Security Engineered Machinery Introduces Dual Shredder for Classified and CUI Paper and Optical Media Destruction

August 12, 2019 at 10:15 am by Heidi White

OfficeShredHS satisfies industry need for an all-in-one NSA listed paper and optical media shredder that meets the NSA’s new DVD and Blu-ray Disc destruction requirement

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to introduce the OfficeShredHS dual paper and optical media shredder. This sleek, user-friendly device is specifically designed for the destruction of classified and controlled unclassified information (CUI) on paper, CDs, DVDs, or Blu-ray Discs (BDs) in office environments.

“Since the NSA released the new DVD and BD specification in late 2018, the market has lacked an NSA listed combination machine that destroys both paper and optical media in office environments,” said Bryan Cunic, SEM Director of Customer Care. “Being an industry innovator for over 50 years, it is no surprise that SEM engineered the OfficeShredHS to fill that gap.”

Sporting an attractive cabinet that houses SEM’s NSA listed 1324C/3 paper shredder and SEM’s NSA listed 0200-OMD/SSD optical media shredder, the OfficeShredHS quickly and efficiently destroys paper to a 1mmx5mm particle and optical media to a 2mm particle, both NSA requirements for classified data destruction. In addition, the OfficeShredHS meets the Information Security Oversight Office (ISOO) 32 CFR Part 2002 “Controlled Unclassified Information” directive requiring that all Executive Branch agencies destroy CUI paper to a 1mmx5mm particle.

SEM’s 1324C/3 NSA listed paper shredder accepts up to four sheets of paper per pass, with a 1-hour durability rating of five reams. Constructed with rugged steel cutting heads, safety and convenience features, and whisper quiet functionality, the 1324C/3 is a time-tested, low volume, high security paper shredder. SEM’s 0200-OMD/SSD NSA listed optical media shredder provides efficient destruction of low volumes of classified CDs, DVDs, BDs, and solid state devices such as EMV credit cards, magnetic stripe cards, Common Access Cards (CAC) IDs, and SIM cards. These two devices come together in the OfficeShredHS to provide the first NSA listed combination destruction device to meet the NSA’s new DVD/BD requirement. It also uses standard 120V electrical outlets and is TAA compliant.

“SEM’s OfficeShredHS fills the very real need for an NSA listed combination office shredder that destroys classified and CUI paper and optical media,” added Heidi White, SEM Director of Marketing. “This revolutionary device is attractive, compact, clean, portable, and quiet, making it the ideal solution for safeguarding sensitive information in government office environments.”

The OfficeShredHS has a list price of $7,499. For more information, visit www.semshred.com/product/OfficeShredHS.

Security Engineered Machinery Introduces Manual Crusher for Both HDDs and SSDs

July 30, 2019 at 12:22 pm by Heidi White

Model 0100 SSD/HDD quickly and easily destroys both rotational hard drives and solid state boards without electricity


Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the Model 0100 SSD/HDD manual solid state and rotational hard drive crusher. This new product provides an affordable, efficient solution for organizations with low volumes of hard disk drives (HDDs) and solid state drives (SSDs) requiring physical destruction.

“The 0100 SSD/HDD was designed to be a portable, cost-effective, and eco-friendly option for the efficient destruction of IT media,” said Andrew Kelleher, SEM President and CEO. “This unique device has a low profile, is quiet and clean, and operates by using a simple lever, making it a convenient, safe solution for smaller office environments.”

SEM’s Model 0100 SSD/HDD manual crusher easily destroys both rotational hard drives and solid state boards. The unit includes an SSD kit consisting of a wear plate and press plate for holding solid state boards during the crushing cycle. Manual operation makes crushing drives efficient and versatile, providing ultimate portability and ease of operation. SEM’s Model 0100 SSD/HDD exerts up to three tons of crushing force, and destruction time is five seconds or less. The heavy-duty steel anvil punctures and destroys the drive chassis and platters of HDDs as well as chips found on solid state boards. Quality, solid steel parts ensure smooth and consistent operation.

The 0100 SSD/HDD has a list price of $1,299 and is TAA compliant. An optional stand is available.

Security Engineered Machinery Introduces Shredder Specifically for Credit/ID Cards and Dog Tags

July 15, 2019 at 6:14 pm by Heidi White

IDShred65 addresses growing need for efficient and effective destruction of cards and dog tags that contain personally identifiable information (PII)


Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the IDShred65 ID and dog tag shredder. This device is specifically designed for the destruction of plastic and metal credit cards, dog tags, and ID cards such as CAC IDs and driver’s licenses.

“The IDShred65 was created to address a growing need to destroy cards and dog tags in both the commercial and federal markets,” said Nicholas Cakounes, SEM Executive Vice President. “Unlike competitor models, SEM’s IDShred65 easily destroys the heavier, thicker credit cards of today including metal cards.”

The all new IDShred65 is enclosed in a compact metal cabinet mounted on casters for portability and ease of use in office environments. It also boasts a rugged, all steel cutting head that is specifically designed for the efficient destruction of thick metal cards and tags. Designed with operator ease of use in mind, the IDShred65 has a customized feed slot for cards and tags, a modern, sleek design, and plugs into a standard 120V outlet. It also comes standard with integrated safety and convenience features including an LED control panel with auto start/stop and reverse and bag full and door open indicators. In addition, the IDShred65 is an eco-friendly product, featuring an Energy Savings Mode that shuts off power when not in use and operating without the use of oil.

“We are thrilled to offer the IDShred65 to satisfy the rapidly growing need for on prem destruction of dog tags and cards, both metal and plastic,” added Bryan Cunic, SEM Director of Customer Care. “SEM has long been an innovator of high security information destruction technology and the new IDShred65 continues that tradition of excellence.”

The IDShred65 has a list price of $5,999 and is TAA compliant.

Field Service Technician / Industrial Equipment Installer

June 25, 2019 at 3:01 pm by Heidi White

Security Engineered Machinery is in need of a hands-on, skilled Field Service Technician who can work in a fast-paced and varied environment. SEM is a leader in providing, installing, and servicing shredders, rotary knife mills, and other destruction equipment used for destroying paper and electronic media. Visit the SEM website at semshred.com for company and product information.

Responsibilities and Duties

  • Install, service, and maintain light and heavy duty industrial equipment
  • Troubleshoot and repair industrial equipment
  • Assemble and erect ductwork and other ancillary items to support industrial equipment
  • Assemble and recondition industrial equipment
  • Read mechanical and electrical drawings
  • Communicate verbally and in writing with customers and with all internal levels
  • Write service reports
  • Other duties as assigned
  • MINIMUM 50% travel both domestic and international

Qualifications and Skills

  • Strong electromechanical background with good mechanical skills
  • Service experience and/or manufacturing experience, minimum of 2 years
  • Responsiveness to customers’ needs and ability to problem solve at a technical level
  • Ability to work independently and multi-task with attention to detail
  • Current driver's license and safe driving record
  • Technical education or higher
  • Computer skills and basic math skills
  • Strong communication and interpersonal skills
  • Security Clearance and valid Passport a plus
  • Must be a US Citizen

Benefits

SEM offers an exciting participatory environment, competitive compensation, attractive benefits including medical, dental, 401K, paid time off, profit sharing, and personal growth opportunities.

Please send resume, cover letter, and salary requirements to m.divirgilio@semshred.com.

Why Data Centers Need to Know About GLBA Compliance

May 14, 2019 at 1:10 pm by Heidi White

Data privacy and data protection rules are hot topics, having prompted us to consider exactly how we share, store, and dispose of our personal information from the individual level to the corporate level. Indeed, most (if not all) businesses must now adhere to some sort of data protection and privacy policy as set forth by industry standards. But what happens if your business interacts with other businesses that have their own policies and regulations to follow? Do you have to adopt those rulings for your business in order to continue working together? In most cases, the answer is yes.

Take data centers. If you operate such a business, you likely have stringent rules in place for securing the data you house on behalf of your clients. But, do you also follow the data regulations and privacy policies set forth by your clients? If your answer is no and your clientele is covered under the GLBA, you’ll need to revisit your information security plan immediately to incorporate GLBA compliance.

What is GLBA?

The Gramm-Leach-Bliley Act (GLBA) of 1999 mandates that financial institutions and any other companies that offer financial products to consumers such as loans, financial or investment advice, and insurance must have safeguards to protect their customers’ sensitive data and must also disclose in full their information-sharing practices and data security policies to their customers.

Check-cashing businesses, payday lenders, real estate appraisers, professional tax preparers, courier services, mortgage brokers, and nonbank lenders are examples of businesses that don’t necessarily fall under the “financial institution” category yet are included in the GLBA. The reason is that these organizations are significantly involved in providing financial products and services and therefore have access to personally identifiable information (PII) and sensitive data like social security numbers, phone numbers, addresses, bank and credit card numbers, and income and credit histories.


GLBA Compliance: Applicable to More than Just GLBA-Covered Businesses

In accordance with GLBA, organizations covered under this Rule must develop a written information security plan that details the policies put in place at the organization to protect customer information. The security measures must be appropriate to the size of the business and the complexity of the data collected. Moreover, each company must designate an employee or a group of personnel to coordinate and enforce its security measures. Lastly, the organization must continually evaluate the effectiveness of its developed security measures, identifying and assessing risks to improve upon the policy and measures taken as needed.

At this point, you may be asking yourself, “How does this affect my business as a data center?”

The data safeguard rules also apply to any third-party affiliates and service providers employed by the companies covered under GLBA. As such, it is the responsibility of the GLBA-covered company to ensure the same steps are taken by the affiliate third-party to protect the data they interact with or store on behalf of the company. This means companies under GLBA are going to select third-party service providers like yours based on those companies that are also set up operationally with the same steps and policies in place to safeguard sensitive data. Furthermore, organizations under GLBA have the authority to manage the way in which their service provider handles their customer information to ensure compliance with GLBA.

Cloud-based data centers therefore must comply with GLBA rules for security policies and enforcement or risk losing business from those organizations and other potential clients that are covered under GLBA. As the data center operator, you could go about this in one of three ways:

  1. Create separate GLBA-compliant policies for each client organization based on their needs.
  2. Allow each client organization to delineate the GLBA-compliant policies they'd like your business to follow and adopt those accordingly.
  3. Establish one set of GLBA-compliant policies that cover all aspects of data protection and privacy and that can work for all client organizations and potential new business.

[Figure: An SSD before and after going through a SEM Model 2SSD solid state disintegrator]

GLBA and Data Destruction

Just as there are plans and personnel in place to oversee the safeguarding of data while it’s in use, under the GLBA there must be a plan and personnel in place to oversee data destruction when the data has reached its end-of-life. These policies and plans for the proper disposal of secured data should be incorporated into the organization’s information security plan and should be regularly evaluated for risk as well. While this is a straightforward task for the GLBA-covered company, developing and enforcing GLBA-compliant data destruction policies for a third-party affiliate or service provider like a data center is a different story entirely.

Not only do you need to create a set of protocols around data and drive destruction for your data center, you need to be able to prove to your client organization that you can properly dispose of the drives the data is housed on as well as the data itself. This is because both data and drive disposal must be achieved so that neither the data nor the drive can be recovered or otherwise reconstructed after destruction. Since your data center already provides remote access to the information you store, it’s recommended that you purchase and maintain data destruction machinery at your center. This way, you also control where that sensitive information is handled during the data destruction event.

One of the simplest ways to ensure compliance during data destruction events is to work with the GLBA-covered organization to assign certain personnel to that task within your data center. For instance, assigned personnel within your company as well as the client company’s GLBA task force would be required to be on-site during data destruction events. Both parties would be responsible for enforcing data destruction at the data center, including the documentation of every data destruction event, to ensure compliance and alleviate liability in the event of a breach.

Security Engineered Machinery is the global leader in high security information end-of-life solutions including paper and IT shredders, crushers, disintegrators, and degaussers.

FISMA Requirements: Are You Compliant?

May 2, 2019 at 6:55 pm by Heidi White

All US-based organizations and agencies, whether public or private, must comply with certain information security measures when it comes to data storage and disposal. For government agencies and affiliated organizations, information security is paramount because of the sensitive nature of the information housed within these parties. To ensure the protection of proprietary United States data, legislation to regulate proper data and information security management was passed as part of the Electronic Government Act of 2002.

Called the Federal Information Security Management Act (FISMA), this law focuses on the importance of data security as it relates to the economic and national security interests of the US. As such, FISMA stipulates that all government agencies, government contractors, and any organization that exchanges data directly with a government system must safeguard all of their information technology (IT) systems, including stored data, by developing, documenting, and implementing an information security program.

In 2014, this law was amended to the Federal Information Security Modernization Act (FISMA 2014) to bolster the authority of the Department of Homeland Security (DHS) to administer, implement, and provide technical assistance with information security policies for non-national-security (civilian) federal Executive Branch systems. FISMA 2014 also updated and clarified the oversight authority of the Office of Management and Budget (OMB) and its ability to eliminate inefficient and wasteful reporting by any organization under FISMA. It also sanctions DHS' role in assisting OMB with this responsibility.

FISMA: Who It Affects and Why It’s Important

The purpose of FISMA is to protect government information, assets, and operations against natural threats and criminal activity, whether from within the US or outside. Therefore, any US organization directly related to or doing business with the US government, including federal- and state-level government agencies and contractors, state government departments, military subcontractors, and even data clearinghouses fall under FISMA regulations.

Failure to pass a FISMA inspection by DHS or OMB can result in unfavorable publicity for your organization and a cut to your IT budget, as well as significant administrative ramifications for your organization. However, failure to comply with FISMA, especially when it comes to breach avoidance and proper data destruction, can have much grander and more catastrophic implications for you and your organization. Should any of your private, secured federal data be compromised and your organization be found noncompliant, there are serious civil and criminal federal consequences.

How to Comply with FISMA

C-suite executives like chief information officers, information security officers, senior agency officials, and agency program officials are all responsible and held accountable for ensuring compliance of FISMA within their respective organization.

As stated in FISMA, these federal or otherwise federally-affiliated organizations must develop, implement, and accurately manage an information security program to safeguard the IT systems and any ensuing data that is collected, stored, and transferred. This includes documentation of both the security systems and the access granted to stored federal information.

The National Institute of Standards and Technology (NIST) outlines steps that these individuals should take to comply with FISMA:

  1. Track and categorize all information and media devices that must be protected.
  2. Set baseline security controls. Implement and document their use in the appropriate security system.
  3. Regularly refine these controls using a defined risk-assessment procedure as part of an annual review process.
  4. Authorize the IT system for processing within the selected group of authorized personnel and monitor the systems on a regular basis.

Complying with FISMA also extends into data destruction and device disposal practices. Full data destruction requirements can be found under the Federal Information Processing Standards (FIPS) Publication 200: Minimum Security Requirements for Federal Information and Information Systems. According to FIPS, organizations under FISMA must:

  1. Set and enforce policies for protecting all data and information systems, whether on paper or in digital format.
  2. Appoint authorized personnel for sole access to the IT systems and federal information.
  3. Ensure complete and total destruction of both the data and the media on which it is stored upon reaching end-of-life.

When it comes to the disposal of this federally-protected private data, FIPS also states that the organization must develop and enforce a set of policies for how the data and media should be destroyed, and accurately document every data disposal event, most easily accomplished by using an audit-friendly media tracking system such as SEM’s iWitness. It’s recommended to purchase on-site data destruction machinery and limit access to the data and the data destruction machinery to a small group of authorized personnel.

[Figure: SEM's iWitness media tracking system provides audit-friendly compliance with FISMA's documentation requirements]

Furthermore, when it comes to the data end-of-life cycle, the device in which the data is housed must also be destroyed via degaussing, incinerating, melting, or pulverizing machinery so that neither device nor data can be read or otherwise reconstructed. And, you want to choose a vendor like SEM that has NIST- and NSA-approved data destruction machinery.

The Top 5 Ways Our Personal Data Gets Compromised

April 30, 2019 at 8:26 pm by Heidi White

It seems like we can’t go a week without hearing about a data breach or a situation in which personal data has been compromised. Unfortunately, cybercriminals are becoming more sophisticated in their antics and there is very little we can do to stop cyber attacks from happening.

We can, however, arm ourselves against hackers and identity thieves by first understanding the main ways in which our personal data can be compromised. Then, we can take necessary steps to safeguard our personal data and prevent criminals from accessing our private information.

Understanding How our Personal Data Gets Compromised

The fact of the matter is that there are many ways in which our personal data can become compromised. Yet they all seem to boil down to five main causes, some of which are under our control and some of which are not.

The Top 5 Ways Personal Data is Compromised:


1. Organizational Data Breach: In order to do business with us, organizations often require our personal information. From financial institutions and credit bureaus to medical groups, email and social media platforms, subscription-based platforms and data-storage cloud companies…the list goes on. We trust that the organization follows its outlined security protocols to keep our private information, private. When that organization fails to deliver on its security measures, as we’ve collectively witnessed with the recent onslaught of big-data and cloud-system security breaches, our personal information is subject to unauthorized access and theft. Be sure you trust the organization and understand its data management policies and procedures for how your personal data will be used, stored, secured and destroyed before sharing personal information.

2. Unsecured Internet Connection: Even though it’s enticing to stop in to your local coffee shop or public library to work remotely from your laptop or portable device, you should always check the security of the internet connection you’re about to use, first. Public or otherwise unsecured connections are the most susceptible to cyber-criminal activity; using an unsecured internet connection is like inviting the hackers to your doorstep. In short, if the internet connection can be accessed without a password, don’t connect to it. 

3. Unsecured Device: The same can be said for any device you use to access the internet. From smartphones to laptops and tablets, and now smart home devices like Amazon Echo and Google Home, these devices hold troves of our personal and private data. Maintaining updated security software and firewalls and installing extra protection like two-factor authentication are imperative to ensuring your device is protected from outside penetration. Password strength also falls under device security. Passwords should never be reused, should include characters and numbers as well as letters, and should never be something easily guessed about yourself. Even if you are using a secured internet connection, the lack of security, or lack of updated security, on your device is just another invitation for having your data stolen.

4. Responding to a Scam: Scams are designed to look, read and feel as authentic a communication as possible. Email phishing, ‘robo’ calls and social engineering tactics like personality quizzes are just a few examples of the ever-growing scams hackers and cyber criminals have developed to steal your personal data—right from the horse’s mouth. We often (mistakenly) place our trust blindly into communication efforts like email, phone and social media because those are places we communicate with people and brands we do trust. Always be vigilant of the type of organization and the way in which they communicate with you before you answer. (The IRS, for instance, will never email you or call you for personal information.)

5. Data Storage and Disposal at Home: Probably one of the most overlooked ways in which our personal data can be compromised is how we manage our data at home. Do you have a safe, secure, and designated location at home for all your personal and private documents? (You should.) And, what do you do with sensitive information that you no longer need, like an expired credit card or an old bank statement? If your answer is to cut it up and throw it out, you’re putting your personal data at risk. This also holds true of old devices you want to get rid of. Consider the personal information amassed on the hard drives of your old laptop, tablet, smartphone or other data-storing device. If you don’t properly destroy the hard drive, the data can still be reconstructed and accessed long after you’ve disposed of the device (say, if you turned it over to a buy-back program or, worse, threw it in the trash for a dumpster-diver to find).

[Figure: Security-focused organizations use hard drive shredders to destroy drives at end-of-life]

Proper Data Destruction and Disposal

While there’s little you can personally do to protect your information from a data breach at an organization, ensuring that the companies with whom you do business have a comprehensive data security and destruction policy is a good first step. There are also ways for you to better control your own data security. Taking steps like assessing your internet connections and device security and thinking before you respond to any digital or telephoned communication can greatly help you ensure your private data stays secure and remains uncompromised. 

When it comes to home security measures and data disposal, we recommend you maintain a specific and private place for anything that contains your personal information, and that you bring end-of-life devices to a local data destruction day, often held at universities in the spring. Of course, if you are in the area, you are always welcome to bring your device to SEM for physical destruction. As a final note, if your personal data has been compromised and you’ve become a victim of identity theft, you should report the identity theft incident to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338.

Security Engineered Machinery Provides Compliance Solutions for the Destruction of CUI

April 5, 2019 at 3:22 pm by Heidi White

Secure data destruction device manufacturer supplies CUI line of paper shredders to provide compliance solutions for Executive Branch agencies and their affiliates to meet ISOO’s new CUI directive

[Figure: SEM's entire line of high security paper shredders comply with the new CUI paper destruction requirement]

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to offer a complete line of high security paper shredders that meet requirements of the new Controlled Unclassified Information (CUI) Program instituted by the National Archives and Records Administration (NARA) and the Information Security Oversight Office (ISOO). The Program, which affects all Executive Branch agencies within the Federal Government as well as their affiliates that may handle CUI, mandates that paper containing CUI be destroyed to a 1mmx5mm particle, which is the same particle size as required by the National Security Agency (NSA) for classified and top secret information.

“We have been in frequent contact with NARA and ISOO, including presenting at their first CUI Industry Day held at the National Archives in Washington DC,” stated Todd Busic, Vice President of Security and Intelligence Operations at SEM. “As a result of our communication with these organizations and our commitment to the new directive, SEM has pledged to educate government agencies on the paper destruction requirement of the new CUI Program, which is quite different than what was once accepted as standard.”

“SEM has long been an industry leader in providing solutions on the cutting edge of new technology and on educating entities on new and updated data security regulations,” added Andrew Kelleher, President of SEM. “As a solutions provider to the Federal Government, we are fully committed to assisting NARA and ISOO in educating Executive Branch agencies on the new CUI directive and how best to achieve compliance.”

All unclassified information throughout the Executive Branch that requires any safeguarding or dissemination control is characterized as CUI, and the requirement reaches nearly all government agencies. Further, unclassified data such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Personally Identifiable Information (PII), as well as information relating to critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation matters, all fall under this requirement.

Executive Order 13556 “Controlled Unclassified Information” created a program for standardizing the management of CUI across the Executive branch and designated the National Archives and Records Administration (NARA) as Executive Agent. As such, NARA is responsible for the implementation of the CUI program as well as agency oversight to ensure compliance. The Archivist of the United States in turn delegated these responsibilities to the Information Security Oversight Office (ISOO), which issued 32 CFR Part 2002 “Controlled Unclassified Information” to establish a comprehensive policy for managing all aspects of CUI, including disposal and other program-specific requirements. 

The rule affects not only all federal Executive Branch agencies that handle CUI but also all other organizations that in any way interact with CUI or have access to federal information on behalf of an agency. Therefore, these agencies must implement safeguarding or dissemination controls that are consistent with the CUI Program for any and all unclassified information. Prior to the CUI Program, agencies typically utilized agency-specific policies and procedures, of which there were many, resulting in inconsistently managed CUI.

The ISOO CUI directive has very clear requirements for information end-of-life, mandating that all CUI information be destroyed to NIST 800-88 specifications. For paper, the NIST 800-88 destruction specification is the same as NSA requirements for classified information: a 1mmx5mm final particle size. Therefore, all CUI paper must be destroyed using a high security shredder that produces a final particle size of 1mmx5mm or less, such as those listed on the NSA/CSS 02-01 EPL for classified paper destruction. All of SEM’s high security shredders meet the new CUI mandate.

In an effort to provide clear communication and simplified purchasing for Federal Government agencies, all of SEM’s compliant paper shredders are now marked as being appropriate for CUI destruction. For more information, visit www.semshred.com/CUI.

The Impact of GDPR on US Companies and Organizations

March 28, 2019 at 4:59 pm by Heidi White

With GDPR (General Data Protection Regulation) in effect for almost a year now, even US-based companies are feeling its impact and the need to comply with stricter data security policies. Indeed, it likely won’t be long before the US creates its own set of national data privacy laws that all organizations will have to follow. In 2018, leading US-based technology companies called on the federal government to pass a law similar to GDPR, and in February of this year, the US Government Accountability Office made the same recommendation.

For those organizations that do business internationally, the European security mandate must be adhered to as if it were already a rule from the US federal government. If you don’t, the cost could be catastrophic.


The Criticality of Following GDPR

Not complying means subjecting your organization to a fine of two to four percent of your global annual revenue for the most recent fiscal year (on average, as much as $11-24 million). But it’s not enough to simply ensure your current privacy policies comply with GDPR. Breaches happen even to US organizations whose existing practices meet those compliance requirements.

You should instead look at the bigger picture and take a thoughtful approach to your data security measures, using GDPR as your guide. For one, the GDPR looks at data differently and holds that all private data is owned by the customer, not the business that collected it. For another, just because you’ve protected the data from breaches within the US doesn’t mean the data held by your global company couldn’t be improperly accessed outside the country.

Using GDPR to improve all your data-related policies can help you to find any gaps in your current security that could be closed, especially as it relates to data destruction and hard drive end-of-life practices. By putting the customer first over your business, as GDPR stipulates, you can better ensure the protection of personal and otherwise private information when it is no longer necessary to your business.


Think about your customer data and how it is stored. If you’re using a cloud system (as almost all of us are), your data isn’t housed in just one data center but in many, and that data is duplicated across multiple drives to protect against data loss if a drive fails. For businesses operating outside the US, that means the data centers housing this private information you are charged with protecting are not just within the US, but across the globe. Your data destruction policies therefore must address practices for drive end-of-life, something that happens on a regular basis since these drives operate 24 hours a day, seven days a week, all year long.

Even if you don’t house your data across global centers, but you do business with EU customers who share their private information with your company, your business still has access to their data and therefore you must protect it, even upon disposal. More importantly, under the GDPR, any EU citizen has the right to request their information be eradicated and you must comply and delete the data while maintaining protection even after disposal.

So, how do you ensure your data disposal policies comply with GDPR for drives as well as for customers halfway across the world?

GDPR-Compliant Data and Drive Destruction Best Practices

GDPR requires your organization to place someone within the company in charge of overseeing and managing the compliance policies. Dubbed the Data Protection Officer, this person will be your key authority on data disposal and drive destruction as it relates to the GDPR. Along with this person, you’ll want to create a small group of personnel also within the US that will have the authority to access your company’s data.


At the very least, your Data Protection Officer should be on-site for drive destruction that occurs outside the US, such as if a drive in one of the data centers where your data is housed reaches end-of-life. It is crucial to have this person on-site to ensure your GDPR-compliant data and drive destruction policies are being followed. For one, this ensures control over who is accessing your data. For another, without this person present, you are blindly trusting that your data and drives have been properly disposed of, and that the person carrying out the disposal is not lying to you when they tell you the proper practices have been completed. What if this person, who reported to you that the data was properly destroyed, instead sold that data to a third party in another country or to a cybercriminal on the dark web? Sure, you can take legal action against this person after the breach has come to light. But the fallout from the breach itself can’t be stopped once it’s begun.

It’s therefore extremely important to require your Data Protection Officer or someone within your authorized personnel group to be on-site for outside-US data and drive destruction, and that this person must provide an audit report for the data and drive destruction event.

For drive destruction within the US, your Data Protection Officer and authorized personnel should manage the disposal process from start to finish. It’s recommended that you create a private space within your organization to house a data and/or drive destruction machine, rather than work with a third party off-site. We have data destruction machinery that is compliant with GDPR stipulations. It may also behoove your organization to keep an audit record of each disposal to prove your company’s compliance with GDPR in the event a breach does occur.

Hard drive shredders are the most efficient and secure method of destroying rotational hard drives.

Weighing the True Costs of Data Breaches

We already mentioned the massive fine that the GDPR Supervisory Authorities will issue to an organization under GDPR that is found to be noncompliant when a breach occurs. Then there’s the typical range of costs associated with data breaches, including legal fees for counsel and any action the company takes in its defense, civil and criminal penalties under US federal regulations and, of course, potential lawsuit payouts. Factor in the non-financial costs to your business, such as damage to your reputation and integrity along with a loss in your customer base, and you’re looking at a total cost to your organization that could severely impact its existence.

The irony is that by planning for the worst and investing in a team as well as the necessary on-site data destruction machinery, you can save your company’s standing as well as its revenue. Operating under GDPR rules includes making sure your company has the proper data and drive disposal methods that are deemed GDPR-compliant. SEM has plenty of affordable options, and when all things are considered in the aftermath of a breach, this technology provides protection at a fraction of the price it would cost if you were to experience a breach.

Mechanical Engineer

March 4, 2019 at 4:02 pm by Heidi White

Job Description:

SEM is looking for an experienced Mechanical Engineer to work in our engineering department. The successful candidate will be responsible for the overall product design, scheduling and time management of the project, including external consultants and suppliers, testing and full implementation into production. This candidate’s focus will primarily be mechanical design, but they will need to specify and integrate electrical components into designs and also interact with and manage electrical design consultants. A good working knowledge of electrical systems and components is strongly desired. The position will also include other tasks when required. These may include the following: supporting production; supporting and troubleshooting products returned for repair; creating product documentation for new products; certification of products; etc.

Job Requirements:

  • Bachelor’s Degree in Mechanical Engineering or equivalent degree/experience.
  • 3 to 5 years’ experience in designing electro-mechanical devices or equipment.
  • Proficiency in 3D CAD modeling. SolidWorks is strongly preferred.
  • Must have some electrical experience, preferably with single and 3-phase AC and DC power systems. Some knowledge of PLC and microcontroller based systems, a plus.
  • Ability to read electrical schematics on both system level and PCB level.
  • Must have good knowledge of machining and a full comprehension of mechanical drawings. Machining experience, a plus.
  • Must possess strong writing, communication, analytical skills and attention to detail.
  • Strong mechanical aptitude and conceptualization skills, strongly preferred.
  • Must be able to work both independently and with vendors, consultants and other departments.
  • Must possess good computer skills and proficiency in MS Word, Excel, and PowerPoint.

SEM is a world leader in providing information destruction equipment to the US Government and Data Centers world-wide.

SEM offers a team-oriented, business casual work environment, with benefits including medical, dental, 401K, profit sharing and paid time off. Please send your cover letter with salary requirements and resume to m.divirgilio@semshred.com.