Shredding Security Levels

January 20, 2022 at 8:17 pm by Amanda Canale

When it comes to the destruction of end-of-life media in the US market, there are strict guidelines and laws, issued by the National Security Agency (NSA) and the National Institute of Standards and Technology (NIST), that address how classified, top secret, and controlled unclassified information (CUI) must be disposed of and securely destroyed. For example, the NSA mandates specific particle sizes for top secret and classified data on every form of media, and it evaluates and lists end-of-life destruction devices for this purpose on its Evaluated Products List.

However, most other guidelines and laws that apply to other types of government and commercial information do not specify a destruction particle size, so they give no assurance that the chosen solution is actually effective. Most simply state that media should be destroyed with a shredder or other destruction device. In industries like healthcare, finance, banking, and education, the importance of properly disposing of end-of-life media is better defined, but the particle size requirements are left open to interpretation.

DIN standards are published by the Deutsches Institut für Normung (German Institute for Standardization), a non-governmental body recognized as Germany's national standards organization. Its standards cover rationalization, safety, environmental protection, and quality assurance for both government and the public. While often not mandated, DIN guidelines serve as a widely accepted global standard, and they bring clarity to otherwise vague end-of-life information destruction requirements.

Enter DIN 66399. This standard specifies destruction particle sizes for information residing on a wide range of media and groups them into protection categories.

Q: What is the DIN Standard 66399?

A: DIN 66399 is a globally accepted security standard for the shredding or destruction of all types of data media. It replaced the older DIN 32757, whose security levels are still quoted on many shredder data sheets, so check which standard a vendor's level number refers to.

Q: Who is it for?

A: It sets out the protective security required by commercial organizations, government departments, and individuals, so that each can make an informed choice of equipment for every level of secure destruction.

Introducing the Three Protection Categories

Class 1: normal protection for internal data, where disclosure would have a negative impact on a company or create a risk of identity theft for an individual.

Class 2: higher protection for confidential data, where disclosure would have a considerably negative effect on a company or could breach its legal obligations, or could harm an individual's social or financial standing.

Class 3: very high protection for confidential and top secret data, where disclosure could have terminal consequences for a company or government entity, or put an individual's health, safety, or personal freedom at risk.

However, at the end of the day these protection categories are guidelines. Businesses and organizations should always err on the side of caution when destroying end-of-life data. It's important to remember that a data breach is a data breach no matter the level of impact, and no matter when it takes place. There is no statute of limitations on compromised data: just because the information wasn't misused then doesn't mean it won't be in the future. It is therefore best practice to adhere to the above guidelines, and to the particle sizes below, for all of your data destruction.

Six Media Categories

DIN 66399 also defines six categories of media on which information may reside. They are as follows:

  • P: Paper based products
  • F: Film based products including micro-film, microfiche, slides, etc.
  • O: Optical media including CDs, DVDs, and Blu-ray Discs
  • T: Magnetic data media like floppy disks, ID cards, magnetic tapes and cassettes, etc.
  • H: Hard drives from computers, laptops, and external devices
  • E: Electronic data media like memory sticks, cards, solid state drives, mobile phones

Seven Specific Security Levels

Example: P = paper media requirements. For P-1 to P-3 (strip-cut) a particle qualifies by strip width OR by surface area; for P-4 to P-7 (cross-cut) it must satisfy both the maximum surface area AND the maximum strip width.

  Protection category   Media   Security level   Particle size requirement
  Class 1               P       P-1              Strips up to 12 mm wide, or particles with a maximum surface area of 2,000 mm²
  Class 1               P       P-2              Strips up to 6 mm wide, or particles with a maximum surface area of 800 mm²
  Class 1               P       P-3              Strips up to 2 mm wide, or particles with a maximum surface area of 320 mm²
  Class 2               P       P-4              Cross-cut particles with a maximum surface area of 160 mm² and a maximum strip width of 6 mm (e.g. 6 x 25 mm)
  Class 2               P       P-5              Cross-cut particles with a maximum surface area of 30 mm² and a maximum strip width of 2 mm (e.g. 2 x 15 mm)
  Class 3               P       P-6              Cross-cut particles with a maximum surface area of 10 mm² and a maximum strip width of 1 mm (e.g. 1 x 10 mm)
  Class 3               P       P-7              Cross-cut particles with a maximum surface area of 5 mm² and a maximum strip width of 1 mm (e.g. 1 x 5 mm)
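The compound rule in the paper table (width OR area for P-1 to P-3, width AND area for P-4 to P-7) is easy to misapply when qualifying a shredder from its measured output. The following Python is an added example, not SEM's code or part of the standard: it transcribes the paper thresholds above, rates a single particle, then rates a whole sample by its worst particle, which is what matters when one oversized piece in the bin would downgrade the lot. The measurements at the bottom are constructed for illustration, and the "worst particle" policy is this example's assumption, not a rule quoted from DIN 66399.

```python
"""Qualify a paper shredder's output against the DIN 66399 P-1..P-7 levels.

Added example, not SEM's code: the thresholds are transcribed from the
paper table above; the measured particle samples at the bottom are
constructed for illustration.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class PaperLevel:
    level: int             # P-1 .. P-7
    protection_class: int  # DIN 66399 protection category 1..3
    max_area_mm2: float    # maximum particle surface area
    max_width_mm: float    # maximum strip / particle width
    cross_cut: bool        # True: area AND width must both hold (P-4..P-7)
                           # False: width OR area suffices (P-1..P-3)


# Thresholds from the DIN 66399 paper table on this page.
PAPER_LEVELS = (
    PaperLevel(1, 1, 2000, 12, False),
    PaperLevel(2, 1, 800, 6, False),
    PaperLevel(3, 1, 320, 2, False),
    PaperLevel(4, 2, 160, 6, True),
    PaperLevel(5, 2, 30, 2, True),
    PaperLevel(6, 3, 10, 1, True),
    PaperLevel(7, 3, 5, 1, True),
)


def meets_level(width_mm: float, length_mm: float, rule: PaperLevel) -> bool:
    """True if a single particle of width x length satisfies one level's rule."""
    if width_mm <= 0 or length_mm <= 0:
        raise ValueError("particle dimensions must be positive")
    # Treat the narrower side as the width: the strip width is the dimension
    # the knives fix, whichever way the piece happens to lie when measured.
    width_mm, length_mm = sorted((width_mm, length_mm))
    area = width_mm * length_mm
    if rule.cross_cut:
        return area <= rule.max_area_mm2 and width_mm <= rule.max_width_mm
    return width_mm <= rule.max_width_mm or area <= rule.max_area_mm2


def classify_particle(width_mm: float, length_mm: float) -> tuple[int, int]:
    """Return (highest P level met, its protection class); (0, 0) if none.

    The levels nest (anything meeting P-n also meets P-(n-1)), so the highest
    satisfied level characterises the particle.
    """
    best = (0, 0)
    for rule in PAPER_LEVELS:
        if meets_level(width_mm, length_mm, rule):
            best = (rule.level, rule.protection_class)
    return best


def classify_sample(particles) -> tuple[int, int]:
    """Rate a whole output sample by its WORST (largest) particle.

    Assumption of this example: a shredder only earns a level if every
    particle measured meets it, so one oversized piece drops the rating.
    """
    if not particles:
        raise ValueError("empty sample")
    return min(classify_particle(w, l) for w, l in particles)


def meets_class(particles, required_class: int) -> bool:
    """True if the sample meets or exceeds the required protection category."""
    return classify_sample(particles)[1] >= required_class


if __name__ == "__main__":
    # Constructed measurements (mm) for three hypothetical shredders.
    strip_cut = [(5.8, 297.0), (5.9, 297.0)]          # full-length 6 mm strips
    cross_cut = [(4.0, 38.0), (3.9, 40.0)]            # roughly 4 x 40 mm cross-cut
    micro_cut = [(1.0, 4.5), (0.9, 5.0), (1.0, 9.0)]  # one oversized 1 x 9 piece
    for name, sample in [("strip", strip_cut), ("cross", cross_cut), ("micro", micro_cut)]:
        level, cls = classify_sample(sample)
        print(f"{name}: P-{level}, class {cls}, meets class 2: {meets_class(sample, 2)}")
```

Note how the strip-cut machine stops at P-2 even though its strips are narrow: a 6 mm strip never satisfies P-3 on width, and a full-page strip is far over 320 mm² on area. The micro-cut sample would be P-7 on its best pieces but rates P-6 because of the single 1 x 9 mm particle.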

Maximum Shred Size for Other Media

Maximum particle surface area (or required physical condition) for each security level. The column letters follow the media categories above: T is magnetic data media such as tapes and cards, H is hard drives.

  Protection category   Film (F)         Optical (O)      Magnetic media (T)   Hard drives (H)   Electronic (E)
  Class 1               F-1  160 mm²     O-1  2,000 mm²   T-1  Inoperable       H-1  Inoperable   E-1  Inoperable
                        F-2  30 mm²      O-2  800 mm²     T-2  Split            H-2  Damaged      E-2  Split
                        F-3  10 mm²      O-3  160 mm²     T-3  2,000 mm²        H-3  Deformed     E-3  160 mm²
  Class 2               F-4  2.5 mm²     O-4  30 mm²      T-4  320 mm²          H-4  2,000 mm²    E-4  30 mm²
                        F-5  1 mm²       O-5  10 mm²      T-5  160 mm²          H-5  320 mm²      E-5  10 mm²
  Class 3               F-6  0.5 mm²     O-6  5 mm²       T-6  10 mm²           H-6  160 mm²      E-6  1 mm²
                        F-7  0.2 mm²     O-7  0.2 mm²     T-7  2.5 mm²          H-7  10 mm²       E-7  0.5 mm²

Q: How does SEM meet these requirements?

A: As a supplier of information destruction systems for the past 50 years, SEM provides solutions for every destruction level in the DIN 66399 guidelines. From machines that shred paper and optical discs to those that destroy hard drives and data tapes (and more), SEM has the answer.

Data Privacy Day 2022

January 18, 2022 at 1:59 pm by Amanda Canale

Every year on 28 January, the National Cybersecurity Alliance (NCA) runs an informative and engaging social media campaign to raise public awareness of data security and protection best practices. The international campaign, Data Privacy Day (DPD), encourages organizations to comply with privacy laws and regulations and educates people on how to protect and manage their personally identifiable information (PII).

Even in the age of Big Media, millions of people are unaware of the various ways their PII is collected, used, shared, and even sold. The annual campaign is aimed at anyone with any sort of online presence. This internationally recognized day was established in 2008 in North America as an extension of Data Protection Day in Europe, which commemorates the signing of Convention 108 on 28 January 1981, the first legally binding international treaty to address data privacy.

In 2022, the NCA expanded Data Privacy Day into a week-long initiative called Data Privacy Week. The week, running from 24 to 28 January, offers steps, goals, and webinars that individuals and organizations alike can take and attend, encouraging transparency about how customer data is used.

You can find a full list of Data Privacy Week events on the NCA's website. Below, we break down the major takeaways for both individuals and organizations.

Individual Level: Keep It Private

When it comes to keeping our PII and personal health information (PHI) safe, it is crucial that we follow data security and privacy best practices, because that information is extremely valuable to attackers and thieves. Information such as your IP address, purchase history, and location can tell an attacker a great deal about your income, spending habits, card details, and where you live. Remember, identity theft is not a joke.

If it helps to understand why keeping your information safe matters, imagine each piece of identifying information (whether your IP address or your credit card statements) as having a monetary value. According to the IBM and Ponemon Institute report, the average cost of a data breach in 2020 was approximately $3.86 million. While most of that cost is reputation maintenance and regulatory fines borne by businesses, the costs add up just the same when it's your PII on the line. (Read more in our earlier blog on the cost of a data breach.) You wouldn't willingly hand over money from your wallet, so don't do the same with your information.

NCA Recommended Steps to Take:

Understand the privacy/convenience tradeoff

Today, before you can even use most apps, they ask for access to personal information ranging from your geographic location to your contacts and photo albums. By granting that access, you may be giving up far more than necessary. For example, why does a mindless gaming app need your contacts and location for you to play? Make an informed decision: weigh whether the information requested is really necessary, how the benefit compares with the tradeoff, and whether you need the app at all.

Manage your privacy

Once you deem an app worthy of your time and phone storage, take an extra moment to review its privacy and security settings and adjust them to your comfort level. The NCA's Manage Your Privacy Settings page is a good guide to finding the settings for your favorite apps.

Protect your data

Data privacy and data security are not interchangeable, but they come as a package. Use best practices such as long, unique passwords for every account, multi-factor authentication wherever it is offered, and a password manager to keep your passwords secure and up to date.

Organization Level: Respect Privacy

According to a recent Pew Research Center study, approximately 79% of adults in the US are concerned about how companies use their personal data. As an organization, the privacy of your consumers' and customers' data should be your utmost concern. By respecting their data and being transparent about its use, an organization earns trust, which in turn supports its reputation and growth.

NCA Recommended Steps to Take:

Conduct an assessment

Regardless of whether your company operates locally, nationally, or globally, it is important to understand the privacy laws and regulations of every jurisdiction in which you do business and to ensure they are followed. In addition, evaluate your security measures, review who has access to individuals' personal information, and screen outside partners and vendors to ensure they are not misusing your consumers' information.

Adopt a privacy framework

Find a privacy framework that works for you, your organization, and your consumers, to help mitigate risk and build a privacy culture within your organization. The NCA recommends reviewing the following frameworks to start: the NIST Privacy Framework, the AICPA Privacy Management Framework, and ISO/IEC 27701, the international standard for privacy information management.

Educate employees

By building an office culture around data privacy and data security, you teach your employees not only how to keep their own personal information safe but how to better serve your consumers and protect theirs. Engage staff by asking how they view your current privacy culture, implement mandatory training and webinars, and reassess your standards regularly.

In addition to these methods, transparency about how you collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what their information will be used for, and protect their information by default rather than leaving it to them to find the right settings.

And lastly, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — securely destroy it to prevent leaks and data breaches down the road.


Data Privacy Day 2021

January 27, 2021 at 8:00 am by Amanda Canale

It may seem contradictory, but even in the age of Big Media, millions of people are still uneducated about how to keep their information safe and uninformed about how it is used or shared. This is where Data Privacy Day comes in. Data Privacy Day (DPD) is part of an international effort to encourage compliance with privacy laws and regulations and to educate people on how to protect and manage their personally identifiable information (PII).

Every year on 28 January, the National Cyber Security Alliance (NCSA) runs an engaging and informative campaign to raise awareness of data security and protection best practices, especially around social networking. The campaign is aimed at anyone with an online presence, business or personal, and offers collaborative opportunities across government, academia, privacy experts, and nonprofit organizations. This internationally recognized day was established in 2008 in North America as an extension of Data Protection Day in Europe, which commemorates the signing of Convention 108 on 28 January 1981, the first legally binding international treaty to address data privacy.

In 2020, the world experienced what felt like an onslaught of events that directly disrupted people's lives: environmental disasters, social justice movements, an economic downturn, a pandemic, and much more. Technology advanced at a remarkable pace over the past year to keep up with a changing world, but what about data privacy? Have best practices been left behind for the sake of keeping pace?

This year’s theme for Data Privacy Day is Own Your Privacy. A 2019 Pew Research Center report stated that 84% of consumers want more control over how their data is being used.


Protect Your Data: At Home

When it comes to keeping our PII safe, it is crucial that we follow data security and privacy best practices, because that information is extremely valuable to attackers and thieves. Information such as your IP address, purchase history, and location can tell an attacker a great deal about your income, spending habits, card details, and where you live, for starters.

It helps to think of your personal information as being as valuable as the money in your bank account and wallet, simply because it is. According to the IBM and Ponemon Institute report, the average cost of a data breach in 2020 was approximately $3.86 million. While most of that cost is reputation maintenance and regulatory fines borne by businesses, the costs add up just the same when it's your PII on the line. At the individual level, people can suffer identity theft, monetary theft, damage to their credit score, and much more, all of which costs money and time to put right. You wouldn't willingly hand over money from your wallet, so don't do the same with your information.

As important as that mindset is, it is just as crucial to keep track of where you willingly hand over your information: every time you are asked for it (in a web form, an email, a mailing list, and so on), consider whether you can really trust the request. Nobody enjoys reading the fine print of terms and conditions, but if data protection is your goal, as it should be, it is highly recommended that you do. According to a 2019 Pew Research Center report, 74% of people rarely or never read a company's policy before accepting it. By reading the policy, you gain a much better understanding of whether the information requested is required, or even relevant, for the service being offered.

In addition to reading the fine print, routinely delete accounts and apps you no longer use, keep your applications updated, and manage your privacy settings. In just a few moments you can bring your privacy and security settings up to your comfort level. The NCSA offers good resources on locating the privacy settings of online services and popular devices. This way you stay mindful of what your information is worth, what you give out, and what a company's policy actually requires.

For tips on how to keep your data safe while working from home, refer back to our previous blog, How to Properly Handle Information While Working From Home.


Protect Your Data: At Work

Data privacy and security best practices may differ between businesses and individuals, but they are just as important. As we move further into the digital age, attackers no longer need to breach a facility's physical perimeter to steal information. They can reach your confidential information remotely through phishing, compromised cloud services, and other more advanced methods. (And don't forget dumpster diving for hard drives, USB drives, and paper.)

From January to June 2019 alone, there were over 3,800 publicly disclosed data breaches exposing 4.1 billion records. Yes, four billion records compromised within a six-month window. As discussed above, data breaches can cost millions of dollars in reputation maintenance and fees. The most expensive type of record is customer PII, at an average of about $146 per compromised record. Multiply that by the number of compromised records (keeping in mind that a single hard drive can hold a great many) and your company now has a burning hole in its pocket.

Businesses can keep their clients’ information safe by instilling secure processes for collecting and maintaining relevant information for legitimate purposes. The motto should always be, “if you collect it, protect it.” One of these processes can be researching and designing a privacy framework your company can use to help manage risk assessment, along with conducting routine assessments of your data collection practices. Keep up to date on privacy laws and records retention schedules so you know when your client and employee information will expire, and what laws and regulations apply to your specific business. Train and educate current and future employees of their and your business’ obligations to protect personal or confidential information.

In addition to these methods, transparency about how you collect, use, and share consumer information is crucial. Be up front and honest with your clients, users, or consumers about what their information will be used for, and protect their information by default rather than leaving it to them to find the right settings.

And last but not least, when your information-bearing media reaches end-of-life — whether hard drives, portable IT storage, or even paper — destroy it to prevent leaks that could happen for many years down the road.

You can find more information about the costs of data breaches by visiting our previous blog, Cost of a Data Breach vs. Hard Drive Crusher: How You Can Save Millions.

Data Privacy Day in a Consumer Driven Economy

January 22, 2020 at 7:47 pm by Flora Knolton

Data Privacy Day is an international effort, observed every year on January 28th, to raise awareness of the importance of respecting privacy, safeguarding data, and building trust. It was established in 2008 in the USA and Canada as an extension of Data Protection Day in Europe. Data Privacy/Protection Day honors the signing of Convention 108 in 1981, the first legally binding international treaty to acknowledge data privacy concerns.


Consumers around the world are becoming more aware each year of how much their personal data is worth. Research by the Lares Institute found that 40% of consumers, particularly those with higher incomes, have made buying decisions based on privacy. In addition, 51% of consumers say that in the past two years they have been notified by a company or government agency that their personal information was lost or stolen in one or more data breaches. The study shows how data loss erodes shareholder value as well as customer loyalty.


Businesses are wise to be just as cautious as their customers. Big organizations like Facebook and Amazon make the headlines when it comes to data breaches, yet 60% of small and mid-sized companies go out of business within six months of a cyber-attack. Attacks and breaches have increased sharply over the last decade, and as a result data protection regulations around the world now require businesses to implement concrete data protection measures. In short, the digital economy has forced businesses to rethink their data security priorities and practices. Practicing data privacy is as important as customer service and, since GDPR came into force, is typically a regulatory requirement as well. Below are a few ways companies can take their data privacy preparation further.


If corporations are people too, they should empathize with consumers. Companies can improve customer retention by focusing on the needs of the individuals who entrust them with their data. Privacy has become a marketing theme in the technology industry, but marketing new privacy measures is no longer a concern only for tech companies in this digital economy. Companies that take precautions to protect their consumers' data will outpace competitors who take a passive approach.

Educate the consumer. Whether an employee or a customer, the end user is the best line of defense against an attack. Many federal statutes already apply in industry-specific contexts, such as HIPAA, FCRA, FACTA, and the Privacy Act of 1974, alongside industry standards such as PCI DSS. These laws attempt to protect an individual's personally identifiable information (PII) by restricting how a company may share it. Employees must know the proper data destruction method for each kind of PII-bearing media so that the data cannot end up in the wrong hands, and explaining to customers how their data will be destroyed after use helps retain their loyalty. Whether the media is a solid-state drive (SSD) or a hard disk drive (HDD), a drive that has failed, been formatted, or been only partially overwritten can still hold recoverable data, and on an SSD wear leveling and over-provisioning mean an overwrite cannot be verified to have reached every cell. Meanwhile, advances in computing make it possible to process vast amounts of information, and new challenges keep emerging as the technology evolves.

Adopt an Acceptable Use Policy (AUP). Acceptable use policies set out when and how employees may use the business's systems and internet access, and they answer the questions employees are likely to have about handling PII: who needs access to PII, which regulations the company must follow, where the vulnerabilities lie in the company's use of PII, and what rules and permissions personnel must follow. Regardless of how data is compromised or lost, or how small the company is, fines are among the largest and most effective known consequences for mishandling personal data. And a breach of personal data can also severely damage the brand's reputation, erode customer trust, hurt employee morale, and drive up recovery costs afterwards. As an example, Health Net of the Northeast Inc. agreed to pay for two years of credit monitoring for 1.5 million members whose details were on a single lost hard drive.

Overall, by empathizing with the individuals at risk, organizations gain perspective on their clients' privacy and strengthen the trust that relationship depends on. Employees and users must be taught how PII is controlled, using technology that embodies sound data privacy practice. By enforcing acceptable use policies, a company lays the groundwork for how that technology is used with respect to PII and who is permitted to handle it. There are many other protective measures a company can take to reinforce data privacy, but being mindful of these few can set your business apart from its competitors.