Security and Recycling Don’t Have to be at Odds

December 21, 2019 at 3:01 pm by SEM

Information destruction is rarely associated with environmental responsibility, but the two are not in conflict. For most media there are disposal options that recover recyclable value while still meeting the destruction requirement.

Paper

When shredded into a cross-cut or strip-cut particle, paper can go straight into the recycling stream to make new paper. In the past, paper shredded to a classified (high-security) particle size could only go to a landfill: at that size it is extremely hard to handle and has little, if any, recyclable value.

Today there is the option of briquetting. A briquettor compacts the confetti-like high-security particle into small cylindrical briquettes, roughly a 9:1 volume reduction. More importantly, a briquette has recyclable value: paper mills can use briquettes as filler for cardboard boxes and manila folders. A study performed by Penn University also found that a briquette sample has the burn value of soft coal with half the carbon emissions.

Hard Drives

More and more information is stored on hard drives and other media, so demand for hard drive shredding has grown. The shredded particle is not waste: the aluminum, magnets and PC boards have scrap value. The market fluctuates, but you will typically see an average recyclable value of $0.35 to $0.40 per pound. Once the particle meets your destruction requirement, it can go into the scrap stream.

Other Forms of Media

Optical media – the plastic can be recycled

Floppy disks – the metal hub and plastic outer casing have recyclable value

BlackBerrys/PDAs – once the battery is removed, the plastics can be recycled

Computers/printers – the circuit boards and plastics can be recycled

Being environmentally responsible matters, and it should be implemented wherever possible. One recommendation: before sending destroyed material to a landfill, check with a local recycling company, because the particle may have recyclable value.

The Case For Outsourcing Destruction

at 2:58 pm by SEM

Did you know that business espionage professionals consider a company's trash dumpster to be the most available source of competitive and private information? This is because people overlook what they throw in the trash and do not take information security as seriously as they should. Any single discarded document can contain company or employee information that is harmful in the wrong hands.

Depending on your application, there are two options that can help increase your information security:

Option 1: Shred Service – Most commonly used for: Unclassified Applications

Questions to ask prior to signing a contract:

  1. Who are the people destroying my information?
  2. Are they a well recognized company?
  3. Do they perform background checks on all of their employees?
  4. What is the shred particle size?
  5. Am I in compliance with my specifications?
  6. Am I satisfied with the particle?
  7. Is this cost efficient? Am I overpaying?
  8. Would it be more cost-effective to make a one-time purchase of equipment?

Option 2: Purchase Equipment – Most commonly used for: Sensitive or Classified Applications

Questions to ask prior to purchasing equipment:

  1. What is my volume?
  2. Is this a constant volume?
  3. Will I get constant use of this machine, or am I simply handling a one-time purge?
  4. Is this the right equipment for my application?
  5. Does this fit my volume?
  6. Does it have the capabilities that I need?

Although these options have been directed towards paper shredding, always consider that information resides on many different forms of media. There is equipment capable of destroying hard drives, tapes (all types), CDs, DVDs, floppy disks, zip drives, microfilm, etc. So whether a shred service or purchasing equipment fits your application best, always evaluate your options and take the correct steps towards protecting your company's information.

PIPEDA: Protecting the Privacy of Canadian Citizens

September 28, 2019 at 8:46 am by Paul Falcone

What is PIPEDA?

Since crafting the original Personal Information Protection and Electronic Documents Act (PIPEDA) in 2000, Canada has been an innovative force in sensitive-data privacy protection. Originally created to foster trust in ecommerce, PIPEDA has evolved to provide more stringent data protection across the digital landscape.

The basic premise of PIPEDA is to prevent Personally Identifiable Information (PII) from being used or disseminated without purposeful consent from the individual. If an organization wants to use PII for more than one explicit purpose, multiple requests or a comprehensive request must be made to secure the individual’s consent. The law also grants individuals the right to access their data and stipulates that organizations must make their compliance policies readily accessible and easily understood.

As of November 1, 2018, a new provision regulating the protocol for a PII data breach was added to PIPEDA. An organization that experiences a breach of security safeguards must report it to the Privacy Commissioner of Canada if it creates a real risk of significant harm to individuals. The organization must also notify the affected individuals and notify any other organizations that may be able to help those individuals avoid data misuse or harm. Detailed records of every breach, whether or not it met the reporting threshold, must be kept for at least 24 months after the date of the incident.

Organizations Subject to PIPEDA Regulations

PIPEDA applies to any private-sector organization (including those regulated on a federal level by the Canadian government) that collects personal information through commercial activity. Commercial activity excludes donations and fundraising, organizational membership fees, and lists related to communication generated by nonprofit organizations, schools, hospitals and political parties. However, if such lists are sold, bartered, or leased, that activity becomes subject to PIPEDA regulations.

Additionally, if a province has its own private-sector law that is substantially similar to PIPEDA, then a private-sector organization operating solely within that province is not subject to PIPEDA. Currently, Alberta, British Columbia, and Quebec have such laws in effect; however, any business operating in Canada that handles PII is subject to PIPEDA if that information crosses provincial or national borders. Organizations operating solely within Ontario, New Brunswick, Newfoundland and Labrador, and Nova Scotia are also exempt from PIPEDA, but only with respect to health data. The European Commission has recognized Canada as providing an adequate level of data protection, so personal data may be transferred from the EU to organizations covered by PIPEDA without additional safeguards.

What Information is Covered by PIPEDA?

PII under PIPEDA regulations includes age, name, ID numbers (including Social Insurance and driver’s license numbers), financial information (including credit and loan records and disputes with merchants), race, religion or ethnic origin, marital status, health information (including DNA and blood type), education, and employment history (including employee files such as opinions and comments, evaluations, and disciplinary actions).

The Fair Information Principles

PIPEDA Schedule 1 Section 5 outlines ten stipulations—referred to as the Fair Information Principles—that must be followed:

1. Accountability: PII under an organization’s control is that organization’s responsibility. Organizations must designate a Privacy Officer to ensure compliance.
2. Identifying Purposes: At the time of PII collection, organizations are required to disclose any and all purposes for which the personal data will be used.
3. Consent: Except for cases in which legal, medical, or security reasons render consent impossible or impractical, an individual’s consent is required for collection, use, or disclosure of PII.
4. Limiting Collection: Data collection must be limited to data needed for purposes identified by the organization prior to individuals’ consent.
5. Limiting Use, Disclosure and Retention: PII may only be used for the purposes of its collection as agreed to by the individual. PII may only be retained for as long as is required to serve those purposes; subsequently, it must be disposed of securely (unless the individual consents to further PII retention and use).
6. Accuracy: PII must be as accurate and complete as possible to satisfy the purposes for which it’s used.
7. Safeguards: PII must be safeguarded against theft, loss and unauthorized access, use and modification.
8. Openness: Organizations must ensure that policies and procedures related to their management of personal data are easily accessible to individuals in language that is generally understood.
9. Individual Access: Upon request, individuals shall be informed of the existence, use, and disclosure of their PII and be granted access to it. Individuals may challenge the completeness of the information and have it amended. The only exception to this principle is when the information cannot be disclosed for legal or security reasons.
10. Challenging Compliance: An individual may challenge an organization’s compliance with PIPEDA directly through its Privacy Officer.

PIPEDA and Data Destruction

Fair Information Principle 5 stipulates that PII in any form no longer serving its specifically intended purposes must be disposed of securely, and that any information retained for statistical purposes must be rendered anonymous. Organizations should have a comprehensive plan addressing the PII life cycle that mandates (through proprietary or third-party means) adequately secure data destruction. Should destruction of electronic devices be necessary, one person should be assigned responsibility.

Organizations may use properly credentialed third-party vendors for data destruction and disposal, although the organizations are responsible for verifying results. Organizations must ensure that the third-party vendor used has comprehensive plans for both secure transportation and transmission of sensitive data to/from their facility, as well as comprehensive destruction plans. Ideally, the organization would have the capability to monitor third-party data destruction and conduct periodic reviews and audits. Of course, the most secure method is to utilize in-house data destruction.

Acceptable methods of data destruction depend on the media. Hard copies of data must be destroyed to the point that recovery is impossible; acceptable methods include disintegration, incineration, pulverization, melting, and shredding. Electronic copies must be destroyed by deleting the data so that it cannot be recovered with readily available tools, by completely overwriting it with non-sensitive data, or by degaussing (magnetic media only; degaussing has no effect on flash media such as SSDs and USB drives). Simply deleting files or reformatting is not sufficient, because the data remains on the media until it is overwritten.

When being completely destroyed, all media containing PII should be disposed of in accordance with the parameters defined in internationally recognized data destruction guidelines from DIN Standard 66399. Materials classified within the DIN Standard are:

• Original-sized physical media (e.g., paper, printing plates—classified as “P”)
• Reduced-sized physical media (e.g., microfilm—classified as “F”)
• Optical media (e.g., CDs or Blu-Ray—classified as “O”)
• Magnetic data devices (e.g., payment cards and floppy disks—classified as “T”)
• Hard disk drives (classified as “H”)
• Electronic data devices (e.g., USB drives and SSDs—classified as “E”)

For each media class, DIN 66399 defines seven security levels, from 1 (lowest: reproduction of the destroyed data requires little effort) through 7 (highest: reproduction is impossible with the current state of technology), each with an associated maximum particle size or equivalent destruction specification.

When procuring third-party vendors or machinery for data destruction, it’s imperative you ensure compliance with, and adherence to, the appropriate security ratings and PIPEDA regulations. Companies like SEM provide sophisticated data destruction technology solutions to keep your organization in compliance with PIPEDA and other global security standards.

The NSA EPL: The Policy that Protects Your Data

June 14, 2019 at 6:40 pm by Paul Falcone

The amount of personal data in our hands continues to grow by the day. As our data grows, so do our concerns about how it is accessed and how it should be destroyed. Fortunately, there is a continually updated guideline listing the products proven to destroy data beyond recovery: the Evaluated Products List (EPL) maintained by the National Security Agency/Central Security Service.

What is the NSA EPL?

The NSA EPL is a series of lists that identify the devices the NSA has tested and approved as meeting the physical destruction requirements for each type of data-bearing media. Examples of the final particle sizes required for top secret data are 1 mm x 5 mm for paper and 2 mm for DVDs and Blu-ray discs. There are seven lists in total, plus the Storage Device Sanitization Manual, covering the devices used to destroy the different media that can hold sensitive data. The documents are as follows:

  • NSA/CSS Storage Device Sanitization Manual
  • NSA/CSS Evaluated Products List for Hard Disk Drive Destruction Devices
  • NSA/CSS Evaluated Products List for Magnetic Degaussers
  • NSA/CSS Evaluated Products List for Optical Destruction Devices
  • NSA/CSS Evaluated Products List for Paper Disintegrators
  • NSA/CSS Evaluated Products List for Paper Shredders
  • NSA/CSS Evaluated Product List for Punched Tape Disintegrators
  • NSA/CSS Evaluated Product List for Solid State Disintegrators


Why is the NSA EPL Important?

On January 23, 1968, the USS Pueblo, an intelligence-gathering ship operating in international waters off North Korea, came under attack by North Korean forces. Crew members attempted to destroy the cryptologic materials used to decode secret messages; one man was killed and three were wounded before the North Koreans seized the ship and its crew, holding the 82 surviving crew members captive for 11 months. The event represented the largest single loss of sensitive material in US history. It was this event that inspired the creation of the very first SEM disintegrator: SEM founder Leonard Rosen set out to give the Navy a way to destroy such material quickly should this ever happen again.

Original oil painting depicting North Korean attack by artist Richard DeRosset commissioned by SEM. North Korean ship and aircraft numbering is exact for the attacking forces.

On February 1, 2003, the space shuttle Columbia disintegrated on re-entry after nearly 16 days in space. As burning debris fell to Earth at high speed, a hard drive containing experiment data from the mission landed in a river bed in Texas. It lay there for over six months, exposed to the weather, before it was found and sent to Ontrack for data recovery.

A look inside the drive that fell from the Columbia shuttle

A team of engineers reconstructed the drive and recovered over 99% of its data. A drive that fell from the edge of space, on fire, and lay in a riverbed for over six months still gave up its data.

What do these stories have to do with the NSA EPL? Without a set of standards, what people would consider destroyed, and how they would think data is protected, would be very different from what is actually needed to ensure complete physical destruction. By having these standards, and devices built to meet them, data that needs to be protected can be properly disposed of. This ranges from your own Personally Identifiable Information (PII) to our nation's and military's largest secrets that protect millions of lives.

That means whether it’s designing destruction machines that fit specific dimensions of naval ships, or building a shredder that can destroy hard drives better than falling through the atmosphere, the NSA EPL has the specifications that ensure all data has a proper end-of-life solution.

At SEM, we take pride in being the global leader in high security end-of-life solutions. As such, we constantly ensure that our machines meet the latest standards published by the NSA, and we use our expertise to educate the community at large to keep the data of both the government and US citizens safe.

 

Credibility Counts, Ask Around

April 9, 2019 at 3:44 pm by Paul Falcone

We’ve all had a point in our lives when we need to purchase something that we know we need but don’t know much about.

Maybe you’re in a store looking for something, with eyes frantically browsing the shelves looking at all the different items. Trying to distinguish the difference between all the various products, versions, and makes. As the choices add up, maybe you decide it’s best to ask for someone’s opinion. Someone who works at the store you’re in happens to be walking down the aisle and you signal for help. It is in this moment that you start deciding if this person has the knowledge to be able to help you or not.

Because after all, they could have just as little knowledge as you about this product.

After having a discussion you discover that it was true, the employee wasn’t as knowledgeable on the product to make you feel comfortable with a purchase. So you head home with empty hands, deciding that you’ll take your questions elsewhere. Somewhere with all the answers in the world.

The internet.

The internet can be an equally overwhelming place when trying to find accurate information about a product. In a world that is becoming more and more connected, the amount of information that is available to us is growing exponentially. How can you sort through all of this information and deduce what is accurate and honest information, especially with people out there trying to scam and get the best of you?

Sites like Amazon and Google try to combat this by showing us user review scores and comments of people who have purchased items. But even these can be manipulated. So when it seems like it’s impossible to find the information, who can you really trust?

How do you know you can trust a product?

Ask around. They say word of mouth is the best kind of marketing and real people who have used the products can give you the most honest answers. Chances are if you’re in the market for a high security destruction device, you know someone who has worked with Security Engineered Machinery, the global leader in high security information end-of-life-solutions for over 50 years.

At Security Engineered Machinery, we have the experience to answer any questions you may have concerning your sensitive to classified destruction needs. Most of our sales team has been in the industry for over 20 years. We have more experience creating destruction solutions than any other company. We were founded in 1967 and have 52 years in the destruction business, granting us an unparalleled depth of experience. Document and media destruction is our ONLY business and we are 100% focused on improvements.

When you purchase a system from SEM, you can be confident you will receive the quality and support you have come to expect from us. The sales team at SEM holds integrity above financial gain and is always willing to go the extra mile. Our clients, many of whom are repeat customers, are among an elite group of security professionals in the government and civilian sectors who have used our machines in offices and locations worldwide. When they move to a new location and need a new destruction device, they inevitably contact SEM, and that is the best testimonial you can have.

Why do we have so many long-term relationships? Value: you get the quality you expect. Reliability: the machine does what we say it will do. Customer support: we will be here to help you through the life of your machine. Service: our dedicated service department is ready to assist at a moment's notice.

Most importantly, SEM has the expertise and the knowledge base to meet or exceed your expectations as well as the most knowledgeable sales team in the business with the highest integrity to solve your destruction problems.

The True Cost of Data Breaches

March 1, 2019 at 9:14 pm by Paul Falcone

While you may hear about them more and more frequently, data breaches have been occurring since before the digital age: an unauthorized person viewing a hard copy of a medical file is a data breach. But our reliance on digital platforms to store data has brought security issues, and thus data breaches, to a whole new level. Identity theft from exposed data records is now the most common consequence of a data breach across the globe.

Data Breaches are Rising

According to statistics compiled by Statista, data breaches across the United States have been rising for over 10 years, and not by a small margin: the recorded number of breaches in the US grew from 157 in 2005 to 1,579 in 2017. What's more, most of the 2017 breaches occurred in the business sector.

In the first half of 2018 alone, 668 breaches were recorded, exposing over 22 million data records.

The Costs: More than Just Money

The rise in data breaches has been accompanied by a rise in their cost. A 2018 study by IBM Security and the Ponemon Institute put the average global cost of a breach at $3.86 million and the average cost per exposed record at $148. These increases are driven largely by growth in breach size: breaches cost more because they expose more records.

These costs extend beyond what the organization pays to contain the breach and recover. If the organization is publicly traded, its stock price can fall, and shareholders and customers may leave, compounding the loss. If the breach involves data on EU residents, fines imposed under GDPR can reach 20 million euros or four percent of the company's global annual turnover, whichever is higher.

Yet, financial is just the tip of the ‘iceberg of cost’ for organizations that become victim to a data breach.

Data breaches involve such private data as Protected Health Information (PHI), Payment Card Information (PCI) and Personally Identifiable Information (PII), as well as trade secrets and intellectual property. When these types of data are exposed, it compromises not only the integrity and reputation of the organization but also its customers. On an individual level, it can affect everything in a person's life, from their ability to buy a home or get a job to their financial standing and even their mental health.

The effects on the consumer level can then have even more adverse effect on the organization, because with a data breach comes a more intangible breach, one of trust between the consumer and the organization. Often, when a consumer loses trust in an organization, it is extremely difficult to build back that relationship.

It’s not an easy fix. It takes a lot of time and persistent effort on the part of the organization to earn that trust back; whether that’s literal time and effort on the part of the organization’s employees, or money and time spent in PR management and in marketing communication to try to change the consumer’s perception of the organization. While some organizations have the business foundation and financial backing to recover from a breach, for others such reputational and consumer damage could be catastrophic to the business. In fact, approximately 60 percent of small businesses that suffer a data breach go out of business within six months.

One way to reduce this risk is to destroy drives and other media as soon as they reach end of life. Proper data disposal means destroying both the stored data and the device or media on which it is stored. For magnetic media such as hard drives and tapes, degauss the device first and then physically destroy it by shredding, pulverization, melting, disintegration, or incineration, so that neither data nor device can be read or reconstructed. Degaussing has no effect on flash-based media such as SSDs and USB drives; those must be overwritten or, preferably, physically destroyed to a particle size appropriate to the sensitivity of the data.

You can work with a third-party vendor who destroys your data and drives for you; however, the most secure approach is to keep destruction equipment on site, operated only by your authorized personnel, so that the media never leave your custody. A vendor such as SEM can supply that equipment. Keeping end-of-life destruction on site removes the transport and chain-of-custody risk and, at sufficient volume, also costs less than a service.

Ultimately, don't take chances with breaches. The real cost is too great, and losing money, customers, or your entire business is preventable. Take the steps today to ensure your future is safe and secure.

Patch Barracks Classified Data Destruction Facility — A Highly Successful Installation

October 12, 2018 at 8:18 pm by Heidi White

SEM recently installed a classified data destruction facility at Patch Barracks in Stuttgart-Vaihingen, Germany, under the direction of EUCOM, AFRICOM, and the 405th Army Field Support Brigade. The centralized facility, which supports local operations, is a green operation providing zero landfill and recycling of all materials. It includes an SEM Model DS1436 NSA-listed dual stage disintegrator with trio briquettor for bulk paper destruction, along with multi-media destruction equipment capable of destroying complete laptops. Two SEM Model EMP1000-HS NSA-listed high security degaussers, two SEM Model 0304 high volume combo HDD/SSD hard drive shredders, two Model 0202 optical media destroyers, and an existing SEM Model DS1436 disintegrator provide full redundancy of all destruction capabilities. These devices provide a destruction solution for all levels of classified paper, optical media, and hard drives. SEM's own Todd Busic, Ricardo Leon, and Don Donahue were on site to finalize the installation and provide system start-up and training to staff. A ribbon cutting ceremony was held Friday, October 12th, where Garrison Commander Col. Neal A. Corson officially opened the facility for operations. Special thanks to EUCOM, AFRICOM, DPW, and the 405th for working as trusted partners with SEM to ensure the timely and successful completion of this important project.

Ribbon cutting ceremony for the Classified Destruction Facility

The project was completed with support from EUCOM and AFRICOM.

Patch Barracks main gate

Success! The destruction facility is fully operational. Todd Busic is pictured right.

The disintegrators are high capacity, capable of destroying entire boxes of paper material at once.

SEM Engineer Ricardo Leon worked on the master control panel during the installation.

The team even celebrated with a custom made cake.

Talking Trash

June 13, 2018 at 4:28 pm by SEM
Reprinted from MGMA Connexion, March 2004, by Leonard Rosen

Options for the storage and disposal of medical records

As health care organizations endeavor to comply with privacy and security standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), there is growing interest in effective and efficient ways to manage protected medical records – and how to destroy them once they become obsolete.

Neither HIPAA’s privacy standards for paper documents nor its security standards for electronic records dictate specific means of compliance. However, the preamble to Section 164.530 does cite a few examples of appropriate safeguards, such as locking file cabinets that contain protected documents and shredding such documents prior to disposal. For electronic media, Section 164.310 (“Physical safeguards”) requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.”

Each group’s appointed privacy official must decide which procedures and equipment will best prevent unauthorized, unnecessary and inadvertent disclosure of protected information. For storage, this means locked office doors and cabinets, computer firewalls and passwords, etc. For disposal, it means destroying records. No one should be able to dig trashed records out of the dumpster and misuse them. Discarded medical information often is still confidential.

Destruction equipment abounds

The market offers a variety of record destruction equipment. Paper shredders come in all sizes, speeds, horsepowers and capacities, but there are three basic choices:
  • Personal – Desk-side shredders, available on casters for portability, can shred roughly six to 20 sheets at a time. This is convenient for offices with relatively few documents to destroy.
  • Departmental – Larger facilities with more documents to dispose of may install shredders that can handle 20-50 sheets at a time.
  • Centralized – A heavy-duty shredder can handle up to 400 sheets at a time and destroy bound reports and thick stacks of paper.

Whatever shredder models your practice selects, you will need protocols for managing shredded waste. Some companies offer regular pickup, transporting the trash to landfills or recycling facilities. Also on the market are powerful disintegrators that use rotary-knife systems to reduce high volumes of books, binders, paper bundles and other bulk materials to tiny particles. Depending on the model, these machines can also pulverize CDs, DVDs, floppy disks, microfilm, credit cards, ID badges, tape cassettes and circuit boards, slicing them into indecipherable fragments at rates of up to two tons per hour. Other machines, designed specifically for optical media, completely remove the data-bearing surface from CDs and DVDs. Because they leave the inner disc hub intact, the hub serves as proof of destruction, eliminating the need for detailed logs and witnesses where certification of destruction is required.

Old computers can tell tales

Security may become an issue when a practice donates old computers to a school or some other organization. Most people don't know that when a digital file is "deleted," the information remains on the computer's hard drive or on a formatted diskette; the same is true of deleted e-mail messages and records of online activity. Only the filesystem's reference to the data is removed, and the data itself is recoverable with readily available tools. Disk-wiping software prevents unauthorized recovery by overwriting entire drives or disks, or particular sections of them, before these magnetic media are discarded or reused. Overwritten areas should be unreadable, but look for a software product that meets or exceeds the Department of Defense standard for permanent erasure of digital information. When you require absolute certainty in erasing magnetic media, certain degaussers remove all recorded information in a single pass, allowing diskettes, audio and video tapes, and four- and eight-millimeter data cartridges to be reused many times with no interference from previous use. Note that degaussing a hard drive also erases the servo information the drive needs to operate, so a degaussed hard drive is erased but not reusable. Hand-held degaussing wands can erase floppy disks and, if their field strength is sufficient for the coercivity of the media, hard disks. For both electronic and paper records, the variety of equipment on the market today enables a medical practice to tailor record disposal to its particular needs.
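The following Python script is an added illustration of the point made above, and of the PIPEDA discussion earlier on this page about overwriting electronic copies with non-sensitive data; it is not part of Leonard Rosen's article and does not model any SEM product. It builds a toy "disk image" with a small directory table, shows that "deleting" a record clears only the directory entry while the bytes stay carvable from the raw image, and then overwrites the region and reads it back to verify that nothing of the original survives. The image layout, the sample patient record and all function names are constructed for this example.

```python
"""Toy disk image: 'deleting' a file removes only its directory entry.

Constructed for this example. Layout: DIR_SLOTS fixed-size directory
entries (name, offset, length) at the front, then a data area. This is
close enough to real filesystems to show why a deleted record is still
carvable from raw bytes until it is overwritten.
"""
import os
import re
import struct

ENTRY = struct.Struct("<16sII")   # name (16 bytes, NUL padded), offset, length
DIR_SLOTS = 8
DATA_START = ENTRY.size * DIR_SLOTS


def new_image(size=4096):
    """A blank image: all zero bytes, directory empty."""
    return bytearray(size)


def _entries(img):
    """Yield (slot, name, offset, length) for every directory slot."""
    for slot in range(DIR_SLOTS):
        name, off, ln = ENTRY.unpack_from(img, slot * ENTRY.size)
        yield slot, name.rstrip(b"\0").decode(), off, ln


def write_file(img, name, data):
    """Append data to the data area and record it in the first free slot."""
    free_slot, used_end = None, DATA_START
    for slot, _, off, ln in _entries(img):
        if ln == 0 and free_slot is None:
            free_slot = slot
        used_end = max(used_end, off + ln)
    if free_slot is None or used_end + len(data) > len(img):
        raise RuntimeError("image or directory full")
    img[used_end:used_end + len(data)] = data
    ENTRY.pack_into(img, free_slot * ENTRY.size, name.encode(), used_end, len(data))
    return used_end


def list_files(img):
    """What the user sees: names of files with a live directory entry."""
    return [name for _, name, _, ln in _entries(img) if ln]


def delete_file(img, name):
    """'Delete' as most filesystems do: clear the directory entry only."""
    for slot, n, off, ln in _entries(img):
        if n == name and ln:
            ENTRY.pack_into(img, slot * ENTRY.size, b"", 0, 0)
            return off, ln
    raise FileNotFoundError(name)


def carve(img, needle):
    """What a recovery tool does: ignore the directory, scan the raw bytes."""
    return [m.start() for m in re.finditer(re.escape(needle), bytes(img))]


def overwrite(img, off, ln, passes=(b"\x00", b"\xff", None)):
    """Sanitize a region with fixed patterns, then random data (None)."""
    for pat in passes:
        img[off:off + ln] = os.urandom(ln) if pat is None else pat * ln


def verify_overwritten(img, off, ln, original, window=8):
    """Read the region back and confirm no window of the original survives."""
    region = bytes(img[off:off + ln])
    return all(original[i:i + window] not in region
               for i in range(len(original) - window + 1))


def demo():
    """Delete, carve, overwrite, verify; returns the observations."""
    img = new_image()
    # Constructed sample record; nothing here is real patient data.
    record = b"PATIENT: Jane Doe  MRN 0001234  DX: hypertension\n" * 4
    off = write_file(img, "notes.txt", record)
    delete_file(img, "notes.txt")
    hits_after_delete = carve(img, b"MRN 0001234")   # directory says gone...
    overwrite(img, off, len(record))
    hits_after_wipe = carve(img, b"MRN 0001234")
    return {
        "listed_after_delete": "notes.txt" in list_files(img),
        "carved_after_delete": len(hits_after_delete),
        "carved_after_wipe": len(hits_after_wipe),
        "verified_clean": verify_overwritten(img, off, len(record), record),
    }


if __name__ == "__main__":
    print(demo())
```

The model deliberately ignores what real media do: hard drives silently remap failing sectors, and SSDs write new copies under wear levelling, so an overwrite issued through the filesystem may never reach every copy of the data. That is why the articles on this page recommend degaussing (for magnetic media) or physical destruction when certainty is required, and why the verification step here reads back from the media rather than trusting that the write happened.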