The True Cost of Data Breaches

March 1, 2019 at 9:14 pm by Paul Falcone

While you may be hearing about them more and more frequently, the truth is that data breaches have been occurring since before the digital age. For instance, an unauthorized person viewing a hard copy of medical files is considered a data breach. But it’s our heavy reliance on digital platforms to store data that has brought security issues, and thus data breaches, to a whole new level. In fact, identity theft from exposed data records is the most common type of data breach incident across the globe.

Data Breaches are Rising

According to recent statistics compiled by Statista, data breaches across the United States have been on the rise for over 10 years, and it’s not a small incline by any measure. In fact, the recorded number of breaches in the US has gone from 157 million in 2005 to 1.579 billion in 2017. What’s more, nearly all of these 2017 breaches were amassed in the business sector.

In the first half of 2018 alone, there were 668 million breaches recorded, totaling over 22 million data records that were exposed.

The Costs: More than Just Money

The rise in data breaches has also caused a correlated rise in the financial costs of the breaches. In fact, a recent study conducted by IBM Security and the Ponemon Institute reported that in 2018, the average global cost of a breach was up to $3.86 million, and the average cost per exposed data record was $148 per record. These increases are largely due to the increase in data breach sizes. That is, the financial costs of data breaches keep going up because the data breaches themselves are exposing larger amounts of data.

These financial costs extend beyond the money the organization pays out to recover the exposed data. For one, if the organization is publicly traded, its stock value could decrease. For another, its shareholder or stakeholder base could also shrink, furthering the financial loss of the organization. In addition, if the breach includes information on European citizens, fines imposed under GDPR can total up to 20 million Euros or four percent of the company’s global annual revenue, whichever is higher.

Yet the financial cost is just the tip of the ‘iceberg of cost’ for organizations that fall victim to a data breach.

Data breaches involve such private data as Personal Health Information (PHI), Payment Card Information (PCI) and Personally Identifiable Information (PII), as well as trade secrets and intellectual property. When these types of personal data are exposed, it can compromise not only the integrity and reputation of the organization from which it came, but also its consumer base. On an individual level, it could negatively affect everything in that person’s life, from their ability to buy a home and get a job, to that person’s financial standing and even their mental health.

The effects on the consumer level can then have even more adverse effects on the organization, because with a data breach comes a more intangible breach: one of trust between the consumer and the organization. Often, when a consumer loses trust in an organization, it is extremely difficult to build back that relationship.

It’s not an easy fix. It takes a lot of time and persistent effort on the part of the organization to earn that trust back; whether that’s literal time and effort on the part of the organization’s employees, or money and time spent in PR management and in marketing communication to try to change the consumer’s perception of the organization. While some organizations have the business foundation and financial backing to recover from a breach, for others such reputational and consumer damage could be catastrophic to the business. In fact, approximately 60 percent of small businesses that suffer a data breach go out of business within six months.

Of course, one way to ensure data security within your organization is to protect your data and destroy old drives as soon as they reach the end of their life cycle. Proper data disposal means destroying both the data stored and the device or media on which the data is stored. It’s important to remember that for digital media, the device should first be degaussed before it is destroyed by means of shredding, pulverization, melting, disintegration, or incineration, rendering both data and device unreadable and impossible to reconstruct.

You can work with a third party vendor who will destroy your data and drives for you; however, the safest and most secure way to dispose of data is to work with a vendor like SEM who provides your organization with the necessary data disposal machinery that can be kept on-site and be used only by your authorized personnel. By keeping the end-of-life destruction on site, you not only have the most secure procedures, but save the most money.

Ultimately, don’t take the chance when it comes to breaches. The real cost is too great – losing money, your business, and your entire company or organization is preventable. Take the steps today to ensure your future is safe and secure.

The Importance of the NIST 800-88 Standard for Media Sanitization in Secure Data Destruction

November 21, 2018 at 4:00 pm by Heidi White

Trends in data storage are changing at an exponential rate. The past few years alone have seen the progression of data storage from large servers with magnetic media to cloud-based infrastructure with increasingly dense solid state media. Along with every technological advancement in data storage has come the inexorable advancement of data theft. As a result, the scope and level of responsibility for protecting sensitive and Personally Identifiable Information (PII) has expanded to include not only the originators of data, but also all of the intermediaries involved in the processing, storage, and disposal of data. To address these critical issues and to protect organizations and citizens of the United States, the Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) has developed NIST 800-88 “Guidelines for Media Sanitization” to promote information system security for all other applications outside of national security, including industry, government, academia, and healthcare. NIST 800-88 has become the predominant standard for the US Government, being referenced in all federal data privacy laws, and has now been overwhelmingly adopted by the private sector as well.

NIST 800-88 assumes that organizations have already identified the appropriate information categories, confidentiality impact levels, and location of the information at the earliest phase of the system life cycle as per NIST SP 800-64 “Security Considerations in the Systems Development Life Cycle.” Failing to initially identify security considerations as part of the data lifecycle opens up the strong potential that the organization will fail to appropriately maintain control of and protect some media that contains sensitive information.

Confidentiality and Media Types

Confidentiality is defined by the Title 44 US Code as “preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.” FIPS 199 — NIST’s Federal Information Processing Standard Publication 199, Standards for Security Categorization of Federal Information and Information Systems — adds that “a loss of confidentiality is the unauthorized disclosure of information.” Bearing these definitions in mind, organizations must establish policies and procedures to safeguard data on used media. Common methodologies of illicit data recovery include basic acquisition of clumsily sanitized media either through third party sale or old-fashioned dumpster diving, or the more sophisticated laboratory reconstruction of inadequately sanitized media.

Currently, two types of basic media exist: hard copy and electronic. Commonly associated with paper printouts, hard copy actually encompasses a lot more. In fact, all of the materials used in the printing of all types of media, including printer and fax ribbons for paper and foils and ribbons for credit cards, are considered hard copy. Electronic media consists of any devices containing bits and bytes, including but not limited to rotational and solid state hard drives, RAM, boards, thumb drives, cell phones, tablets, office equipment including printer and fax drives, server devices, flash memory, and disks. It is expected that, considering the rate at which technology is progressing, additional media types will be developed. NIST 800-88 was developed in such a way that sanitization and disposal best practices pertain to the information housed on media rather than the media itself, allowing the guideline to more successfully stay current with future innovations.

Media Sanitization – Methodologies, Responsibilities, and Challenges

Three methodologies of media sanitization are defined by NIST 800-88 as follows:

  • Clear applies logical techniques to sanitize data in all user-addressable storage locations for protection against simple non-invasive data recovery techniques; typically applied through the standard Read and Write commands to the storage device, such as by rewriting with a new value or using a menu option to reset the device to the factory state (where rewriting is not supported).
  • Purge applies physical or logical techniques that render Target Data recovery infeasible using state of the art laboratory techniques.
  • Destroy renders Target Data recovery infeasible using state of the art laboratory techniques and results in the subsequent inability to use the media for storage of data.

Clear

One of the most commonly used clearing methodologies for data sanitization on magnetic media has traditionally been overwriting using dedicated sanitize commands. Note that basic read/write overwriting is never recommended as it does not address all blocks on the media. Drawbacks to overwriting using sanitize commands are two-fold: 1) it is only effective for magnetic media, not solid state or flash, and 2) this methodology is wide open to operator error and theft, as well as undetected failure.

Purge

SEM’s high security degausser can be used to purge data

A common form of purging used for magnetic media sanitization is electromagnetic degaussing, whereby a dedicated degaussing device builds up electrical energy and, when discharged, creates a magnetic field that removes the data from the device. Degaussing has long been an acceptable form of media sanitization for top secret government information when used in tandem with a hard drive destruction device such as a crusher or shredder. Degaussing alone poses the same concerns as overwriting in that operator error or deceit remains a possibility. In addition, the strength of the degausser is critical when eliminating sensitive information from magnetic media. Typically, degaussers evaluated and listed by the National Security Agency (NSA) are considered the gold standard.

Destroy

While clearing and purging provide adequate media sanitization for less sensitive data, destroying is the most effective and permanent solution for secure data applications. Organizations should take into account the classification of information and the medium on which it was recorded, as well as the risk to confidentiality. As the internet continues to expand and the switch from physical to digital document-keeping becomes the industry standard, more and more data holds PII such as financials, health records, and other personal information such as that collected for databases or human resources. As a result, security-focused organizations are becoming more cognizant of the fact that comprehensive data sanitization — including destruction — must become a top priority.

SEM disintegrators shred particles to a nominal 2mm size

Industry-tested and accepted methodologies of secure data destruction include crushing, shredding, and disintegration, but even these secure end-of-life solutions require thoughtful security considerations. For example, shredding rotational hard drives to a 19mm x random shred size provides exceptional security for sensitive information. However, a 19mm shred size would not even be an option for solid state media, which store vast amounts of data on very small chips. Instead, sensitive solid state media should be shredded to a maximum size of only 9.5mm x random, while best practice for the destruction of highly sensitive or secret information is to disintegrate the media to a nominal shred size of 2mm². In addition, some destruction devices such as disintegrators are capable of destroying not only electronic media, but also hard copy media such as printer ribbons and employee ID cards, providing a cost-effective sanitization method for all of an organization’s media.

Responsibilities and Verification

While NIST 800-88 has become the industry standard for secure data sanitization, the guidelines do not provide definitive policies for organizations. Rather, NIST 800-88 leaves the onus of appropriate data sanitization to organizations’ responsible parties including chief information officers, information security officers, system security managers, as well as engineers and system architects who are involved in the acquisition, installation, and disposal of storage media. NIST 800-88 provides a decision flow that asks key stakeholders questions regarding security categorization, media chain of custody including internal and external considerations, and potential for reuse.
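The decision flow described above, worked through as an added example (this is not NIST’s own figure and not SEM’s code). The inputs are the three questions the post names: security categorization, whether the media leaves organizational control (chain of custody), and whether it will be reused. The exact branching below is a simplified reading of the flow and should be treated as an assumption; the particle-size ceilings are the shred sizes quoted earlier in the post, and the verification step attached to each outcome follows the post’s statement that reused media needs a third-party read-back test while destroyed media does not.

```python
"""Simplified model of the NIST 800-88 sanitization decision flow, plus a
particle-size check for destroyed media. Added example; the branching is an
assumption, the sizes are the ones quoted in the post."""
from dataclasses import dataclass

# Particle-size ceilings quoted in the post, longest edge in millimetres.
MAX_PARTICLE_MM = {
    "rotational": 19.0,   # 19mm x random shred for rotational drives
    "solid_state": 9.5,   # 9.5mm x random shred for SSD / flash
}
HIGHLY_SENSITIVE_MM = 2.0  # disintegrate to nominal 2mm² regardless of media


@dataclass
class Disposition:
    method: str        # "Clear", "Purge" or "Destroy"
    verification: str  # what must follow the method before the media moves on
    reason: str


REUSE_CHECK = "third-party read-back test before reuse"
DESTROY_CHECK = "inspect particle size against the ceiling; no read-back possible"


def select_method(categorization: str, reuse: bool, leaves_control: bool) -> Disposition:
    """Map (FIPS 199 categorization, reuse?, leaves org control?) to a method.

    Assumed branching: media that will not be reused is destroyed; High
    categorization steps up one level (Purge in-house, Destroy if it leaves);
    Low/Moderate are Cleared in-house and Purged if they leave control."""
    cat = categorization.lower()
    if cat not in ("low", "moderate", "high"):
        raise ValueError(f"unknown categorization: {categorization}")
    if not reuse:
        return Disposition("Destroy", DESTROY_CHECK, "media will not be reused")
    if cat == "high":
        if leaves_control:
            return Disposition("Destroy", DESTROY_CHECK, "high impact, leaving control")
        return Disposition("Purge", REUSE_CHECK, "high impact, reused in-house")
    if leaves_control:
        return Disposition("Purge", REUSE_CHECK, f"{cat} impact, leaving control")
    return Disposition("Clear", REUSE_CHECK, f"{cat} impact, reused in-house")


def particle_size_ok(media: str, longest_edge_mm: float, highly_sensitive: bool = False) -> bool:
    """Post-destruction check: does the observed particle size meet the ceiling
    for this media type (or the 2mm ceiling for highly sensitive data)?"""
    limit = HIGHLY_SENSITIVE_MM if highly_sensitive else MAX_PARTICLE_MM[media]
    return longest_edge_mm <= limit


if __name__ == "__main__":
    for args in (("low", True, False), ("moderate", True, True),
                 ("high", True, True), ("high", False, False)):
        print(args, "->", select_method(*args))
    print("SSD at 12mm:", particle_size_ok("solid_state", 12.0))
```

The point of returning a `verification` string with each method is that the flow does not end at the method: reused media gets a read-back test, destroyed media gets a particle-size inspection, and both get documented.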

Regardless of the sanitization method chosen, verification is considered an essential step in the process of maintaining confidentiality. It should be noted that verification applies not only to equipment and sanitization results, but also to personnel competencies. Sanitization equipment verification includes testing and certification of the equipment, such as NSA evaluation and listing, as well as strict adherence to scheduled maintenance. Organizations should fully train personnel responsible for sanitization processes and continue to train with personnel turnover. Lastly, the sanitization result itself must be verified through third party testing if the media is going to be reused. When media is destroyed, no such verification is necessary, as the pulverized material itself is verification enough. Because third party testing can be impractical, time consuming, and costly, many organizations choose to destroy media to ensure full sanitization of data and in doing so, to greatly mitigate risk.
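The read-back verification that the post says must follow sanitization when media is reused, as an added example (not part of NIST 800-88 and not SEM’s tooling). It checks a device or image file block by block against the overwrite pattern and reports the first block that still differs; the `every` parameter allows representative sampling instead of a full read, and the demo images are constructed data built in a temporary directory. The example also shows the post’s caveat about overwriting: a read-back can only see blocks the host can address, so a remnant in an unsampled block, or in a remapped or over-provisioned block the drive hides, is not detected.

```python
"""Sampled read-back verification of an overwrite ("Clear") result.

Added example. Reads an image or device back after an overwrite and checks
that every sampled block equals the overwrite pattern. It only covers blocks
reachable through ordinary reads, which is the limitation the post raises
about overwriting, especially on solid state media."""
import os
import tempfile

BLOCK = 4096  # assumed read unit for the check, in bytes


def expected_block(pattern: bytes, block_size: int = BLOCK) -> bytes:
    """Expand a short overwrite pattern (b"\\x00", b"\\xff", ...) to one block."""
    if not pattern:
        raise ValueError("pattern must be non-empty")
    reps = block_size // len(pattern) + 1
    return (pattern * reps)[:block_size]


def sample_offsets(size: int, block_size: int = BLOCK, every: int = 1) -> list:
    """Byte offsets of the blocks to read: every Nth block, always including
    the first and last block (partition tables and trailing metadata are where
    leftovers tend to sit). every=1 means a full read-back."""
    n_blocks = (size + block_size - 1) // block_size
    if n_blocks == 0:
        return []
    blocks = set(range(0, n_blocks, every))
    blocks.update({0, n_blocks - 1})
    return [b * block_size for b in sorted(blocks)]


def verify_overwrite(path: str, pattern: bytes = b"\x00",
                     block_size: int = BLOCK, every: int = 1) -> dict:
    """Return {"ok", "blocks_checked", "first_bad_offset"} for the image at path."""
    want = expected_block(pattern, block_size)
    checked = 0
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)   # works for block devices too, unlike getsize
        size = f.tell()
        for off in sample_offsets(size, block_size, every):
            f.seek(off)
            data = f.read(block_size)
            if data != want[:len(data)]:
                return {"ok": False, "blocks_checked": checked,
                        "first_bad_offset": off}
            checked += 1
    return {"ok": True, "blocks_checked": checked, "first_bad_offset": None}


def build_demo_images(size_blocks: int = 64) -> tuple:
    """Constructed sample data: a fully zeroed image and one where a single
    block (block 17) still holds old content. Returns (clean_path, dirty_path)."""
    d = tempfile.mkdtemp(prefix="clear-verify-")
    clean = os.path.join(d, "clean.img")
    dirty = os.path.join(d, "dirty.img")
    zeros = expected_block(b"\x00") * size_blocks
    with open(clean, "wb") as f:
        f.write(zeros)
    leftover = bytearray(zeros)
    remnant = b"CONSTRUCTED REMNANT: ssn=000-00-0000"  # placeholder, not real data
    pos = 17 * BLOCK + 100
    leftover[pos:pos + len(remnant)] = remnant
    with open(dirty, "wb") as f:
        f.write(bytes(leftover))
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = build_demo_images()
    print("clean, full read-back:", verify_overwrite(clean))
    print("dirty, full read-back:", verify_overwrite(dirty))
    print("dirty, every 8th block:", verify_overwrite(dirty, every=8))
```

Run against a real device the check would be pointed at the device node after the overwrite; the sampled run on the constructed dirty image passes while the full run fails, which is exactly why sampling is a trade-off to be documented rather than a free shortcut.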

Conclusion

NIST 800-88 was developed in an effort to protect the privacy and interests of organizations and individuals in the United States. Adopted by nearly all federal and private organizations, NIST 800-88 provides an outline of appropriate procedures for secure data sanitization that protects PII and confidential information while reducing organizational liability. Proper policies are arrived at by fully understanding the guidelines, following the sanitization and disposition decision flow, implementing data sanitization best practices, and engaging in ongoing training and scheduled maintenance. Because the NIST 800-88 guidelines do not provide a definitive one-size-fits-all solution and are admittedly extensive, working with a knowledgeable data sanitization partner is key to a successful sanitization policy.

The Ticking Timebomb: Data Breach from Hardware End-Of-Life

November 20, 2018 at 3:54 pm by Heidi White

As everyone in the industry knows, cybersecurity is a hot commodity these days. According to a definition by Techopedia, cybersecurity refers to preventative methods used to protect information from being stolen, compromised, or attacked. There are any number of ways to protect networks and data storage facilities from cyberattacks, and these methodologies are constantly evolving. Just as the flu virus mutates in reaction to vaccines, so do cybercriminals modify their nefarious behaviors in response to cybersecurity enhancements. Therefore, cybersecurity must constantly evolve, becoming more sophisticated and invasive. However, an often-overlooked area of cybersecurity leaves organizations susceptible to data breaches: hardware end-of-life.

Google Data Center, The Dalles, Oregon. Google data centers utilize SEM data destruction devices. Photo courtesy of Tony Webster.

As cloud storage continues to expand at an exponential rate, data centers are popping up all over the globe, and these gargantuan facilities are expected to safeguard the vast amount of data they store. It is now commonplace for data storage facilities to employ a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO) in an effort to stay ahead of hackers and criminals. CSOs and CISOs ensure that data centers are secure and protected by implementing sophisticated products and services including password protection, anti-virus/anti-malware software, software patches, firewalls, two-factor authentication, and encryption methods, all of which come at an extremely high economic cost. According to the 2017 Official Annual Cybercrime Report sponsored by Herjavec Group, it is predicted that global spending on cybersecurity products and services will exceed $1 trillion over the five-year period of 2017 to 2021. Clearly, organizations understand the criticality of a comprehensive data security plan. So why is hardware end-of-life, which is relatively inexpensive in comparison to other cybersecurity spending, not part of this plan?

The answer is simple: a devastating breach has not yet occurred through drive recovery. But it’s only a matter of time.

Airmen from the 341st Communications Squadron at Malmstrom Air Force Base replace worn computer parts, destroy used hard drives, and check system functions as part of their daily operations. The US Air Force utilizes SEM IT destroyers. Photo courtesy Malmstrom Air Force Base.

While it is well understood that recovering files from failed and erased hard drives is relatively simple, much of the evidence in hard drive recovery is anecdotal. Students from various higher learning institutions including MIT and University of Vancouver have conducted studies that found drives sold on eBay to contain sensitive data. Criminals in Africa are well known to salvage old drives from landfills and mine the data for identity theft. Even NAID has conducted a study that found sensitive information on eBay drives. Even more alarming is Idaho Power Company learning that over one third of the drives they had contracted to be destroyed and recycled actually ended up on eBay – along with the sensitive, confidential company and employee data they contained. And there are myriad similar studies and evidence of data recovery from failed or erased drives.

So where is the public outrage and demand for more secure drive disposal? The reality is that there has not yet been a truly significant breach as a result of hardware end-of-life recovery. The NSA has long understood that hardware end-of-life leaves sensitive information vulnerable, and they have strict regulations in place for dealing with information disposal, from paper to optical media to hard drives. But many organizations seem to think that erasure, overwriting, or a quick drill to the drive is “good enough” — dangerous thinking that could not be more erroneous.

SEM’s line of hard drive destroyers eliminate data and meet regulatory requirements.

Truly security-minded organizations understand that the only way to ensure data security and privacy at hardware end-of-life is on-site drive destruction. And while some forward-thinking CSOs and CISOs have already implemented such measures, most have not. It is only a matter of time before a major (read: expensive) breach occurs as a result of end-of-life drive recovery, at which time the masses will demand an explanation as to why drive destruction had not been addressed in the first place. To which I will say, “I told you so.”

Data Security and Third Party IT Asset Disposition – a Paradox

November 17, 2018 at 4:29 pm by Heidi White

Data security is a hot topic these days, and for good reason. In 2017 alone, 1,579 data breaches occurred in the United States with an average cost of $7.35 million per breach. According to the 2017 Data Breach Year-End Review released by the Identity Theft Resource Center (ITRC) and CyberScout, the 2017 breaches represent an unprecedented 44.7 percent increase over the record breaking number of breaches in 2016, and the number is only expected to grow. In fact, it is anticipated that the global cost of cybercrime will exceed $2 trillion by 2019, which is three times the 2015 estimate of $500 billion.

The top five categories of organizations affected by data breaches include general business, medical/healthcare, banking/credit/financial, education, and government/military, in that order. These categories certainly make sense since they are the organizations that house the most sensitive, and therefore illicitly valuable, data. It should come as no surprise that of these organizations, government/military rounds out the bottom with less than five percent of total breaches. After all, the federal government understands the need for secrecy, and has set the bar for data security and privacy. Even commercial organizations are now trying to implement best practices originally dictated and instituted by government agencies, including the Department of Defense (DoD), the National Security Agency (NSA), Homeland Security, and the Department of Securities and Exchange.

Data breaches affect the privacy and security of individuals, businesses, and governments while costing the breached organization extensively. Costs include everything from covering credit monitoring for affected individuals to settling lawsuits to lost business and reputation. Cost per record of a U.S. data breach is an astounding $245, while the average number of exposed records is over 28,000. Add to that the fact that, according to Soha Systems Survey on Third Party Risk Management, 63 percent of all data breaches are linked to third parties such as vendors, contractors, or suppliers, while only two percent of IT professionals consider third party security a top concern. Clearly, the criticality of data security throughout its lifecycle, including end-of-life which is typically either controlled by a third party IT asset disposition company or ignored altogether, cannot be overstated. The grim reality is that businesses are fully responsible for the data that they collect and store, and a breach resulting from third-party culpability does not deflect liability.

Agbogbloshie, Ghana – Many young men are developing cancer in their 20s as a result of the toxicity of the environment from discarded electronics

It is easy to illustrate the severity of data insecurity resulting from third parties. Ghana, well known to be one of the top sources of cybercrime globally, is home to Agbogbloshie, a digital graveyard in the slums on the bank of the exceedingly polluted Korle Lagoon. This area, known as Sodom and Gomorrah by outsiders, is one of many computer and electronics landfills around the globe. Not only is this area an environmental disaster due to the antimony, arsenic, lead, mercury, and other toxic metals leaching into the water and soil from the electronic devices, it is also a hotbed of sensitive data waiting to be exposed. The discarded computers and electronic devices found in Agbogbloshie come from developed nations around the globe including the United States. Originally pitched to the locals as a means to help with the digital divide, these electronic “donations” actually contain less than 50 percent working computers with the rest being simply electronic trash. The residents have learned to salvage the devices or their parts to turn a small profit, but the real threat comes from the organized crime in the area that scours the drives for personal or sensitive information to use in scams or blackmail.

Used hard drives being sold on Lamington Road in Mumbai, India

As part of an investigation into this digital dumping ground, journalism students from the University of Vancouver, British Columbia purchased seven hard drives at a cost of $35 from an Agbogbloshie e-waste dealer. What they found was shocking: credit card numbers, social security numbers, bank statements, as well as personal information and photos. They also retrieved a sensitive $22 million U.S. defense contract from a hard drive belonging to U.S. military contractor Northrop Grumman, which also contained sensitive contracts with NASA, the Transportation Security Administration (TSA), and Homeland Security. And all of this came from just seven hard drives.

In 2003, two Massachusetts Institute of Technology (MIT) graduate students published a study regarding their purchase of 158 hard drives from places such as eBay and small salvage companies. Of these, 49 contained sensitive information including PII, corporate financials, medical data, and over 5,000 credit card numbers. One of the students, Simson Garfinkel, is now the US Census Bureau’s Senior Computer Scientist for Confidentiality and Data Access and the Chair of the Bureau’s Disclosure Review Board. Prior to that, he was a computer scientist at the National Institute of Standards and Technology (NIST).

In yet another 2003 study, Tom Spring from PC World Magazine acquired ten used hard drives in the Boston, MA area from thrift stores and salvage yards. Nine of these ten drives contained sensitive data including social security numbers, credit card numbers, and banking statements, as well as tax, medical, and legal records. Using the information found on the drives, Spring contacted the original owners of the drives, some of whom had contracted electronics disposal or recycling companies to erase their hard drives.

In 2006, Idaho Power Company learned that 84 of the 230 hard drives they had contracted salvage vendor Grant Korth to sanitize and recycle had actually been sold to third parties on eBay. These drives contained sensitive information including proprietary company information, confidential correspondence, and employee data including social security numbers.

In 2009, Kessler International, a New York based computer forensic firm, purchased 100 drives from eBay over a period of six months. 40 of these drives were found to contain sensitive, confidential, and personally identifiable information as well as corporate financials, personal photos and emails, and even one company’s secret French fry recipe.

In 2014, the National Association for Information Destruction ANZ (NAID-ANZ) published a study regarding their purchase of 52 used hard drives from eBay and other third parties. The recovered drives came from law firms, accountants, medical facilities, educational institutions, and numerous individuals. Data recovered included medical records, social security numbers, tax and financial information, sensitive court case documents, personal photos and videos, bank statements, confidential client information, disability insurance applications including highly sensitive personal financial and medical information, profit and loss statements, employee HR files, company invoices, and spreadsheets including name, address, phone number, salary, DOB, and occupation. Of the drives with recoverable information, over 90 percent had deleted or formatted partitions, a clear indicator that the owner had made an attempt to sanitize the data prior to disposal.

We could go on and on.

When disposing of end-of-life data, many companies turn to data disposal or recycling vendors and assume that their drives — and the data they contain — are being handled responsibly and safely. The reality is far different. While there are certainly many reputable data sanitization companies, it is just too risky to entrust sensitive information to any third party, simply because of the unknown. In addition to sloppy or greedy third party IT asset disposition companies, there are a growing number of sham recyclers in operation – companies that offer to pick up and recycle PCs for free, then actually sell them to cyber criminals specifically so they can mine the data they contain for illicit activity.

Hard drive being destroyed in a SEM combo shredder

The only truly secure method of IT asset disposition is drive destruction. While it is tempting to make a few dollars per drive by sending to a recycler or attempting to wipe and resell, the potential cost of a data breach far outweighs any financial gain from reselling. The National Security Agency has long known this truth and requires rotational platter based hard drives to be both degaussed (erased) AND physically destroyed prior to disposal. Not only does drive destruction through crushing, shredding, or disintegration ensure data privacy and security, it also is environmentally responsible. Shredded hard drive scraps are more easily sorted for metals recycling, leaving a smaller quantity of true waste and less likely to end up in Agbogbloshie.

Masters of Destruction – Electronic Media Shredding

June 13, 2018 at 4:29 pm by SEM

Tuesday, November 28, 2006

Masters of Destruction

Westboro company specialist in sensitive data

By Martin Luttrell TELEGRAM & GAZETTE STAFF

For decades, the federal government and private businesses have used Security Engineered Machinery equipment to shred paper records, and more recently, computer drives, CDs and other electronic records.

And with sensitive information remaining on old computer hard drives, cell phones and BlackBerries, the Walkup Drive company is expanding into full-service data destruction for clients that want secure handling and destruction of their electronic devices.

Founded in Millbury in the late 1960s, SEM employs 44 and is the largest manufacturer of document- and electronic-disintegration equipment, with its shredding and disintegration machines in use by the Departments of Defense and Homeland Security, in State Department embassies around the world and by the U.S. Postal Service. More than 400 central banks worldwide use the company’s equipment for shredding old currency.

The federal government has been the biggest customer, but private industry is catching up as accidental releases of sensitive data make headlines.

SEM showed a reporter a room the company renovated from warehouse space that now houses machines for shredding computers and other electronic data storage devices. Computer hard drives, keyboards and towers moved up an inclined conveyer about 12 feet, where they were dropped into a hopper and ground into pieces an inch or two in size.

“The federal government is light years ahead of the private sector in security,” Mr. Dempsey said. “A lot of companies have paper shredders. But what happens to a CD or diskette? The government has been doing this for years.

“There is not a piece of equipment here that has not been cleared by the NSA (National Security Agency) for classified destruction,” he said. “Not all companies will spend $25,000 for a machine like this. That’s where this service comes into play. We have people that walk in with one hard drive, and we’ll destroy it and let them witness it.”

Clients who ship their items to SEM can even watch over a designated Web site as their computers or other items are destroyed; some 17 video cameras mounted in the ceiling, and more in the hoppers of the machines, beam images of the process.

“We send it premium freight so it can be tracked door to door,” he said. “Some clients put GPS (global positioning system) inside so they know where it is all the time.”

SEM puts bar codes on the hard drives slated for destruction so the customer can document the process, he said.

Inside a locked cage along one wall were several cases and military transport containers holding computer components slated for destruction.

“We look at ourselves as being in the security business,” Mr. Dempsey said. “We approach our shredding as a security division. We’re interested in hard drives, cell phones, DVDs, CD-ROMs and unconventional items,” including X-rays, he said.

Mr. Dempsey held pieces of a computer that had gone through a disintegrator, noting that they were a couple of inches in length. Some clients require that their magnetic data items be in smaller pieces, and those go into another machine, which tears them into pieces an eighth of an inch in diameter.

He pointed out that a piece of a CD that goes through an office shredder contains much more information than would be printed on a piece of office paper. Sophisticated equipment could be used to retrieve that information, along with data thought to be deleted from hard drives, cell phones and other electronic devices, he said.

In addition to tearing electronic data equipment into small pieces, SEM can also use a method known as degaussing, or erasing electronic data, before destroying it, he said.

“From a private-industry point of view, degaussing is all you need to do,” Mr. Dempsey said. “What we’re now seeing in Fortune 500 companies is that they’re defaulting to the federal government’s standards that are NSA-approved.”

He said that when companies consider the damage that could result from sensitive information being compromised, data security is increasingly in demand.

“We bring credibility to the table,” he said. “We’re in the security business. Quite a few of our employees have obtained clearances. They get a background check. We do DOD work. Anyone in this room would need a clearance,” he said, referring to those working in the company’s destruction service.

All employees are drug-screened and go through background and criminal checks, he said.

Mr. Dempsey would not talk about the private company’s finances, but said it made $20,000 from its destruction services two years ago and $300,000 this year. The demand is growing, he said.

“We’ve seen an explosion from companies with financial and health care” records. “With some of the information compromises that have been in the press, they’re adapting. We know how to deal with those issues. …Crisis management is not proactive. That happens after data has been compromised.”

He said the company spent 13 months renovating the area now used for destruction services. Now, he wants the operation to be deemed a secure facility so that it can take on the federal government as a client. That could take another year, he said.

“So far, we’ve been under the radar, doing this as a favor for our clients.”

Talking Trash

at 4:28 pm by SEM
MGMA Connexion, Mar 2004, by Leonard Rosen

Options for the storage and disposal of medical records

As health care organizations endeavor to comply with privacy and security standards mandated by the Health Insurance Portability and Accountability Act (HIPAA), there is growing interest in effective and efficient ways to manage protected medical records – and how to destroy them once they become obsolete.

Neither HIPAA’s privacy standards for paper documents nor its security standards for electronic records dictate specific means of compliance. However, the preamble to Section 164.530 does cite a few examples of appropriate safeguards, such as locking file cabinets that contain protected documents and shredding such documents prior to disposal. For electronic media, Section 164.310 (“Physical safeguards”) requires covered entities to address the “final disposition of electronic protected health information and/or the hardware or electronic media on which it is stored” and to implement procedures for “removal of electronic protected health information from electronic media before the media are made available for re-use.”

Each group’s appointed privacy official must decide which procedures and equipment will best prevent unauthorized, unnecessary and inadvertent disclosure of protected information. For storage, this means locked office doors and cabinets, computer firewalls and passwords, etc. For disposal, it means destroying records. No one should be able to dig trashed records out of the dumpster and misuse them. Discarded medical information often is still confidential.

Destruction equipment abounds

The market offers a variety of record destruction equipment. Paper shredders come in all sizes, speeds, horsepowers and capacities, but there are three basic choices:
  • Personal – Desk-side shredders, available on casters for portability, can shred roughly six to 20 sheets at a time. This is convenient for offices with relatively few documents to destroy.
  • Departmental – Larger facilities with more documents to dispose of may install shredders that can handle 20-50 sheets at a time.
  • Centralized – A heavy-duty shredder can handle up to 400 sheets at a time and destroy bound reports and thick stacks of paper.

Whatever shredder models your practice selects, you will need protocols for managing shredded waste. Some companies offer regular pickup, transporting the trash to landfills or recycling facilities. Also on the market are powerful disintegrators that use rotary-knife systems to reduce high volumes of books, binders, paper bundles and other bulk materials to tiny particles. Depending on the model, these machines even pulverize CDs, DVDs, floppy discs, microfilm, credit cards, ID badges, tape cassettes and circuit boards, slicing them into indecipherable fragments at the rate of up to two tons per hour. Other machines, designed specifically for optical media, can completely remove data-bearing surfaces from CDs and DVDs. Because they leave inner disc hubs intact, the hubs serve as proof of destruction, eliminating the need for detailed logs and witnesses where certification of destruction is required.

Old computers can tell tales

Security may become an issue when a practice donates old computers to a school or some other organization. Most people don’t know that when a digital file is “deleted,” the information actually remains on the computer’s hard drive or a formatted diskette, as do deleted e-mail messages and records of online activity. This information is recoverable with sophisticated tools. Disk-wiping software can prevent unauthorized recovery by overwriting entire drives/disks – or particular sections of them – before these magnetic media are discarded or reused. Overwritten areas should be unreadable, but look for a software brand that meets or exceeds the Department of Defense standard for permanent erasure of digital information. When you require absolute certainty in erasing magnetic media, certain degaussers remove all recorded information in a single pass, allowing hard drives, diskettes, audio and video tapes, and four- and eight-millimeter data cartridges to be reused many times with no interference from previous use. Hand-held degaussing wands erase both floppy and hard computer disks. For both electronic and paper records, the variety of equipment on the market today enables a medical practice to tailor record-disposal to its particular needs.
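As an added illustration (not from the article or from SEM), the toy block device below models what the paragraph describes: an ordinary delete only drops the directory entry, a raw scan of the disk still recovers the record, and only overwriting the freed blocks removes it. The class, block layout and sample record are all constructed for this example.

```python
import re

BLOCK = 16       # bytes per block in the toy disk (constructed layout)
N_BLOCKS = 32    # 512-byte toy disk


class ToyDisk:
    """Toy block device with a FAT-style allocation table. As on a real
    drive, deleting a file only drops its table entry; the data blocks
    keep their bytes until something overwrites them."""

    def __init__(self):
        self.data = bytearray(BLOCK * N_BLOCKS)
        self.table = {}                     # filename -> list of block indexes
        self.free = list(range(N_BLOCKS))

    def write_file(self, name, content):
        chunks = [content[i:i + BLOCK] for i in range(0, len(content), BLOCK)]
        blocks = [self.free.pop(0) for _ in chunks]   # lowest free blocks first
        for b, chunk in zip(blocks, chunks):
            self.data[b * BLOCK:b * BLOCK + len(chunk)] = chunk
        self.table[name] = blocks

    def delete(self, name):
        # Ordinary "delete": the directory entry goes, the bytes stay.
        self.free.extend(self.table.pop(name))

    def carve(self, pattern):
        """What a recovery tool does: ignore the table, scan the raw blocks."""
        return [m.group().decode() for m in re.finditer(pattern, bytes(self.data))]

    def sanitize_free_space(self, passes=3):
        """The disk-wiping step: overwrite every unallocated block. The fill
        patterns are constructed; real tools use their own patterns or random
        data, and wipe the whole drive rather than only the free space."""
        for p in range(passes):
            fill = bytes([(0x00, 0xFF, 0x55)[p % 3]]) * BLOCK
            for b in self.free:
                self.data[b * BLOCK:(b + 1) * BLOCK] = fill


def demo():
    """Returns (what carving finds after delete, what it finds after wiping)."""
    disk = ToyDisk()
    # Constructed sample record; not real patient data.
    record = b"PATIENT: Jane Roe  MRN: 0001234  DX: constructed sample"
    disk.write_file("roe.txt", record)
    disk.delete("roe.txt")
    leaked = disk.carve(rb"MRN: \d+")   # still there: ["MRN: 0001234"]
    disk.sanitize_free_space()
    after = disk.carve(rb"MRN: \d+")    # gone: []
    return leaked, after
```

The same carve-after-wipe check is how a practice can verify a sanitization tool actually did its job before a machine leaves the building.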

How to Ensure Information Security in Your Workplace

September 25, 2017 at 2:44 pm by SEM

When running any commercial business, department or government organization today, the last thing you want to hit your organization is a data breach. According to a recent study on the cost of data breaches in the past year, U.S. companies paid an average of $5.4 million to cope with the repercussions of data breaches. Don’t allow your organization to become a victim of a data breach. Here are 5 ways to ensure information security in your workplace:

1. MAKE DATA SECURITY A TOP CONCERN

Through simple, easy to follow security policies, you can train your employees on information security best practices. Additionally, you could appoint a safety committee to help keep security issues a focus.

2. KEEP PHYSICAL INFORMATION SECURE

Keep all physical information your company has secured by only allowing certain personnel to handle it. Give keys or passes to only those who need to have access to that information. Keep tabs on who has handled any sensitive documents and when.

3. CREATE A SECURE DOCUMENT MANAGEMENT POLICY

Keep track of all sensitive documents throughout their life cycle and dispose of them based on compliance regulations. Create a data security checklist and make sure all employees adhere to it.

4. DESTROY HARD DRIVES

The only way to be completely sure that your sensitive data will not fall into the wrong hands is to destroy data from hard drives permanently through hard drive sanitization (otherwise known as degaussing), destruction or in some cases both. Be aware that it is not just computers: many office electronics, such as copiers and multi-purpose machines, now contain hard drives that store data. If you lease office equipment, check with the vendor to make sure that they dispose of media containing data using secure, environmentally sound processes.

5. BRING IN A PROFESSIONAL

At SEM, your business’ information security and well-being is important to us. If your company is required to comply with certain privacy laws, or to meet even higher security compliance levels, you will want to minimize the considerable risk of a data breach. SEM addresses all of these information security concerns in two ways: through a destruction service that provides expertise and a certificate of destruction for the destruction and sanitization of every media type, or through equipment that lets you run your own secure destruction program and erase or destroy your organization’s data under your own roof.

At SEM, we help businesses and government organizations find real solutions for addressing real information security needs that will reduce their waste disposal costs and improve their environmental footprints, with shredding and recycling service programs that are convenient and secure.

For 50 years SEM has been the largest direct supplier of information destruction and sanitization equipment in the US – where our reputation speaks for itself.

For more information contact us at 800-225-9293.

Shredder Training is the Key to Maximizing the Performance and Life of your Destruction Equipment

July 11, 2017 at 1:59 pm by SEM

Shredders, disintegrators, briquettors, optical media destroyers, HDD/SSD shredders, HDD crushers and degaussers are critical components of your overall information security program. Keeping these systems in good working order is extremely important, and easy to do with proper user training.

Probably the biggest factor in the longevity of any equipment is proper training in its operation, daily maintenance and preventative maintenance. Depending on your equipment and site, there are programs that can train your people to operate, maintain and troubleshoot it, so that you avoid problems and keep the equipment up and running well.

Training can be done at your site with your equipment during a scheduled PM call, on a specific scheduled visit to your site, or at a training facility where factory service reps will go over all aspects of operation, daily maintenance and preventative maintenance, as well as tips and tricks to get the most out of your systems and avoid the pitfalls. At the beginning of the training there will be a Q & A to help identify the issues of greatest concern to the group. During the training all participants are encouraged to ask questions and will have the opportunity to get “hands on” so they thoroughly understand the material being taught. After the training and a final Q & A, each participant will be given a certificate of completion designating which equipment they were trained on. This is a great way for users to add value to their skill sets and company capabilities.

The training can be specialized to cover any and all the issues you may be having with your specific equipment, and discuss in detail how to fix and mitigate these in the future.

Some of the things your users will learn from attending training:

Changing knives, clearing and preventing jams, servicing dust filters, proper lubrication, testing belt tension, aligning conveyor belts, swapping out shredder heads (depending on equipment), among many others.

The goal is maximizing machine availability for the organization and imparting the skills to help users diagnose and recognize potential issues before they become bigger problems.

An investment in a proper training program will pay dividends in equipment uptime and save your organization money in the long run.

Click here for more information on SEM’s Preventative Maintenance and Service plans or call 800-225-9293.

If You Don’t Shred It, You Might Regret It!

December 10, 2013 at 3:45 pm by SEM

This kind of story has replayed thousands of times across our country, and many people are rightly concerned about their online security. However, many overlook securing their paperwork. Shredding is a simple but vital step to safeguarding sensitive paperwork before it ends up in a dumpster. Dumpster diving is still a major way that identity thieves get the information that can ruin your life! Simply make sure it is shredded properly with a cross-cut shredder, and shred anything that has a name or an address on it. No exceptions, not even junk mail!

The story below is a classic case of what happens when your discarded papers give an identity thief access. This particular story was reported by the local ABC News affiliate in Tampa, FL about a year ago.

With all the warnings these days to protect your identity when you’re online, John Champion never thought the old tried-and-true method of what police say was dumpster diving by a convicted identity thief could still cause so much trouble.

“There were 12 accounts opened in my name,” Champion recalls. It was a phone call from a detective at the St. Petersburg Police Department that tipped him off, but by that time, it was too late.

In the world of credit, Champion had a good name with an excellent credit score, until St. Petersburg Police say 49-year-old Brian Katacinski found Champion’s vital information in the trash and went to town.

They claim he not only wrecked Champion’s credit, but that of 12 other victims, by opening credit cards and bank accounts in their names. “My credit score went from 748 to 522 in five months’ time,” he says with a look of disbelief on his face.

St. Pete police say when Katacinski didn’t want to get his hands dirty, he cased home mailboxes in the city’s Old Northeast section, looking for outgoing mail stuffed with bills that he knew would be rich with checks and credit card numbers he could duplicate.

Police say Katacinski had plenty of practice. He was busted by federal postal inspectors in 2006 for the same thing. When they arrested him inside his St. Pete motel room this time, investigators say they found several credit cards and check-making materials. Then there were the multiple duplicate drivers’ licenses of his alleged victims.

“Unfortunately, our criminals have the ability to drive around all day and look for those particular signs. Whether your flag is up at a curbside mailbox or your letters are stacking up out of your mailbox,” says St. Pete Sgt. Kevin Smith.

Champion says he was able to recoup some of his lost credit. But all of this was a lesson for him. And he hopes for others. “Shred your paperwork. Don’t put anything out there that’s got your name on it,” he says. And detectives say when it comes to your bills, never put them in your outgoing mail. And better yet, pay them online.

A wide variety of SEM NSA rated paper shredders

Another victim that could have easily been prevented! John Champion would agree that a good offense is shredding your paper before anyone ever has the chance to see any of your personal data. It is far better than dealing with the ongoing effects of identity theft after it occurs.

Check out some of SEM’s cross-cut paper shredders now.

Remember: Shred It; So You Won’t Regret It!