The Poorly Stitched Patchwork of US Data Security Policy

May 9, 2019 at 5:24 pm by Paul Falcone

Every few months it seems like we have a new data breach that exposes hundreds of thousands – if not millions – of individuals’ personal and private data. From the Equifax leak in 2017, to Yahoo in 2013, to Marriott in 2018, customers are losing faith in companies to properly handle their private data. In fact, as of 2017, over 64 percent of Americans had personally experienced a data breach, and with the latest leaks over the last two years, it’s fairly safe to assume that the number has grown even higher.

As the rest of the world continues to move towards a singular, comprehensive, and consumer-focused data security protection plan, the United States continues to fail to pass any meaningful legislation. This lack of forward movement, coupled with the fact that U.S. citizens are more concerned about their data than ever, has led individual states to take the responsibility on themselves. The problem, however, is that this only creates more headaches for both consumers and companies as a whole.

So what laws are in place right now?

Right now, instead of a unified regulation for personally identifiable information (PII), individual industries are given their own regulations. The healthcare industry and the credit card industry are two examples of this, governed by HIPAA (Health Insurance Portability and Accountability Act) and PCI-DSS (Payment Card Industry Data Security Standard), respectively. While having some sort of regulation can provide clarity for companies and more transparency for citizens, the truth is that states can pass their own regulations within these industries, so how a single company must respond becomes a state-by-state question. Confusing, right?

To fix this, some states, like California, have decided to try to lay the groundwork for a more uniform, consumer-focused approach. The California Consumer Privacy Act (CCPA), which was passed in 2018, will go into effect January 1, 2020 and looks a lot like Europe’s General Data Protection Regulation (GDPR), which went into effect in 2018. The Act, which would affect any company that does business with customers who are citizens of California, would provide the following protections to consumers:

    • A consumer must be notified of what personal information is being collected, how it is collected, and whether it will be disclosed or sold.
    • Consumers must have the right to easily opt out of having their personal information sold.
    • Consumers must be informed that they have the right to have their personal information deleted. The process to do so must be easy and straightforward.
    • A consumer exercising these new rights cannot be discriminated against as a customer for opting out of any data sharing or for having their information deleted.

This is a good start not only for consumers in California, but for consumers across the U.S. As stated above, this Act would affect any company that does business with consumers in California, meaning that companies that exist in other states but still sell to California will be affected.

Other states, including Colorado and New York, have passed their own laws as well. In Colorado, the Protection for Consumer Data Privacy Act was passed in September 2018, while in New York the Stop Hacks and Improve Electronic Data Security Act was first introduced in 2017. In fact, 35 U.S. states currently have some form of data privacy and disposal regulation in place. All of these regulations vary from the California Act, which makes it even more difficult for companies to comply when doing business across state lines.

So why isn’t this happening at the federal level yet? There seems to be bipartisan support, with bills being submitted from both sides of the aisle, but progress has been slow. As these data breaches continue to happen, policy at the federal level will have to jump in sooner or later. Over the last year, five separate bills have been drafted and submitted to Congress with varying takes on the government’s role in regulation. The bills include the following:

    • The Customer Online Notification for Stopping Edge-provider Network Transgressions (CONSENT) Act by Richard Blumenthal (D) and Ed Markey (D).
    • The Social Media and Consumer Rights Act of 2018 introduced by Amy Klobuchar (D) and John Kennedy (D).
    • The Consumer Data Protection Act introduced by Ron Wyden (D).
    • The Data Care Act introduced by Brian Schatz (D).
    • The American Data Dissemination Act (ADD) introduced by Marco Rubio (R).

Each of these bills looks at the issues of data security from a different point of view and has its own opinions on the role of government, how much access a customer should have, and what the consequences for responsible parties should be in the event of infractions.

The CONSENT Act by Blumenthal and Markey was proposed in April of 2018 and looks to have the Federal Trade Commission (FTC) draft a set of federal rules around suggested guidelines. These suggestions are that consumers would have to opt in to having their data collected and used, as opposed to having to opt out, as so many companies require now. The Act also suggests that consumers who opted in would have the right to know how their data was used and to whom it was going. It would also prohibit companies from refusing service to consumers who refuse to share their data.

The Social Media and Consumer Rights Act of 2018 was introduced in April of 2018, just two days after the CONSENT Act. The Act was drafted by Klobuchar and Kennedy and shared many ideas with the CONSENT Act. This Act aimed to make data collection by companies more transparent and to give consumers both the ability to opt out of data collection and the ability to view what data has been collected. Another key point was that in the event of a data breach, all affected parties must be notified within the first 72 hours of detection. The FTC would be the governing body, and individual states’ attorneys general would handle civil enforcement.

The Consumer Data Protection Act by Wyden was introduced in late fall 2018 and carries a lot of the same ideas as the previous two. The Act suggests that consumers have the right to opt out instead of opting in to data collection, and that companies be more transparent about how the data is used. He also suggests that the FTC be provided with increased funding to be able to properly oversee these new regulations. However, the big difference in Senator Wyden’s Act comes from the penalties companies would face.

In the Act, Wyden suggests that any company that has revenue exceeding one billion dollars or warehouses data on over 50 million customers must submit an “annual data protection report” to the government detailing the steps taken by the company that year to protect customer data. The catch is that if there is any misinformation or attempt to willfully mislead the FTC, there can be a five million dollar fine and up to 20 years in prison for executives. The severity of the penalties makes it a strong contrast to the two acts that came before it.

Next was Brian Schatz’s Data Care Act, which was proposed on December 12, 2018 and builds on all the bills proposed before it. The Act calls for companies to be more secure in handling their consumers’ data and states that consumers must be notified in the event of a data breach. The FTC would be given the power to penalize companies that are misusing consumer data, as well as to hold them responsible for all information given to third parties that originated within that company. The Data Care Act broke down its mission into these bullet points:

    • Duty of Care – Must reasonably secure individual identifying data and promptly inform users of data breaches that involve sensitive information.
    • Duty of Loyalty – May not use individual identifying data in ways that harm users.
    • Duty of Confidentiality – Must ensure that the duties of care and loyalty extend to third parties when disclosing, selling, or sharing individual identifying data.
    • Federal and State Enforcement – A violation of the duties will be treated as a violation of an FTC rule with fine authority. States may also bring civil enforcement actions, but the FTC can intervene.
    • Rulemaking Authority – FTC is granted rulemaking authority to implement the Act.

The Data Care Act had the largest following, with 14 other Congress members co-sponsoring the proposal.

Rubio’s American Data Dissemination Act takes a different angle. Proposed in February 2019 with no co-sponsors, his bill suggests that the FTC itself draft the rules, like the CONSENT and Data Care Acts, and send them to Congress for approval. It is stated that the FTC would seek to create rules for the “tech giants” while exempting smaller companies from the same rules, allowing them a chance to be competitive within their industries. The Act would prioritize consumer welfare over corporate welfare and would preempt state law, meaning that it would supersede the state laws that are being drafted and implemented in individual states. Unlike the previous proposals, Rubio’s is more open to the FTC drafting the ruleset, with fewer suggestions from him directly beforehand.

So where are we now?

While none of these proposals have gained a lot of traction, they serve as a spark that spreads into a conversation among consumers, politicians, and companies alike. The fact that these proposals keep coming shows that it’s not a matter of if, but a matter of when the U.S. will have a federal data privacy policy.

Around the world, Europe, Japan, and Canada are all taking uniform approaches that keep data security laws consistent across their countries. This makes the guidelines easy to follow for companies and easy to understand for consumers. In Europe, GDPR has launched with increased consumer rights, and companies are already being penalized for failing to comply. Canada had the Personal Information Protection and Electronic Documents Act (PIPEDA) go into effect November 1, 2018, further protecting the personal information of its citizens and holding companies responsible for breaches. In Japan, a Personal Information Protection Commission was created to enforce a regulation that would be in compliance with GDPR’s new guidelines.

Soon the U.S. will have to follow suit, and it will make everyone’s data safer in the process. But it’s not hard to make something that is safer than the poorly stitched together patchwork of policies that we have in place now. A patchwork where we’re one data breach crisis away from it all ripping apart.

Security Engineered Machinery is the Global Leader in High Security Information End-of-Life Solutions. 

Credibility Counts, Ask Around

April 9, 2019 at 3:44 pm by Paul Falcone

We’ve all had a point in our lives when we need to purchase something that we know we need but don’t know much about.

Maybe you’re in a store looking for something, with eyes frantically browsing the shelves and looking at all the different items, trying to distinguish between all the various products, versions, and makes. As the choices add up, maybe you decide it’s best to ask for someone’s opinion. Someone who works at the store happens to be walking down the aisle and you signal for help. It is in this moment that you start deciding whether this person has the knowledge to be able to help you or not.

Because after all, they could have just as little knowledge as you about this product.

After a discussion, you discover that it was true: the employee wasn’t knowledgeable enough about the product to make you feel comfortable with a purchase. So you head home empty-handed, deciding that you’ll take your questions elsewhere. Somewhere with all the answers in the world.

The internet.

The internet can be an equally overwhelming place when trying to find accurate information about a product. In a world that is becoming more and more connected, the amount of information that is available to us is growing exponentially. How can you sort through all of this information and deduce what is accurate and honest information, especially with people out there trying to scam and get the best of you?

Sites like Amazon and Google try to combat this by showing us user review scores and comments of people who have purchased items. But even these can be manipulated. So when it seems like it’s impossible to find the information, who can you really trust?

How do you know you can trust a product?

Ask around. They say word of mouth is the best kind of marketing, and real people who have used the products can give you the most honest answers. Chances are, if you’re in the market for a high security destruction device, you know someone who has worked with Security Engineered Machinery, the global leader in high security information end-of-life solutions for over 50 years.

At Security Engineered Machinery, we have the experience to answer any questions you may have concerning your sensitive to classified destruction needs. Most of our sales team has been in the industry for over 20 years. We have more experience creating destruction solutions than any other company. We were founded in 1967 and have 52 years in the destruction business, granting us an unparalleled depth of experience. Document and media destruction is our ONLY business and we are 100% focused on improvements.

When you purchase a system from SEM, you can feel confident you will receive the quality and support you’ve come to expect from us. The sales team at SEM holds integrity above financial gain and is always willing to go the extra mile. Our clients, many of whom are repeat customers, are among an elite group of security professionals in the government as well as the civilian sectors who have used our machines in various offices and locations worldwide. When they move to a new location and need a new destruction device, they inevitably contact SEM – and that’s the best testimonial you can have.

Why do we have so many long-term relationships? Value: you will get the quality you expect. Convenience: it does what we say it will do. Customer support: we will be here to help you through the life of your machine. Service: our dedicated service department is ready to assist at a moment’s notice.

Most importantly, SEM has the expertise and the knowledge base to meet or exceed your expectations as well as the most knowledgeable sales team in the business with the highest integrity to solve your destruction problems.

Sarbanes-Oxley and Data Destruction: How to Best Comply 

March 11, 2019 at 4:00 pm by Paul Falcone

If you operate or manage a public company or a non-public company with publicly traded debt securities, you’ve certainly heard of the Sarbanes-Oxley (SOX) Act of 2002. This law is also aptly referred to as the “Corporate and Auditing Accountability and Responsibility Act” or the “Public Company Accounting Reform and Investor Protection Act”. 

The SOX Act was enacted by the US federal government to address the standards by which the management and board of directors of any domestic public company handle the financial information and financial reporting of the organization. The SOX Act also extends to public accounting firms as well as to other companies that do business with publicly traded companies, even if said company is not a publicly traded entity. 

The SOX Act aims to strengthen the audit committees of these US-based public companies as well as hold the management and officers liable to the accuracy of the financial statements for the business. In so doing, this Act works to prevent securities and investment fraud by the organizations covered under SOX.  

General Regulations of the SOX Act 

The Sarbanes-Oxley Act is made up of two main clauses. According to Section 404, Management Assessment of Internal Controls, Clause A requires these publicly traded companies to create a commission on behalf of the company that develops and enforces rules for maintaining an internal control report for each annual report required by section 13(a) or 15(d) of the Securities Exchange Act of 1934 (15 U.S.C. 78m or 78o(d)). This internal control report must include information and policies on how management establishes and maintains an adequate structure for internal control as it pertains to the financial reporting of the company. Clause A also requires the commission to write up an annual report on the effectiveness of the internal control policies and financial reporting procedures at the end of each fiscal year.

Clause B expands on the regulations for the internal control evaluation and reporting, adding the requirement that the commission or registered public accounting firm issuing the audit report accurately prepare the audit as stated in Clause A. That is, said commission or public accounting firm is also held liable for the information reported about the management of the stated financial information in the internal control report.

Maintaining compliance with the SOX Act therefore means ensuring all financial information and reporting that pertains to the organization is kept secure and protected from unauthorized personnel and possible theft.  

Data Security Best Practices

When it comes to financial data end-of-life cycles, it’s therefore extremely important for companies covered under the SOX Act to appropriately destroy their data so that the information contained cannot be accessed or reconstructed. In so doing, the company further maintains SOX compliance and ensures fraud prevention of its financial reporting, even as the data has been slated for decommission.  

This means not only proper disposal of the data, but also of the hard drives or electronic storage media housing the data. Organizations covered under the SOX Act must use the proper channels and procedures for data destruction. Such methods include overwriting non-sensitive information with software or hardware to clear the data (not recommended due to the recoverability of data from “erased” drives), degaussing the media and rendering the magnetic field permanently unusable, or destroying the media by disintegration, pulverization, shredding, melting, or incineration.

Rather than work with a third party off-site to destroy the data and drives, it’s recommended that the organization create a designated, private space within its premises for the data destruction and drive disposal. The organization should also consider limiting access to the data and drive destruction procedures within the private space to only a select number of authorized personnel. Enforcing restricted access within a private, on-site space further protects and secures the data from theft and misuse.  

Final Considerations for Data Destruction 

Working with a vendor like SEM that provides on-site data destruction machinery is essential to maintaining control and security over your financial data. Allowing a third party to take your data off your premises can be extremely risky because they are not liable for your data security. For instance, imagine if that third party you hired did not actually destroy your drives but instead sold your financial data to an outside party.

It’s also a good idea to check that the vendor you are working with has machinery that adheres to NSA and NIST 800-88 guidelines for data destruction and SOX Act compliance.  

Destroying Metal Credit Cards – What’s the Difference?

March 8, 2019 at 6:40 pm by Paul Falcone

Metal credit cards are becoming more and more common in today’s high tech environment. Originally reserved for the well-off, these flashy cards have become almost commonplace. Although they often offer the same functionality and benefits as their plastic counterparts, they all come with what’s called the “plunk factor”. Their heavier, sleek design and luxurious feel get you noticed when you plunk them down to pick up the check. However, this plunk factor gives the cards an added density and thickness that means they sometimes need to be destroyed differently than their plastic counterparts.

More Durable. More Information.

Increases in cybersecurity awareness and data breaches have led to a greater demand for better and more secure solutions to control credit information. The need to be able to destroy these heavier, more durable cards has become more important than ever, with customers and companies alike looking for the safest and most secure way to do so.

Metal cards today can be produced with brass, copper, stainless steel, and even composite mixes of metal and plastic. While data used to be stored only in the print and magnetic strip on a credit card, the push for more security has seen most major card producers add a chip that also stores sensitive information. So we have more durable cards with even more areas holding sensitive data – data and information that can still be accessed even after the card has expired.

How to Destroy: Shred or Disintegrate?

When it comes time to dispose of metal credit cards either due to expiration or possible fraud, credit card issuers will offer to send customers a pre-paid envelope to send cards back for destruction. Once returned, the credit card company is responsible for recycling or destroying the cards. The PCI Security Standards Council guideline for destruction is to destroy credit cards by “shredding or grinding such that the resulting material cannot be reconstructed”.

One method of destruction is with a heavy duty shredder capable of accepting different types of media including paper, CDs, credit cards, staples, and paper clips. The SEM model F65 cross-cut shredder, with a capacity of up to 65 sheets per pass, can be used for light volumes of metal credit card shredding. It can effectively shred these cards into strips similar to shredded paper strips. Once shredded, there is little chance any of the information on the card can be accessed.

Another method of destruction for metal credit cards is with a disintegrator. These machines use rotary knife mill technology to destroy a variety of bulk material. A disintegrator can shred larger volumes of metal cards at higher capacities and can also be customized to shred to a specific particle size. Available with larger horsepower motors and customizable particle sizing screens, disintegrators like the SEM Model 1012 are designed to be used in multiple applications where secure destruction at higher capacities is needed. Disintegrators offer greater assurance that the data bearing elements (magnetic strips and chips) are destroyed so that the information stored on them is no longer accessible.

Deciding between a shredder or a disintegrator can seem challenging. The proper solution should be based on the needs of the application. Material being destroyed, desired volume and throughput, particle size, and power requirements are all important factors to consider when selecting a destruction device. SEM has experience working with several different credit card manufacturers and various credit card types. If you would like to send us samples of the cards you need destroyed or want to visit us in person to view our capabilities, SEM is here to work with you to ensure your needs are met.

The True Cost of Data Breaches

March 1, 2019 at 9:14 pm by Paul Falcone

While you may be hearing about them more and more frequently, the truth is that data breaches have been occurring since before the digital age. For instance, personnel viewing a hard copy of medical files without authorization is considered a data breach. But it’s our heavy reliance on digital platforms to store data that has brought security issues and, thus, data breaches to a whole new level. In fact, identity theft from exposed data records is the most common type of data breach incident across the globe.

Data Breaches are Rising

According to recent statistics as compiled by Statista, data breaches across the United States have been on the rise for over 10 years, and it’s not a small incline by any measure. In fact, the recorded number of breaches in the US has gone from 157 million in 2005 to 1.579 billion in 2017. What’s more, nearly all of these 2017 breaches were amassed in the business sector.

In the first half of 2018 alone, there were 668 million breaches recorded, totaling over 22 million data records that were exposed.

The Costs: More than Just Money

The rise in data breaches has also caused a correlated rise in the financial costs of the breaches. In fact, a recent study conducted by IBM Security and the Ponemon Institute reported that in 2018, the average global cost of a breach was up to $3.86 million, and the average cost per exposed data record was $148 per record. These increases are largely due to the increase in data breach sizes. That is, the financial costs of data breaches keep going up because the data breaches themselves are exposing larger amounts of data.

These financial costs extend beyond the money that is paid out by the organization to recover the exposed data. For one, if the organization is publicly traded, its stock value could decrease. For another, its number of shareholders or stakeholders could also decrease, furthering the financial loss of the organization. In addition, if the breach includes information on European citizens, fines imposed under GDPR can total up to 20 million Euros or four percent of the company’s global annual revenue, whichever is higher.

Yet, the financial cost is just the tip of the ‘iceberg of cost’ for organizations that become victims of a data breach.

Data breaches involve such private data as Personal Health Information (PHI), Payment Card Information (PCI), and Personally Identifiable Information (PII), as well as trade secrets and intellectual property. When these types of personal data are exposed, it can compromise not only the integrity and reputation of the organization from which they came, but also its consumer base. On an individual level, it could negatively affect everything in that person’s life, from their ability to buy a home and get a job, to that person’s financial standing and even their mental health.

The effects on the consumer level can then have an even more adverse effect on the organization, because with a data breach comes a more intangible breach, one of trust between the consumer and the organization. Often, when a consumer loses trust in an organization, it is extremely difficult to rebuild that relationship.

It’s not an easy fix. It takes a lot of time and persistent effort on the part of the organization to earn that trust back; whether that’s literal time and effort on the part of the organization’s employees, or money and time spent in PR management and in marketing communication to try to change the consumer’s perception of the organization. While some organizations have the business foundation and financial backing to recover from a breach, for others such reputational and consumer damage could be catastrophic to the business. In fact, approximately 60 percent of small businesses that suffer a data breach go out of business within six months.

Of course, one way to ensure this data security within your organization is to protect your data and destroy old drives as soon as they reach their end-of-life cycle. Proper data disposal means destroying both the data stored as well as the device or media on which the data is stored. It’s important to remember that for digital media, the device should first be degaussed before it can be destroyed by means of shredding, pulverization, melting, disintegration, or incineration, rendering both data and device unreadable and unable to be reconstructed.

You can work with a third party vendor who will destroy your data and drives for you; however, the safest and most secure way to dispose of data is to work with a vendor like SEM who provides your organization with the necessary data disposal machinery that can be kept on-site and be used only by your authorized personnel. By keeping the end-of-life destruction on site, you not only have the most secure procedures, but save the most money.

Ultimately, don’t take the chance when it comes to breaches. The real cost is too great – losing money, your business, and your entire company or organization – and it is preventable. Take the steps today to ensure your future is safe and secure.

How to Maintain Data Security in the Secure Printing Industry

February 25, 2019 at 2:12 pm by Paul Falcone

Let’s Get Personal.

When you work in the secure printing industry, you’re working with Personally Identifiable Information (PII) every day. Regulations like the Fair and Accurate Credit Transaction Act (FACTA), General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and Intergraf have changed the way that we handle and process paper, credit cards, printing plates, and more. So, with all these rules and regulations, are you taking every step necessary when these prints reach the end of their life and need to be securely destroyed?

The Risks:

You may feel that your company or organization is doing a good job destroying data because you’ve been breach-free and have had no major security problems. But in private data and security, threats are constantly evolving, changing, and adapting to the systems that are in place. If you end up being the victim of a breach and word gets out, the following can happen:

– Loss of customers/clients and of confidence in your business
– Fraud losses, legal costs, and fines/penalties
– Ultimately, lost jobs and going out of business

In fact, studies show that over 60 percent of small businesses that experience a breach never recover and end up going out of business within one year. To avoid this, you need to have a preemptive plan of how to destroy sensitive data correctly and efficiently.

Destruction Guidelines: What Do I Do?

Paper:

A high quality data destruction shredder can be used to shred all documents that contain any PII. According to FACTA, a shredder needs to make paper unreadable and unable to be recovered. For print, this includes shredding, pulverization, and burning. The NSA standard for print to be unrecoverable is a 1mm by 5mm particle size. A machine like the 244/4 High Security Paper Shredder would do the trick.

In Europe, GDPR pushes for more than just the secure destruction of PII. According to Article 17, the “Right to Erasure”, any consumer can request to have all their personal information wiped from a company at any given time. If a consumer makes the request, the company has 30 days to comply and remove all sensitive information it has on the individual. The GDPR standard for paper destruction is a 10mm particle size. This Unclassified shredder list will meet the standard set forth by the GDPR while allowing you to choose a model that fits your workload.

Credit Cards:

When creating a new credit card, PII can be left behind before the card is even shipped out. Within the process of printing information on a new card, a printing plate is used to create the lettering, design, and some of the security features on the card. In the same manner, tipping foil that is used to personalize cards can have the numbers from the card left in the foil after use.

To be properly secure and maintain client security, all parts of the process must be properly destroyed, including the credit cards themselves. Intergraf, the European federation for print and digital communication, is a rising standard that is quickly being adopted in the secure printing industry. The most security-focused printers are choosing to become Intergraf certified, as more and more clients begin to request that their information be properly handled and destroyed. The standard for printing plates is DIN 66399 P-1, while for credit cards the standard is a minimum of P-5.

Credit cards shredded to the DIN 66399 P-5 standard.

When you have a large load of cards to destroy, a machine like the 0201 OMD Optical Media Destroyer would be more than enough to securely destroy cards to a size no one could recover. If you need to destroy credit cards, tipping foil, and printing plates, we recommend using a machine like the 1012/5, which not only destroys all the materials listed, but also runs free of oil.

While the world around us likes to say that print is going away, the reality is that it’s not. The steps that you take today to prepare for the destruction of PII could not only save you money, but your entire job and company as a whole. Keep up to date with the latest standards and use high quality shredders to ensure that you maintain data securely and professionally for you and your clients.