Centre, the University of Glamorgan in Wales, Edith Cowan University in Australia and Longwood University in the U.S. examined 300 secondhand hard drives. On those drives was a variety of sensitive information, including trading performance and budget documents of a fashion company, corporate data from a motor-manufacturing company and, incredibly, test launch procedures for the U.S. Terminal High Altitude Area Defense (THAAD) ground-to-air missile system.

In all these examples, imagine what could have happened if that data had fallen into the hands of criminals rather than of individuals conducting investigative studies. Catastrophic end-of-life data breaches will happen; it is just a matter of time. No one handling sensitive data should become complacent or take a lax approach to securing it.

Bottom line: any used IT storage device that has not been in your organization’s direct chain of custody for its entire life, or that has reached end-of-life, should be thoroughly destroyed in-house, to the point of irreversibility, with equipment that meets or exceeds industry standards. Companies like SEM provide a variety of equipment capable of completely and securely destroying data on any IT hardware, including the industry’s only equipment capable of destroying enterprise-class drives.

Who is Responsible for End-of-Life Data Destruction?

February 3, 2020 at 6:55 pm by Flora Knolton

Isn’t the IT Department Responsible?
The short answer is no. End-of-life data destruction shouldn’t be an additional responsibility heaped on an IT team that, more than likely, doesn’t have the proper training.

Let’s start with some quick background. By 2020, it is estimated that there will be approximately 40 zettabytes (40 trillion gigabytes) of electronic data, and that every user will create 1.7 megabytes of data per second. To put that into perspective, even with continual advances in data transfer, a single user downloading at an average speed of 44 megabits per second would need on the order of 230 million years to pull down all of that data (40 zettabytes is 3.2 × 10^23 bits; at 44 million bits per second that is about 7.3 × 10^15 seconds).

Given the amount of data being generated and the dissemination of data being increasingly regulated to safeguard individual privacy, expecting an IT team already tasked with maintaining a technological infrastructure to handle data destruction is not only unreasonable and impractical but virtually impossible. Furthermore, proper destruction of private information is so critical (and, quite often, so complex), that in-house protocols need to be rigidly defined and precisely followed to avoid the potentially catastrophic risks of noncompliance.

In short, there’s no place for simply “leaving it up to the IT department” — and certainly no room for relying on misguided assumptions about where data destruction responsibility falls.

Particularly for organizations and businesses that deal with personally identifiable information (PII), classified data, controlled unclassified information (CUI), or other sensitive information, it is crucial to have dedicated and trained technology-security professionals in charge of end-of-life data destruction. Ideally, a team of security experts should formulate, implement, and manage a comprehensive end-of-life data destruction process that ensures all data is destroyed at the proper time and in accordance with the proper security specifications.

But doesn’t data destruction merely involve obliterating hard drives and shredding papers?
Physical destruction is just one part of the end-of-life data destruction process, and overlooking the rest can have severe ramifications. When you handle personal, sensitive, or classified data, you are likely subject to laws and standards such as Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), the European Union’s General Data Protection Regulation (GDPR), the National Security Agency’s (NSA) requirements for destroying classified and sensitive media in the United States, or the Payment Card Industry Data Security Standard (PCI DSS), an industry standard that applies wherever payment-card data is handled, to name just a few.

Depending on which regulations apply to your organization, the standards for how thoroughly data must be destroyed, and for how long it may be retained before destruction, differ, as do the financial penalties for noncompliance, many of which are steep. For example, Equifax recently agreed to pay at least $575 million to settle claims arising from its 2017 breach, and the UK ICO announced an intended fine against British Airways equivalent to $230 million for its 2018 breach.

Bottom line: if you work with personal, sensitive, or classified data, the onus is on you to know every applicable end-of-life data destruction and privacy-protection regulation. The issue is urgent enough that data privacy laws now exist in over 80 countries. All sensitive data held by a company, whether it concerns the company itself or an external partner or third party, must be assigned a retention period and a destruction deadline, and at end-of-life it must be obliterated to the point of irreversibility.

The only way to guarantee that this will happen is to designate the responsibility, oversight, and ongoing supervision to an in-house professional security team (headed by a Chief Security Officer) that is well-versed in data privacy laws and maintains an organized end-of-life data destruction plan and process.

What about assigning responsibility for data destruction to a third party?
Using third-party destruction companies is a risky proposition. Even when you are issued a certificate of destruction, you cannot be certain the data is irreversibly destroyed unless you witnessed the destruction process yourself and monitored every handoff of the media along the way. In fact, the literature is full of studies documenting how often discarded, and supposedly destroyed, hard drives turn up still containing PII or other sensitive or classified data.

As examples, Blancco Technology Group recently purchased used hard drives on eBay in the United States, the United Kingdom, Germany, and Finland; 42% contained sensitive data and 15% contained PII. In July 2019, the Federal Bureau of Investigation recovered more than a thousand classified Air Force documents from a contractor’s home in Fairborn, Ohio. (We have touched on similar incidents in previous discussions.)
The lesson is clear: If proper end-of-life data destruction plans and adequately strict supervision protocols were in place, these incidents most likely would have been avoided.
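A certificate of destruction is an assertion; reading the media back is the check. What follows is an added example, not SEM’s code or tooling, of the kind of residual-data sweep that the eBay and Sim Lim Square studies above amount to: it treats a byte string as a disk image, flags every sector that is not uniformly 0x00 (an overwritten disk) or 0xFF (erased flash), and searches the whole image for well-known file signatures and SSN-shaped tokens. The sample “drive”, the `quick_format` and `overwrite` models, and the PII heuristic are all constructed for illustration; on real hardware you would read the device (for example an image taken with `dd`) and scan it the same way.

```python
"""Read-back check for a drive that was supposedly wiped or 'reformatted'.

Added example for this post; not SEM code. The sample drive and the
quick_format/overwrite models below are constructed for illustration.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

SECTOR = 512

# Well-known file signatures (magic bytes); labels are illustrative.
SIGNATURES = {
    b"%PDF-": "PDF document",
    b"\xff\xd8\xff": "JPEG image",
    b"PK\x03\x04": "ZIP / Office OOXML archive",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "OLE2 (legacy Office) document",
    b"-----BEGIN ": "PEM key or certificate",
}

# US SSN-shaped token: a quick PII heuristic, not a validator.
SSN_RE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b")


@dataclass
class ScanReport:
    sectors_total: int
    sectors_dirty: list[int] = field(default_factory=list)   # not 0x00/0xFF
    signatures: list[tuple[int, str]] = field(default_factory=list)
    pii_hits: list[int] = field(default_factory=list)        # byte offsets

    @property
    def clean(self) -> bool:
        return not (self.sectors_dirty or self.signatures or self.pii_hits)


def is_erased_sector(data: bytes) -> bool:
    """A sanitized sector reads as all 0x00 (overwritten disk) or all 0xFF (erased flash)."""
    return data == b"\x00" * len(data) or data == b"\xff" * len(data)


def scan_image(image: bytes, sector: int = SECTOR, step: int = 1) -> ScanReport:
    """Read back an image and report anything that is not erased.

    step=1 checks every sector; step=N samples every Nth sector as a quick
    spot check on very large media. Signature and PII searches always cover
    the whole image regardless of step.
    """
    total = (len(image) + sector - 1) // sector
    report = ScanReport(sectors_total=total)
    for idx in range(0, total, step):
        if not is_erased_sector(image[idx * sector:(idx + 1) * sector]):
            report.sectors_dirty.append(idx)
    for magic, label in SIGNATURES.items():
        pos = image.find(magic)
        while pos != -1:
            report.signatures.append((pos, label))
            pos = image.find(magic, pos + 1)
    report.signatures.sort()
    report.pii_hits = [m.start() for m in SSN_RE.finditer(image)]
    return report


def quick_format(image: bytes, sector: int = SECTOR) -> bytes:
    """Model a shop 'reformat': only the boot/partition sector is rewritten."""
    return b"\x00" * sector + image[sector:]


def overwrite(image: bytes, fill: bytes = b"\x00") -> bytes:
    """Model a single-pass overwrite of every addressable sector."""
    return fill * len(image)


def build_sample_drive() -> bytes:
    """Constructed sample: an 8-sector 'drive' holding a PDF and a record with an SSN."""
    sector0 = b"FAKEBOOT".ljust(SECTOR, b"\x00")
    pdf = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n".ljust(SECTOR, b"\x00")
    record = b"patient=J. Doe ssn=123-45-6789 dob=1970-01-01\n".ljust(SECTOR, b"\x00")
    return sector0 + pdf + record + b"\x00" * SECTOR * 5


if __name__ == "__main__":
    drive = build_sample_drive()
    for name, img in [("as sold", drive),
                      ("after 'reformat'", quick_format(drive)),
                      ("after full overwrite", overwrite(drive))]:
        r = scan_image(img)
        print(f"{name:22} clean={r.clean} dirty_sectors={r.sectors_dirty} "
              f"signatures={r.signatures} pii_offsets={r.pii_hits}")
```

The “reformatted” copy still reports two dirty sectors, the PDF header and the SSN, which is exactly what the Singapore buyers found behind the shop owners’ assurances. A read-back like this verifies what a wipe tool claims for the addressable sectors, but it cannot see remapped, spare, or over-provisioned blocks on an SSD, which is one reason the post insists on physical destruction for media that have left your custody.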

So what do you need to stay compliant?
Simply put, designating professional, in-house security personnel to own and monitor end-of-life data destruction plans is the strongest defense against end-of-life data breaches. Make sure this team also has equipment able to destroy data on every media type you use, in compliance with all applicable regulations. Companies like SEM sell destruction devices that not only meet but exceed many government standards. If you are unsure whether your equipment suffices, check the NSA/CSS Evaluated Products Lists.

Data Privacy Day in a Consumer Driven Economy

January 22, 2020 at 7:47 pm by Flora Knolton

Data Privacy Day is an international effort observed every year on January 28 to raise awareness of the importance of respecting privacy, safeguarding data, and building trust. It was established in 2008 in the United States and Canada as an extension of Europe’s Data Protection Day. Both commemorate the signing of Convention 108 on January 28, 1981, the first legally binding international treaty to address data protection.


Consumers around the world are becoming more aware each year of how much their personal data is worth. Research by the Lares Institute found that 40% of consumers, particularly those with higher incomes, made buying decisions based on privacy. In addition, 51% of consumers said that in the past two years they had been notified by a company or government agency that their personal information was lost or stolen in one or more data breaches. These results show how data loss can erode shareholder value as well as customer loyalty.


Businesses would be wise to be just as cautious as their customers. Large organizations like Facebook and Amazon make the headlines when it comes to data breaches, but a frequently cited estimate holds that 60% of small and mid-sized companies go out of business within six months of a cyber attack. Attacks and breaches have increased sharply over the last decade, and the result has been a wave of data protection regulations around the world requiring businesses to implement concrete protection measures. In short, the digital economy has forced businesses to rethink their data security priorities and practices. Practicing data privacy is as important as customer service and, since GDPR took effect, is usually also a regulatory requirement. Below are a few ways companies can take data privacy preparation further.


If corporations are people too, they should empathize with consumers. Companies that focus on the needs of the individuals entrusting them with data stand to gain in customer retention. Privacy has become a marketing theme in the technology industry, but it is no longer only a concern for tech companies. Companies that take precautions to protect their customers’ data will outpace competitors that take a passive approach.

Educate the user. Whether an employee or a customer, the end user is a critical line of defense against an attack. Many federal statutes and industry standards already apply in specific contexts, such as HIPAA, FCRA, FACTA, PCI DSS, and the Privacy Act of 1974. These rules attempt to protect an individual’s personally identifiable information (PII) by restricting how a company may share it. Employees must know the proper destruction method for each kind of PII and media to guarantee data does not end up in the wrong hands, and explaining to customers how their data will be destroyed once it is no longer needed helps retain their loyalty. Whether the media is a solid-state drive (SSD) or a hard disk drive (HDD), a failed, erased, or overwritten drive can still hold recoverable data: a quick format rewrites only file-system structures, a single overwrite pass may miss remapped or spare blocks on an SSD, and a drive that no longer spins up can often be read by a recovery lab. Advances in computing make it possible to process vast amounts of information, and new challenges emerge as the technology evolves.

Adopt an Acceptable Use Policy (AUP). An acceptable use policy sets out when and how employees may use the business’s systems and internet access, and it answers the questions employees are likely to have about handling PII: who needs access to PII, which regulations the company must follow, where the company’s handling of PII is vulnerable, and which rules and permissions personnel must follow. Regardless of how data is compromised or lost, and regardless of how small the company is, fines are among the largest and most effective consequences for mishandling personal data. A breach of personal data can also severely damage the brand’s reputation, erode customer trust, lower employee morale, and drive up the cost of recovering from the aftermath. As an example, Health Net of the Northeast Inc. agreed to pay for two years of credit monitoring for 1.5 million members whose details were on a single lost hard drive.

Overall, by empathizing with the individuals at risk, organizations gain perspective on their clients’ privacy and strengthen the trust that relationship depends on. Employees and users need to be taught how PII is controlled by the technical safeguards that implement the company’s privacy practices, and an enforced Acceptable Use Policy lays the groundwork for how those safeguards are used with respect to PII and who is permitted to handle it. There are many other protective measures companies can adopt to reinforce data privacy, but being mindful of these few can differentiate your business from competitors.