classified data destruction Archives

Centralized vs. Decentralized Destruction: What’s the Difference?

April 17, 2023 at 2:36 pm by Amanda Canale

As with most new technology, ideas, and solutions, there are pros and cons. In this month’s blog, we’re breaking down the main similarities and differences between centralized and decentralized destruction environments.

Centralized Environment

A centralized environment is, essentially, one space where all of the magic happens. Whether it is a centralized record center or destruction environment, everything that happens and everything being stored are in one location.

For example, let’s refer back to our Level 6 Data Centers: Best Practices in Security blog. The sixth level of the Google data center is known as a centralized destruction environment because all the destruction occurs in one, central space. At this level, security is at an all-time high, with very few personnel having access.

Another example of a centralized environment, but in this case a record center, is a single space where all records are kept. It could be a doctor’s office where all patient files are kept or a cloud-based system where all files and documentation are stored. Since centralized environments hold a substantial amount of information, they are typically organized by separate teams or personnel with a very high level of clearance.

CENTRALIZED ENVIRONMENT PROS:

One main pro when it comes to a centralized environment, in this case destruction, is that all of your destruction occurs in one place. There isn’t a concern for whether a drive was left on someone’s desk or an end-of-life document was misfiled since there is a system in place that requires all end-of-life drives and documentation to be in one place at the same time. This allows for a highly organized destruction plan and seamless organization system.

With a centralized environment typically comes extra security (remember, all your eggs are in one basket!), which just adds an additional level of protection. This can be in the form of more security cameras, keypads and ID badges, physical security guards, and more. Not only do centralized environments come more protected, they also allow for more opportunities for control.

CENTRALIZED ENVIRONMENT CONS:

By putting one’s eggs all in one basket, while it offers a sense of control and safety, it can also have its drawbacks. Hypothetically speaking, if someone was able to breach that centralized location, they have the world at their fingertips since everything is in one place. Servers can be hacked into, destruction solutions can be tampered with, and precious information can easily be stolen. However, this is also why extra security measures are taken, whether the environment is centralized or not.

Decentralized Environment

On the contrary, a decentralized environment is where all of the records or destruction occurs across multiple rooms, spaces, or even floors. A decentralized environment could be the same doctor’s office mentioned earlier, but where patient personal health information (PHI) is kept spread out among various storage locations, workstations, multiple servers, etc.

DECENTRALIZED ENVIRONMENT PROS:

Decentralized environments allow for data to be stored in more than one place offering more accessibility, and allowing those who need to access the data to be closer to it. By having their data in multiple and closer locations, there’s no need for long walks across the data center or building, or extra physical layers of security.

Depending on how sensitive the information is, a decentralized record center can sometimes offer more protection since there are multiple points of access and entry, which mean more opportunities for a hacker to fail.

DECENTRALIZED ENVIRONMENT CONS:

With multiple points of entry and access, also come…more money. Decentralized networks, destruction, or record environments require more upkeep, more maintenance, more storage, and more security.

The consequences of improper data destruction are endless. By opting for in-house, centralized destruction, companies have complete oversight and can be certain that your information has been securely destroyed. At SEM, we offer an array of various high-quality NSA listed/CUI and unclassified data destruction solutions, and are experts in designing and creating, implementing, installing, and servicing centralized destruction facilities across the globe. Whether it’s for the federal government, one of their agencies, or a commercial data center, we do it all. Learn more about our scalable and customizable solutions here.

Classification Breakdown: Match Your Data to Its Destruction Method

December 11, 2020 at 8:15 am by Amanda Canale

In the age of social media, it’s quite normal for many people to put their entire lives online. Whether it’s someone spilling all of their secrets in forms of podcasts, vlogs, and blogs or sharing too much about their assets and wealth in an Instagram post, it doesn’t seem like there is much that isn’t shared with the world wide web.

However, there are many types of information that not only just shouldn’t be shared but cannot be shared, especially when it pertains to our National Security. Let’s break down all of the different levels of information out there and the varying security classifications applied in order to properly identify and safeguard this information.

Top Secret information (TS)

Top Secret (TS) information is also known as classified information. Access to this level of information is highly restricted and is upheld by law or regulations to particular groups of people. It is sensitive enough to matters of national security that it must be protected at all times. Information of this nature can range from nuclear weapon launch codes to government secrets.

When it comes to the destruction of these types of information, best practices can vary. The question you should always ask yourself is as follows: is my end-of-life data destruction equipment designed to securely destroy this information? To ensure the highest security data destruction, the federal government requires that classified data only be destroyed with devices listed on the NSA Evaluated Products List (EPL). This equipment is suitable for TS information and utilizes stringent destruction criteria determined by the NSA. You can find more information about NSA-mandated destruction of storage devices here.

Regardless of the classification level and type of data you are looking to destroy, any one of SEM’s NSA listed paper shredders, disintegrators, degaussers, and IT crushers are fully equipped to securely destroy all of your end-of-life data.

Sensitive Compartmented Information (SCI) and Special Access Program (SAP)

Sensitive Compartmented Information (SCI) and Special Access Program (SAP) are considered highly classified information that is controlled and designated by the National Intelligence Agencies and shared within certain Department of Defense branches. SCI and SAP access levels are only granted to those who already hold a Top Secret (TS) clearance. This information ranges from intelligence sources and methods to analytical processing and targeting, as well as information unique to a specialized program or project. This information is only accessible by those granted “a need-to-know basis” and thus safeguarded at the highest levels due to the nature of the classified information. Therefore, this information should only be destroyed with NSA EPL listed devices.

Communication Security (COMSEC)

Communication Security (COMSEC) is used to deny unauthorized persons access to information obtained from telecommunications of the U.S. Government concerning issues such as national security. This information is handled and protected by the U.S. Department of Labor (DOL). Since COMSEC material is considered sensitive, it should be destroyed to the same standard as classified information, meaning using NSA EPL listed equipment. COMSEC typically includes cryptographic security, emissions security, transmission security, and the physical security of COMSEC material.

Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is all of the different kinds of unclassified information throughout the Executive Branch of the United States government that requires safeguarding or circulation control that is consistent with applicable laws, government policies, and regulations.

On November 4, 2010, the Executive Order 13556 “Controlled Unclassified Information” was established to create transparency throughout the federal government and non-government stakeholders as previous characterizations of sensitive but unclassified information (SBU) was not always consistent. This classification process standardizes these practices across over 100 different government departments and agencies, ranging from state and local, to tribal and private sectors. The Order also mandated that end-of-life media must be destroyed to NIST 800-88 specifications. For paper, this specification is a 1mm x 5mm particle size, which is the same as for classified information.

Typically, CUI information can consist of technical information with a military or space focus, legal material and law enforcement, federal healthcare, technical drawings and blueprints, immigration, and more. All of SEM’s IT destruction devices are NIST 800-88 and therefore CUI compliant. In addition, all paper shredders listed on the NSA EPL are also CUI compliant.

Personally Identifiable Information (PII)

Personally Identifiable information (PII) is any kind of information that can identify a specific individual. PII can be tricky as it is not anchored to any one category of technology or information.

The range of what kind of information qualifies as PII is quite vast: social security numbers, IP addresses, passport and license numbers, mailing and email addresses, login IDs, and other specific information are all personally identifiable.

While data breaches should always be taken seriously, a breach of this kind of information can put the exposed people at an extremely high risk of identity theft and fraud. Take for example, the recent security breach at financial institution, Morgan Stanley. The incidents, which have occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of various computer equipment that were being used to store customers’ PII. You can read more about our thoughts on this breach here.

Personal Health Information (PHI)

Personal Health Information (PHI) is similar to PII in that it is identifiable information that can be linked to a specific individual.

PHI is an umbrella term given to any kind of health information that is dated, received, transmitted, or stored by the Health Insurance Portability and Accountability Act (HIPAA) and their entities and business associates in relation to healthcare operations and payment. This information ranges from Social Security numbers and medical record numbers to test results and insurance information. Both PII and PHI are sensitive information, so should be destroyed to completely prevent reconstruction or recovery using the same standards that apply to CUI.

Whether you’re looking to destroy personally identifiable, controlled unclassified, or top secret information, it is always best practice to follow data sanitization mandates. At SEM, we have wide array of high-quality end-of-life data destruction devices that not only meet NSA/CSS specifications, but are on the NSA/CSS Evaluated Products List, and follow the Controlled Unclassified Information (CUI) Executive Order.

Any one of our exceptional sales team members are more than happy to help answer any questions you may have about your data classification and help determine which machine will best meet your company and federally regulated destruction needs.

DARPA Shredder Challenge

December 1, 2020 at 8:15 am by Amanda Canale

In late 2011, Defense Advance Research Projects Agency (DARPA), a research and development agency of the U.S. Department of Defense, invited computer scientists and puzzle enthusiasts alike to take part in an interesting challenge: reconstruct pieces of paper for a grand prize of $50,000. Sounds fairly simple, right? Well, what if those pieces of paper had previously gone through an industrial shredder? Doesn’t seem as easy now, does it?

The goal of the five-puzzle challenge was for participants to develop software that could be used to identify and assess various document reconstruction tactics. The hope was for the U.S. national security community to utilize these new tactics in war zones and use them to identify vulnerabilities to sensitive information within our own country. Participants started their developments on 27 October 2011 and concluded just 33 days later after all five puzzles were successfully solved by a trio of San Franciscan computer programmers.

The winning team, who went by the name, “All Your Shreds Belong to US”, created an algorithm that automatically reconstructed the 10,000 pieces of paper (yes, you read that right: 10,000) based on various physical aspects of the shred, such as shred angle, shred size, and paper marks. Other teams’ strategies ranged from crowdsourced-style methods to relying heavily on manual reconstruction. While the majority of us would rather do anything else than spend approximately 600 hours putting pieces of paper back together, the same cannot be said for hackers and thieves; if it’s going to grant them access to your most sensitive information and confidential data or government defense secrets, then chances are they will rise to the occasion!

There are currently several different secure shredder types ranging from DIN levels P-1 to P-7, with level seven being the most secure particle size. However, there is a lot to be said about modern document destruction if a challenge such as this was so successfully completed, especially within such a small timeframe. If this challenge used level P-7 particles and the winning team not only won the challenge but succeeded two days early, what does that say about the safety of our end-of-life data? Is it safe to assume that there is always the possibility that someone could turn your trash into their own personal treasure? While there currently is no level P-8, we have the next best thing here at SEM (and yes, it is exclusive to us!).

The SEM Model 344 is the next greatest paper shredder as it is offers an even more secure shred size that we like to call P-7+! The Model 344 is the only high security paper shredder on the market that offers a particle size of 0.8mm x 2.5mm, making it 50% smaller than the current National Security Agency (NSA) requirement. This compact, portable, energy saving option is listed on the NSA/CSS Evaluated Products List and has a throughput of 12 reams of paper per hour when feeding five sheets at a time.

When it comes to end-of-life data destruction, it is always best to err on the side of caution. That’s why at SEM, we want you to future proof the destruction of your most sensitive and confidential data with our Model 344. By opting for in-house data destruction methods, you and your company or agency are making the most cost-effective, safe, and secure decision. Still don’t have you fully convinced? Think about it like this: if a group of scientists and puzzle enthusiasts can piece back together your data in their free time, imagine what a full-time hacker could do.

At SEM we have an array of high-quality NSA listed/CUI and unclassified paper shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

The Growing Size of Media: Just How Much Information Can Be Stored on 1TB?

November 3, 2020 at 9:00 am by Amanda Canale

When it comes to data storage, it’s difficult for many of us to fathom just how much information can fit on a portable hard drive or basic USB thumb drive. Many of us probably haven’t even filled up our own personal hard drives or come close to it. In the age of Big Data, USBs and portable hard drives have become the technological highways that bridge data between devices.

Now let’s think about how much information and data can be stored on a one terabyte (1TB) hard drive. For reference, a 1TB hard drive is equivalent to 1,000 gigabytes (GB). Maybe a couple thousand photos? A hundred movies or so? Well, the answer may shock you so let’s break it down by media type.

Photos
Depending on the file type and size, a 1TB hard drive can hold anywhere between 250,000 and 310,000 photos. Just imagine how many family photo albums you can fill with 250,000 photos. It’s incomprehensible! Some of you may be thinking, “what would a thief want with my personal photos?” While the data stored in personal photos may not be always be confidential, it’s still private and personally identifiable. This means that if a thief were to steal your 1TB drive filled with family photos, the risks of the breach can still be high as whatever information that is offered in the photographs is now fair game. The thief could find out about what kind of material possessions you own, such as cars, jewelry, and furniture, where you like to vacation, where you live, and what you look like, making future theft and targeting that much easier.

Photographs may seem low on the ladder as far as sensitive information, but they can offer up more information than you’re probably willing to give up. Take for instance last year’s U.S. Customs and Border Protection (CBP) data breach. In June 2019, the CBP released a statement that photographs and video recordings of fewer than 100,000 people and their vehicles were stolen as part of an attack on a federal subcontractor. The photographs and video recordings were used in a growing facial-recognition program to assist the CBP in tracking the identity of people entering and exiting the United States. The photographs and footage were originally taken at various American airports and land border crossings where vehicle license plates and faces were captured over a short period of time. While the thieves were not able to capture other identifying information such as passports or travel documents, this type of breach isn’t to be downplayed as the victims are now at major risk for identity theft.

Circuit board futuristic server code processing. Orange, green, blue technology background with bokeh. 3d rendering

Video and Audio
Home video enthusiasts can rejoice because storing all of your family videos in one place has become so much easier. A 1TB hard drive can hold up to 500 hours of high-definition 1080p video – that’s just over 20 full days! To put that into perspective, the total runtime of all the Marvel Cinematic Universe films (23 total) is approximately 50 hours – one-tenth the amount of storage.

Have a large music library? You’re in luck, too! A 1TB hard drive can hold up to 17,000 hours of audio files, totaling approximately 708 days’ worth. Still can’t fathom that much music? Imagine listening to the entire U2 studio album discography 24 times. Or listening to the entire Rolling Stones discography 15 times. Now that’s quite the road trip playlist!

Documents
Here comes the truly mind-boggling part. If we’re talking strictly Microsoft Word documents, a 1TB hard drive can hold (…wait for it…) 85 million documents. Take that in for a moment. Eighty-five million documents. A person’s entire life can fit onto a drive and still have plenty of room to spare. Bills, social security numbers, bank account information, deeds, birth certificates, and more can be stored on 1TB which makes them a gold mine for hackers and thieves.

Leslie Johnston, Chief of Repository Development for the Library of Congress, noted that a 1TB hard drive can hold as much information as one-tenth of the Library of Congress. Now that comparison makes our heads spin! It can be scary thinking about the irreparable damage hackers and thieves can cause with that much information at their fingertips.

In the United States, the average cost of a data breach can cause an organization to pay upwards of $8.9 million, averaging out approximately $146 to $250 per compromised record. Now imagine how much a breach of 85 million documents would cost. The risks of a data breach can be immeasurable, and the consequences are not always immediate. You can read more about how the purchase of in-house end-of-life data destruction equipment can save you and your organization millions of dollars here.

Clearly, a single 1TB hard drive can easily hold a lifetime’s worth of information (and then some), which is why having a secure end-of-life destruction plan is crucial in protecting that data. Protect yourself, your employees, and your company against future data breaches with one of our various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your destruction needs.

Level 6 Data Centers: Best Practices in Security

September 22, 2020 at 9:00 am by Amanda Canale

Over time, data center infrastructures have evolved from mainframes to cloud applications and can now take on various forms. The type of data center depends on the facility’s primary functions, how it is supported, and size. Based on these criteria, there are four main types of data centers: enterprise data centers, managed services data centers, colocation data centers, and cloud data centers. In addition to storing, managing, and circulating data, data centers also manage physical security systems, network and IT systems, power resources, environmental control, and performance and operational management.

Depending on the size and function of the data centers, some companies are known to have multiple centers in various locations that can store different data or serve as a centralized backup site. This helps to prevent the data from being destroyed due to natural or man-made disasters or in the instance of an outage. There are several levels to data center security, the highest level being Level 6. SEM devices are often part of a robust Level 6 data security program, as seen in this Google data center video.

Natural disasters aside, Level 6 data centers offer the utmost advances in modern data security to ensure that none of the data they store and manage gets into the wrong hands. Below we have broken down each security level within a Level 6 data center and offer an inside peek at just how difficult they can be to hack.

Level 1
Regardless of the kind of data center, the first level of security is the physical property boundaries surrounding the facility. These property boundaries typically include signage, fencing, and other significant forms of perimeter defenses.

Level 2
Once the physical property boundaries have been bypassed, the next level of security is a secure perimeter. Here, someone can enter through the main entrance gate and be met by 24/7 security guard staff, comprehensive camera coverage, smart fencing, and other perimeter defense systems. Once someone has entered the second level, the company’s security personnel have eyes on their every move.

Level 3
Level 3 finally allows physical entry to the data center…well, kind of. Even though someone may have been granted building access, they are still nowhere near the data center floor. This level requires a security search of each individual entering the data center. Employees entering the facility must provide a company-issued identification badge and be subjected to an iris or facial scan to confirm identity. In addition, most data centers only allow one person to badge in through doors at a time. All of these combined layers are to ensure that only approved personnel may enter.

Level 4
Level 4 houses the security operations center (SOC). The SOC is often referred to as the brains of the security system as it monitors the data center 24 hours a day, seven days a week, 365 days a year. All of the previous layers of security discussed above (from camera footage, ID readings, to iris scans) are connected to the SOC and monitored by a select group of security personnel. Think of this level also as the eyes and ears of the facility.

Level 5
Level 5 is the data center floor – finally! This is where all of the company’s data and information is stored. When at this level, security is much stricter when it comes to access and only a small percentage of staff members have access to this level; typically, only the technicians and engineers so they can repair, maintain, or upgrade equipment. Even when on the data center floor, technicians and engineers only have access to the devices, but not the data itself, as all of the stored data is encrypted (another layer of security!).

Level 6
This is where all of the fun happens. And by fun, we mean data destruction. Security at this level is at an all-time high with even fewer personnel having access. It is at this level where end-of-life of all storage media happens. If a device needs to be destroyed, there is usually some sort of secure two-way access system in place, which can vary depending on the facility. This means that one person drops off the device to a locker or room and another person takes the device away to be destroyed. This step is crucial to maintaining data security protocols so only technicians assigned to the destruction room have access to the devices. It is the role of the technicians in this room to scan, degauss (magnetic media only), and destroy the retired devices.

Leaving the data center is a process just as intensive and secure as entering. Every person leaving the data center floor is subjected to a full-body metal detector and makes his or her way back through each of the previous levels. This is to ensure that no one is able to leave with any devices and each person that has entered can be accounted for when leaving.

In the destruction phase, it is NSA best practice to first degauss the device if it is magnetic media. This practice offers companies the most secure method of sanitization. SEM degaussers use powerful magnetic fields that sanitize magnetic tapes and magnetic hard disk drives. It is this act alone that renders the drive completely inoperable – which is always the goal. Not even the most skilled of hackers will be able to get any information off of the drive, simply because there’s nothing left on it to hack!

The next step is the physical destruction of the drive or device. This can be done by act of crushing and/or shredding. Combined, degaussing and destroying ensure that no information is susceptible to getting stolen and offer the best security in the destruction of your end-of-life data.

One of the most common data destruction misconceptions is that erasing or overwriting a drive and degaussing are the same thing. They’re not. Erasing data isn’t completely foolproof as it’s possible that trace amounts of encrypted and unencrypted data can still get left behind. This becomes a gold mine for hackers and thieves, who then have complete freedom to do whatever they want with your most sensitive and classified information. But remember, degaussing is only effective for magnetic media, such as rotational hard disk drives (HDDs). Deguassing is completely ineffective on solid state drives (SSDs) and optical media; therefore, physical destruction (crushing or shredding) to a very small particle size is best practice for these devices.

Regardless of the type and size of data center, implementing security layers like the ones listed above and destroying end-of-life data in-house are always best practice. By doing so, companies can be confident that their data has been successfully destroyed. Some companies make the mistake of opting for a third-party data sanitization vendor. When going the third-party route, individuals and companies forfeit any and all oversight, which leaves plenty of room for drives to be stolen, misplaced, and mishandled. It is this level of negligence, whether at the hand of the company or vendor, that can cause catastrophic damages to the company, its brand, and its customers.

Hackers do not discriminate. So regardless of the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment simply because it is impossible to be certain that all data has been destroyed otherwise. This can in turn potentially save the company more time and money in the long run by preventing breach early on.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation – including Level 6! Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.

Debunking Hard Drive Destruction Misconceptions

September 9, 2020 at 2:18 pm by Amanda Canale

In October 2019, Blancco, an international data security company, released an article discussing various end-of-life data destruction methods and comparing drive destruction to data erasure. While we agree with some of what was written, we’d like to clear up a few things.

In the article, Blancco recommends weighing the level of impact certain end-of-life data can have in the case of a data breach combined with how quickly the data may age out. They then suggested basing the method of sanitization off of that assessment. We want to stress that there should never be an assessment of this nature when handling sensitive, confidential, or personally identifiable information (PII). It is always best practice to treat all end-of-life data as never aging out and having a potentially high level of harm if breached as both can be impossible to predetermine. Remember, there is no statute of limitations when it comes to data breach, meaning that an end-of-life drive can cause a breach years after it was discarded.

While some companies argue that drives should be reused as a more economical option, we disagree. By reusing devices, a company risks that leftover unencrypted or encrypted data getting into the wrong hands. Companies should future-proof their end-of-life data destruction procedures to ensure the prevention of future data breaches. This will not only save them time and money in the long run but prevents any damages to their customer base and reputation. (It’s better to be safe now than sorry in the long run!)

Blancco also notes that using a third-party vendor to sanitize and destroy end-of-life data and devices is an option. Morgan Stanley recently came under fire for the alleged data breach of their clients’ financial information after an ITAD (IT asset disposition) vendor misplaced a number of various computer equipment that were storing customers’ personally identifiable information (PII). Even though Blancco suggests carefully researching and vetting the vendors to ensure they are properly destroying your devices, introducing a third party significantly increases the chain of custody and companies face a far higher risk of data breach every step of the way when opting for this route.

While there are some reputable data sanitization vendors out there, it can be far too easy for ITAD vendors to misuse, mishandle, and misplace drives when in transportation, and in the actual acts of destruction and disposal. There have even been reports of some vendors selling end-of-life devices and their sensitive information to online third parties. We suggest getting rid of ITADs altogether if they’re part of your device destruction procedure simply because the security risks can be unpredictable and potentially catastrophic. Instead, we suggest purchasing one of our NSA listed devices, keeping the chain of custody within the company, and conducting all destruction in-house. You can read more of our thoughts on Morgan Stanley’s data breach here.

A common data destruction misconception is that erasing or overwriting a drive and degaussing are synonymous with one another. Unfortunately, that kind of thinking can quickly become dangerous depending on the kind of information you are looking to destroy. While methods such as cryptographic erasure and data erasure would allow the drive to be used again, as Blancco suggests, you run the high risk of leaving behind sensitive data which can become a gold mine for hackers and thieves.

While degaussing is not possible for the destruction of end-of-life data on solid state drives (SSDs), SEM always recommends following NSA standards and degaussing all magnetic media, including hard disk drives (HDDs), prior to destruction. Solid state drives (SSDs) and optical media do not require it as part of the destruction process but crushing and/or shredding is recommended. By degaussing HDDs, companies are choosing the most secure method of data sanitization per NSA guidelines as this is the only way companies can be certain that their data has been properly destroyed. When magnetic media is degaussed, the machines use powerful magnetic fields to sanitize the magnetic tapes and drive, wiping all sensitive information from the device. This act renders the drive completely inoperable, which should always be the goal.

Once the device has been degaussed, it should be physically destroyed. The combination of degaussing and physical destruction for HDDs is without a doubt the most secure method of ensuring your end-of-life data stays at the end of its life. Not even the most skilled of hackers will be able to get any information off of the drive, simply because there’s nothing left on it to hack!

Regardless of the catalyst for end-of-life drive destruction, it is always best practice to conduct destruction and degaussing in-house. It is also important to remember that a data breach is a data breach, no matter the level of impact. Blancco writes that, “not all degaussing machines are adequate to the task of demagnetizing all HDDs.” They’re right.

At SEM we have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members are more than happy to help answer any questions you may have and help determine which machine will best meet your company or federally regulated destruction needs.

Think Your End-of-Life Data is Destroyed? Think Again!

August 25, 2020 at 9:00 am by Amanda Canale

When it comes to our personal data, some companies will go above and beyond to obtain it. Unfortunately, some companies don’t always take the same time and care when it comes to the destruction of that data. Recently, Morgan Stanley has come under fire for the possible data breach of their clients’ information. On July 10, the financial institution issued a statement to their clients that there were, “potential data security incidents” related to their personal information.

The incidents, which have occurred over a span of four years, were caused by an ITAD (IT asset disposition) vendor misplacing a number of various computer equipment that were being used to store customers’ personally identifiable information (PII).

A company like Morgan Stanley risks data security breaches every step of the way when opting for a third-party route; this can not only cause irreparable damage to their clients but to their brand as well. The belief that recycling hard disk drives (HDDs) and solid state drives (SSDs) is best practice, can, unfortunately, lead to major consequences.

While there are some reputable data sanitization companies in existence, if a company chooses to utilize an ITAD vendor instead of conducting end-of-life destruction in-house, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle or misuse drives when in transportation, being sorted by staff, and in the actual acts of destruction and disposal. Some contracted salvage vendors have even been known to sell the equipment they are given to online third parties.

It is a scary but common misbelief that simply erasing drives clean is enough to keep your information safe. When erasing data off of a drive, it’s possible that unencrypted and encrypted information can linger and be easily accessible by hackers. Morgan Stanley chief information security officer, Gerard Brady, wrote, “The manufacturer subsequently informed us of a software flaw that could have resulted in small amounts of previously deleted data remaining on the disks in unencrypted form.”

While Morgan Stanley has issued a statement promising that they will pay for two years of credit monitoring for their customers whose data may have been breached, it frankly isn’t enough for some clients as this possible breach may not affect them until much later.

“There is no statute of limitations on future data breaches,” writes Bob Johnson of the National Association for Information Destruction (NAID). “If a hard drive turns up five or 10 years down the road with personal information on it, it is still a data breach plain and simple. Ignoring missing or improperly wiped electronic media today simply means there are a bunch of time bombs floating around.”

It is this particular reason why we at SEM stress that all hard disk drives be degaussed and destroyed and done so in-house. When destroying data in-house, companies can be positive that the data is successfully destroyed whereas when given over to a vendor, the company forfeits any and all oversight. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. No matter what the industry, purchasing in-house, end-of-life data destruction equipment is well worth the investment simply because it is impossible to be certain that all data has been destroyed otherwise. This can in turn potentially save the company more time and money in the long run by preventing breach early on.

While Morgan Stanley was unaware of the dangers that come with hiring third party data sanitization companies, they, along with their clients, are unfortunately the ones who are left to suffer the consequences of the vendor’s negligence.

(To read more about how one’s trash can easily become another’s treasure, read one of our previous blog posts here.)

Shredding Through Time

July 28, 2020 at 10:00 am by Flora Knolton

Paper shredding can first be accredited to Abbot Augustus Low of New York, who filed a patent for an improved wastepaper receptacle in 1909, sparking the first idea for a paper shredder. Low’s invention was intended for use in banks and counting houses, but unfortunately was never manufactured.

The first known mechanical paper shredder actually was created in Germany in 1935. A man, Adolf Ehinger, was inspired by a hand-crank pasta maker to create a machine to shred sensitive material after being questioned about anti-Nazi literature in his garbage. The machine was cranked inside of a wooden frame that was large enough to handle one sheet of paper. Later in the 1940s, he added a motor to power the shredder and sold the shredders to a host of government entities.

During the cold war, Ehinger’s shredder increased in popularity. In 1959, his company, EBA Maschinenfabrik, created the first cross-cut shredder that cut paper into tiny bits for an increased security level. To this day, EBA Maschinenfabrik continues to design and produce shredders under the name of Krug & Priester, who purchased the business in 1998.

Since Ehinger’s invention, shredders have played a role in many important times in history. Before the 1980s, shredders were nearly exclusively used by the government, military, and banking industry. But in 1987, the U.S Supreme Court that ruled that your garbage, once brought to the curb outside, is considered public property. Come the 1990s, statistics proved how corporate and personal identity theft had skyrocketed. Most of the public wasn’t even aware of the existence of paper shredders until they began to surface in connection with scandals such as Watergate in the 1970s, Iran-Contra in the 1980s, and Enron in 2002. The increase in identity theft and scandals caused concern which led to businesses and individuals burning their paper waste. Because it is so detrimental to the environment, this increase in burning led to laws prohibiting the incineration of trash, which had the effect of businesses and regular citizens turning to paper shredders for secure document disposal. Despite the negative stories and unfair reputation from the media about how they are used to cover the tracks of the guilty, Ehinger’s purpose was to protect the innocent. Throughout the 20^th century, paper shredders have become more secure by using cross-cut methodology and creating smaller shreds.

Privacy laws such as the Health Insurance Portability & Accountability Act (HIPAA), The Fair and Accurate Credit Transaction Act (FACTA), The Family Educational Right and Privacy Act (FERPA) to name a few, render organizations responsible for protecting customer/consumer information. It’s important for businesses to legally comply with these regulations and it is also a best practice for business to routinely destroy data that has outlived retention periods. Shredding paper opens up many environmentally-friendly disposal alternatives that are better than tossing it all in the dumpster.

In 1968, in what is now known as “The Pueblo Incident”, Navy intelligence vessel USS Pueblo was captured by North Korean patrol boats. According to U.S. reports, the Americans tried their best to destroy all the classified information aboard the ship. Unfortunately, with the volume of material on board it was impossible to destroy it all prior to capture. Korean War Veteran and founder of SEM Leonard Rosen was struck with the idea that there has to be a better way to destroy classified information. Within weeks of hearing this news, he had developed the concept for the world’s first paper disintegrator and the SEM legacy of destruction devices had begun. It’s fascinating that Ehinger and Rosen were both motivated by protecting their countries’ intelligence for the greater good of humanity at the time to produce such ideas.

SEM may have coined the term “disintegrator”, but every device from SEM is always quality. SEM’s high security paper shredders are NSA/CSS listed and reduce waste to particles no larger than 1mmx 5mm. All SEM NSA listed paper shredders meet the requirements of the new CUI security regulation that requires CUI documents to be shredded and meet . The Model 344 paper shredder produces particles of 0.8mm X 2.5mm, which is half the size of the current NSA requirements, for those looking for the highest security. Many of SEM’s paper shredders are factory installed with an automatic oiler, but for those looking to reduce their carbon footprint, the Model 1201CC paper shredder may be what’s necessary. The Model 1201CC was the first high security paper shredder tested oil-free by the NSA and listed on the NSA EPL for classified document destruction. Oil free shredders save money on oil refills and are perfect for the eco-conscious consumer.

Buying a paper shredder is an insurance policy that helps protect sensitive information. Our trash is not “our” trash once it’s outside, and its vital to be conscientious about what is being thrown away. Paper shredders have been around for over 100 years now and will continue to be necessary even as more offices vow to go paperless. Paper will still be around, and SEM has all the Classified and Unclassified paper shredders to meet your media destruction needs.

One Person’s Trash Really is Another’s Treasure

June 15, 2020 at 9:02 pm by Flora Knolton

It is typical for companies to focus more on the security of their digital network than on physical protection of documents and data. Physical security tends to fall by the wayside even though it’s fairly easy for criminals to go dumpster diving. If the organization doesn’t end up losing all important assets in a breach, it’s common it could still suffer from irreversible brand damage. In 2007, Radio Shack dumped more than 20 boxes containing personally identifiable information (PII) for thousands of customers. A man found rummaging through the dumpster found the boxes and reported it. Shortly following, the State of Texas filed a civil lawsuit against Radio Shack for exposing its customers to identity theft. The state’s lawsuit claims the company “failed to safeguard the information by shredding, erasing, or other means, to make it unreadable or undecipherable before disposing of its business records.” Cases like this are common, and identity theft has become a major problem worldwide.

The Recycling Myth

Many believe that recycling is a very different process from trash processing and somewhat safer in terms of data security. This understanding is far from the truth. People mostly understand that trash ends up in landfills where anyone could find sensitive material. At the same time, many people often think that recycling is safer for confidential documents since they will be destroyed and repurposed instead of being shipped to a landfill. In actuality, recycling is not transported securely. In fact, recycling trucks look like every other garbage truck, where documents and other personally identifiable information (PII) will be blowing around in the truck before being dropped off at the recycling facility. On average, recyclables sit on sorting floors from anywhere from 2-4 weeks before being destroyed. The remnants don’t sort themselves either; dozens of employees’ sort what the machines cannot and will have access to documents before they are destroyed. As opposed to destroying the documents yourself, there is absolutely no way of proving sensitive information has been destroyed when you send it to the recycler.

Protect the Customers and Employees, Protect the Business

Consumer privacy legislation has been increasing around the United States within the last few years. Recent laws such as the NY SHIELD Act and the California Consumer Privacy Act (CCPA) are giving consumers more rights relating to their access and deletion of sharing personal information that is collected by businesses. These laws give consumers a large amount of freedom over their personal information, which could open up a host of severe penalties and lawsuits for companies that fail to comply with these regulations. This trend is also being seen in other nations such as the European Union’s General Data Protection Regulation (GDPR) and India’s Personal Protection Bill, and it is expected to continue on this uptick everywhere in the near future. Knowing this, there is a heavier weight on organizations to protect customers’ personal and secure information or the company will be at risk for mishandling said information and could be subject to harsh monetary penalties. Employees have the same legal right to privacy as customers and expect their employer to keep their information secure as well. At the end of the day, the stakeholders will pull the most weight, and it’s important to treat their information the same as how you’d want your own sensitive information dealt with/disposed of.

Secure Your Disposal of Records

Businesses have a choice when it comes to how they want to dispose of their paper records, usually weighing the convenience, cost, and legal risks involved with complying to their industries’ standards or regulations. In U.S. government law, secure disposal is required when a record contains classified, controlled unclassified (CUI), or personally identifiable information (PII) such as address, phone number, names, emails, social security numbers, and more that can be used to identify an individual. It’s easy to consider the cost when opting for a third-party shredding company, but can you really be certain that all the documents are being shredded? It’s impossible to tell. Despite widespread adoption of electronic health record systems, most hospitals still use both paper and electronic documents for patient care. Healthcare cyberattacks overall are on the rise, with nearly 32 million patient records breached in 2019. It’s crucial to find a balance between digital security and physical destruction in the workplace. Increasing communication between colleagues so they are informed of appropriate processes can help mitigate potential breaches in regard to disposing of information no longer retained by the institution.

No matter what the industry, at SEM we have many high-quality NSA Listed/CUI and unclassified paper shredders to meet any regulation. For those looking for an eco-friendly device that’s also listed on the NSA EPL for Paper Shredders, we recommend the Model 1201CC High Security Shredder. It was tested oil-free by the NSA for classified document destruction due to its specially designed cutting head that is also fully replaceable, lowering total cost of ownership. Destroying physical data in-house may seem like a costly purchase in the short term but could send up saving a company exponentially in the long run by preventing breach. With regular maintenance, a quality shredder such as the 1201CC can last a lifetime. We’re happy to help answer any questions concerning personal or regulated shredding needs.

New CUI Directive Defines Latest Targets and Final Implementation Dates for all Executive Branches

May 27, 2020 at 8:46 pm by Flora Knolton

The Latest ISOO announcement details new target dates for policy, training, and implementation.

WESTBOROUGH, MA, May 26, 2020 —On 14 May 2020, the Information Security Oversight Office (ISOO) released CUI Notice 2020-01: CUI Program Implementation Deadlines (the “Notice”), which includes specific dates of implementation and deadlines for affected government agencies that handle or store Controlled Unclassified Information (CUI). The Notice applies to all Executive Branch agencies.

The Notice references 30 June 2020 as the deadline for the initialization of an awareness campaign for workforces within agencies that have access to CUI. By this date it is expected that relevant agencies will be able to define and identify potential CUI within an office as well as summarize the actionable plan the office will follow to properly store, dispose, and in the case of legacy material, re-mark and reuse said CUI information.

The deadline for agencies to draft their policies detailing CUI guidelines moving forward is 31 December 2020. By this date, now current policies must be rescinded or modified with a policy that satisfies the new mandates set by ISOO for individual agencies to follow, and these policies will be implemented over the course of the following calendar year. The use of any Classification Marking Tools (CMTs) in the labeling and marking of CUI materials must also be updated by the 31 December 2020 date.

“The CUI implementation timeline is a critical step towards data security in the U.S.,” said Andrew Kelleher, President and CEO of Security Engineered Machinery (SEM). “We applaud ISOO for their tireless efforts in safeguarding CUI. By ensuring all agencies are storing, labeling, and destroying CUI data appropriately, we can help protect government agencies and the citizens of our country as a whole.”

All physical safeguards must be in place by 31 December 2021, including how an agency ensures CUI is kept out of sight and out of reach from those who do not have access. All agencies that store CUI information in Federal Information Systems must additionally have those systems updated and configured to no lower than Moderate Confidentiality impact value, as outlined in 32 CFR 2002.14.

In addition, training on the policy for an agency’s workforce including sub-agencies must be implemented and completed by 31 December 2021. This includes detailing CUI’s purpose, individual responsibility, and destruction requirements. Destruction requirements for end-of-life CUI should be as detailed as possible and, at a minimum, follow specifications outlined by the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization. It should be noted that NIST 800-88 specifically states that paper containing sensitive information such as CUI must be destroyed to a 1mmx5mm final particle size at end-of-life, which is the same final particle specification as classified information destruction.

“Technology advancements have made it easier for criminals to reconstruct data, whether on digital or traditional media,” added Heidi White, SEM’s Director of Marketing. “Ensuring that end-of-life media is destroyed to the appropriate specifications, which for CUI is NIST 800-88 standards, cannot be overstated.”

The Notice can be read in its entirety here.

SEM Shred

Tag: classified data destruction