Applying to College: What Happens to Your PII Once You’re Accepted?

April 27, 2021 at 1:50 pm by SEM

College applications. For a lot of people, just reading those two words can bring back a swarm of flashbacks of awkward college essays, endless SAT prep, and countless hours spent anxiously awaiting that giant envelope announcing your acceptance into your dream school. While this time can be exciting for many people, it’s also a time spent filling out application after application detailing all your personally identifiable information (PII). But what happens to those applications, and that information once you’ve been accepted?

Colleges and universities are bound by a federal law called “The Family Educational Rights and Privacy Act” (FERPA), which ensures that the information provided by and in relation to students is kept private. The law also states that if the information provided is no longer needed, it must be discarded in a manner that securely protects the information.

For context, FERPA is administered by the Family Compliance Office in the US Department of Education and applies to all educational agencies and institutions that receive funding under any program administered by the department. Private schools at the elementary and secondary levels generally do not receive funding and are therefore not subject to FERPA. Private post-secondary institutions, however, generally do receive funding and are therefore required to follow all FERPA guidelines and regulations.

While FERPA accounts for a variety of issues such as access to education records, amendments to and disclosure of records, it also makes provisions and guidance on the protection of the information. It is within this segment of the law that institutions are obligated to protect the privacy of the data and to effectively destroy or eliminate data that is no longer needed in a controlled and secure manner.

How is this data destroyed?

Personal data resides on many forms of media, including but not limited to paper, hard drives, data tapes, optical disks, and more. Paper documents can easily be destroyed by feeding the end-of-life documents into a paper shredder. Many institutions use in-house cross-cut paper shredders for this purpose while others may deploy an outside service to shred the paper. If an office or institution utilizes an outside service to destroy its paper documents, the documents are usually stored in a locked cabinet or receptacle that only the outside service has access to. While these documents are securely stored in the meantime, SEM will always recommend in-house data destruction to ensure secure destruction. By opting for a third party vendor to handle your end-of-life destruction, the number of safety risks can be immeasurable. It can be far too easy for an ITAD vendor to mishandle, misuse, or even lose drives and/or paper while they are in transit, being sorted by staff, or in the actual acts of destruction and disposal. (Some third party vendors have even been known to sell the data they are given to online third parties!)

Unfortunately, many college applications are now submitted virtually through applications like CommonApp and through institutions’ online portals. This means that the destruction of their electronic media is a bit more challenging. Again, there are outside services that perform this function, but they do not come without their own set of consequences. For hard drives, it is best practice to degauss any end-of-life drive prior to destruction. SEM degaussers use powerful magnetic fields to sanitize the magnetic storage media which renders the drive completely inoperable. This can in turn potentially save an institution more time and money in the long run by preventing a breach of any kind and ensuring their applicants’ PII stays safe.

At SEM, we specialize in providing secure and effective in-house solutions to numerous educational facilities around the country. We have an array of various high-quality NSA listed/CUI and unclassified magnetic media degaussers, IT crushers, and enterprise IT shredders to meet any regulation. Any one of our exceptional sales team members is more than happy to help answer any questions you may have and help determine which machine will best meet your institution’s destruction needs.

How to Destroy Tipping Foil, RFID and EMV Chips, and Magnetic Stripes in Credit Cards

June 16, 2020 at 10:00 am by Flora Knolton

Tipping foil is used to enhance and secure financial institutions’ cards. The metallic ribbon is fixed on the card’s embossed characters, helping to bring out the embossed characters even more. This results in clearer alphanumeric characters that are easier to read. This ribbon also improves bank card durability, as it’s designed to resist daily wear and tear and to maintain plastic card quality over the years. They are like the “makeup” for the face of the card. Tipping foil is essentially stamped onto the raised lettering during the in-line vertical personalization process. What is important to remember is that the embossed, foiled letters are now reversed on the sheet of foil they were stamped from, much like a typewriter ribbon. The physical impression left behind on the foil is why it is so critical that tipping foil needs to be destroyed prior to throwing away.

However, this method of creating credit/debit cards is currently being phased out. Many years ago, numbers had to be raised and embossed on the front of the card so when it was run through a card reader, an imprinted image of those numbers would appear on a slip of paper for the customers to sign. But traditional magnetic stripes are well on their way out as “microchip” card readers are becoming the new way to pay. Magnetic stripes on cards contain all of the cardholder information needed to make a purchase or duplicate the card. As technology advances, so do the world’s best hackers, and it is becoming significantly easier for people to steal data from the magnetic stripe.

The EMV® (Europay, Mastercard, and Visa, after the three credit card networks that originally developed the protocol) credit and debit cards equipped with computer chips are now the global standard used to authenticate transactions. The data stored in a magnetic stripe is stagnant — it is how it is, and always stays the same. On the contrary, the chip in the card generates a unique code for each transaction and is only used once. If a thief were to copy the chip’s information to validate during a transaction, they wouldn’t be able to. No two transaction codes are ever repeated, so each code becomes useless following the completion of the transaction it represents.
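A simplified model of the static-stripe versus per-transaction-code behavior described above, added here as an illustration and not taken from the original post or from the EMV specifications. HMAC-SHA256 stands in for the real cryptogram algorithm, and the key, card data, and class names are constructed assumptions.

```python
import hashlib
import hmac

# Constructed sample values; not real card data.
STATIC_TRACK = "4000000000000002=2512"   # what a magnetic stripe returns on every swipe
CARD_KEY = b"constructed-demo-card-key"  # assumed secret shared by chip and issuer


def _code(key, atc, amount_cents, nonce):
    """Per-transaction code over counter, amount and terminal nonce (HMAC stand-in)."""
    msg = f"{atc}|{amount_cents}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


class ChipCard:
    """Toy chip: keeps a transaction counter that increases on every use."""

    def __init__(self, key):
        self._key = key
        self._atc = 0

    def authorize(self, amount_cents, terminal_nonce):
        self._atc += 1
        return {
            "atc": self._atc,
            "amount": amount_cents,
            "nonce": terminal_nonce,
            "code": _code(self._key, self._atc, amount_cents, terminal_nonce),
        }


class Issuer:
    """Toy issuer: accepts a chip transaction only if its counter is new and its code checks out."""

    def __init__(self, key, track):
        self._key = key
        self._track = track
        self._last_atc = 0

    def verify_stripe(self, track):
        # Static data: a copied stripe is indistinguishable from the original.
        return hmac.compare_digest(track, self._track)

    def verify_chip(self, txn):
        if txn["atc"] <= self._last_atc:
            return "rejected: counter already used"
        expected = _code(self._key, txn["atc"], txn["amount"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["code"]):
            return "rejected: bad code"
        self._last_atc = txn["atc"]
        return "approved"


def demo():
    card = ChipCard(CARD_KEY)
    issuer = Issuer(CARD_KEY, STATIC_TRACK)
    results = {}

    # Stripe: the same bytes validate every time they are presented.
    results["stripe_first"] = issuer.verify_stripe(STATIC_TRACK)
    results["stripe_copy"] = issuer.verify_stripe(STATIC_TRACK)

    # Chip: the first presentation is approved, a recorded copy is not.
    txn = card.authorize(1999, "n-001")
    results["chip_first"] = issuer.verify_chip(txn)
    results["chip_copy"] = issuer.verify_chip(dict(txn))

    # A fresh code is bound to its amount; changing the amount invalidates it.
    txn2 = card.authorize(500, "n-002")
    results["codes_differ"] = txn["code"] != txn2["code"]
    results["chip_altered"] = issuer.verify_chip(dict(txn2, amount=50000))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```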

The difference between contactless (RFID) transactions and chip transactions is the method by which the data is transferred. Radio frequency-enabled cards require the card to be within a short proximity of the payment terminal, rather than inserting the card into a chip reader. EMV chip cards and contactless cards are both more secure than the magnetic stripe. However, cards equipped with chips are by no means immune to fraud. NFC (Near Field Communication) skimming is one way information can still be stolen from EMV-enabled cards. Near field communication skimmers utilize a wireless technology that allows data to transfer from a mobile device to a card reader within a short distance.

Consumers and organizations alike must properly shred their expired or useless cards that contain PII, whether that be in the form of an EMV chip or residual printed tipping foil that still holds information. Luckily, companies like SEM offer a host of devices specifically designed to ensure everyone has the opportunity to securely take control of their personal data and destroy it once and for all.

The Model DS-400 is one of our top multipurpose turnkey disintegrators. This powerhouse high security model was evaluated by the NSA, listed on the NSA/CSS EPL, and specifically designed to destroy metal cards and license plates. This device can also securely destroy classified paper and CDs as well as other unclassified media stored on smaller forms of e-media such as flash and thumb drives, solid state drives (SSDs), and SIM chips.

The Model 0205NANO is just one part of a revolutionary SSD destroyer duo. The NANO is a mobile crushing solution that was solely designed for the destruction of the world’s smallest forms of solid state media. From Compact Flash Type 1 drives to SOIC-8 and SD cards to PLCC-32 drives, the 0205NANO crushes the SSD beyond recovery with its specially crafted and designed internal rotors.

The second solution in the 0205 SSD disintegrator duo is the Model 0205MICRO. Like the NANO, the MICRO was specifically designed to destroy a wide variety of other SSD media such as cell phones, PC boards, IronKeys, small tablets, and more.

The key to understanding how to destroy something properly is by first having an understanding of how said technology works. A number of our disintegrators would also do the job for destroying tipping foil, EMV chips, SSDs, and various media, at a number of different volumes. We also have devices that can easily destroy tough metal credit cards.

Classified or unclassified, there’s a way to destroy it. Leaving data in a stockpiled room “unsure of what to do” with it is not excusable, and yet many still haven’t educated themselves further to see how their negligence is putting their lives and companies at risk. Mitigate those risks today and be smart when handling personally identifiable information (PII) with Security Engineered Machinery. We’re always eager to help answer questions and can assure you we will help you meet your destruction requirements.

The Effects of Compromised Personally Identifiable Information

November 12, 2019 at 2:42 pm by Paul Falcone

Today more than ever, data security is a hot-button topic, with serious data theft and data breaches seemingly occurring on a daily basis. Since storing sensitive personally identifiable information (PII) is now the norm for virtually all businesses, it is incumbent on those businesses to consistently ensure the integrity of that information.

Around the world, consumers are justifiably growing more concerned about data privacy. The European Union and countries such as Canada and the United States work to protect their individual and corporate citizens by enacting and enforcing regulations that restrict the use and flow of PII, as well as mandate how PII is stored, disseminated, and destroyed.

Although organizations subject to PII regulations incur steep fines for noncompliance, the consequences can be significantly more severe for the individuals whose PII is breached. For example, compromised data can be exposed to manipulation and illegal transactions that ultimately lead to wholesale identity theft. In 2017 alone, identity thieves pilfered $16.8 billion from 6.64% of U.S. consumers, or approximately one of every fifteen people.

Within an organization, it is critical that your data storage and data end-of-life destruction processes are invariably sound and thorough and executed error-free. As the following real-life examples demonstrate, any instances of irresponsibility or lapses in oversight—such as discarding paper without proper shredding or disposing of still-readable hard drives—can have dire consequences, particularly to individuals’ livelihoods and reputations.

2017: Medical Records in Public Trash Bins in Hawaii

An anonymous resident of Palolo, Honolulu, found a stack of approximately 50 residents’ personal and medical information while using a public-access trash bin. Evidently, a local therapy center discarded the paperwork without taking the necessary security measures. The documents contained a “fraudster’s treasure trove,” including complete social security numbers, pictures of driver’s licenses and extensive medical information. Thankfully, the documents fell into the right hands; otherwise, lives could well have been ruined.

2019: Used Electronic Storage Devices Contained PII

Companies relying on a data removal plan rather than a data end-of-life destruction plan should reconsider their strategy. A recent study conducted by Blancco analyzed 159 used storage drives purchased from eBay. The data removal company discovered that an astounding 42% of the drives (66) still contained data. More disturbingly, more than fifteen percent of the drives (25) still contained PII. Furthermore, one of those drives came from a software developer that had been granted government security clearance.

In another recent study, a Rapid7 researcher procured 85 discarded hardware components from businesses, including old computers, flash drives, phones, and hard drives. Of the 85 devices, only two had been properly wiped and only three were encrypted. In total, the researcher collected 611 email addresses, 50 birth dates, 41 social security numbers, 19 credit card numbers, six driver’s license numbers, and two passport numbers.

2010: Australians Have Identities Stolen by Hit Squad

Imagine being six-months pregnant, living in Israel, and yet somehow being wanted for murder in Australia. In fact, it’s a real-life nightmare for a former Melbourne resident. In 2010, she was one of three Australian citizens living in Israel who had their identities stolen and used by members of the Mossad hit squad while carrying out an assassination. In each case, the three individuals’ PII was swiped and used to forge passports in their names with the perpetrators’ photos. It has never been definitively determined how their PII was compromised.

2016: Albuquerque Man Arrested for Fraud—When He Himself Was the Victim

In 2016, a dispatcher for the Kirtland Air Force Base Fire Department and military veteran with a security clearance and no prior arrests was pulled over, detained, and booked in Las Vegas, New Mexico, on an outstanding fraud and forgery warrant. Subsequently, it was determined that a younger man had obtained the individual’s personal information in the fall of 2015. This younger man used the stolen ID to cash a check and was seen on camera. Despite marked differences in the two men’s physical appearances, the Albuquerque Police still issued a warrant for the dispatcher, resulting in a highly traumatic experience (which, by the way, led him to file a suit against local law enforcement).

2019: Woman Arrested After Identity Thief Steals Car Using Her Name

A 25-year-old Indiana woman was recently arrested and booked on charges of auto theft when an impersonator used her driver’s license to test drive and steal multiple vehicles. The woman did not know she was being investigated until she was detained two weeks after an incident. While she believes the identity theft was likely the result of a stolen purse, the exact circumstances are unknown since no arrests have been made.

Although it’s often impossible to know whether compromised data is the result of inadequate end-of-life procedures, faulty storage protocols, illicit cyber activity, or everyday petty theft, an overriding theme emerges from the above examples: given the extreme sensitivity of PII—and the dire consequences for individuals when PII is compromised—it is the legal and ethical responsibility of all businesses possessing PII to protect it. The onus is on them to ensure all reasonable measures and precautions are taken to ensure its absolute security and integrity, and, ultimately, its utter, irreversible destruction at end-of-life.

Companies like SEM provide state-of-the-art data end-of-life solutions that ensure PII is destroyed to the point of non-recovery, thereby mitigating the attendant risks of data theft and compromises for both individual and corporate citizens alike.

Personally Identifiable Information (PII): What It Is and Why It Must Be Destroyed

July 9, 2019 at 5:30 pm by Paul Falcone

We’ve all heard of ‘Personally Identifiable Information’ (PII)—those pieces of information about ourselves that are unique to us, and therefore make us identifiable and distinguishable from others. Well-known PII includes data such as full name, social security number, driver’s license number, passport information, medical records, and financial account numbers.

Yet, there are other types of PII that we, as individuals and consumers, put out there about ourselves which we do not consider to be personally identifying. These pieces of information include email addresses and social media usernames, phone numbers, mailing addresses, and even religion. Then there are quasi-identifiers that are also available in public sources, like your race, zip code, gender and birth date, that when used with other relevant data can easily identify you, too.

Moreover, we often underestimate the power of some of our PII when, in fact, this information provides access to many facets of everyday life including our ability to drive, receive health care, and make large purchases (like buying a home).

Sensitive & Non-Sensitive PII: The Difference

Personally identifiable information falls within one of two groups: sensitive and non-sensitive. While many experts tout that sensitive data is what should be protected and encrypted, non-sensitive data is just as important to safeguard against unauthorized access and theft.

The following, although by no means exhaustive, are lists of most of these types of data:

Sensitive PII:

• Full name
• Social Security Number (SSN)
• Driver’s license
• Passport information
• Passwords and PIN numbers
• Biometric information (e.g. fingerprints, iris and retina scan, DNA, facial recognition)
• Medical records (e.g. PHI, all data under HIPAA regulations)
• Financial information (e.g. bank accounts and loans, credit and debit card numbers)
• Employee personnel records and tax information (includes Employer Identification Number)
• Digital/Electronic account information (e.g. email addresses, internet account numbers, digital account passwords)
• School identification numbers and records
• Private phone numbers (especially cell phone numbers)
• Mailing and/or home address

Non-Sensitive PII:

• Zip code
• Race
• Gender
• Date of birth
• Place of birth
• Religion
• Ethnicity
• Sexual orientation
• IP addresses
• Cookies stored on a web browser
• Outside-of-home addresses (e.g. workplace)
• Business phone numbers and public personal phone numbers
• Employment-related information (e.g. job title and status)

The Pervasiveness of PII

Too many individuals overlook the sensitivity of their personal information, or don’t realize how they are interconnected and how easily they can be pieced together to form a unique identity. What’s more, people often use unprotected means to share their personal information with family and friends, such as through text and SMS message, email, social media, and other messenger apps.

Many people even allow their personal, sensitive data to be saved on their computers and other electronic devices and drives so as to provide convenience when accessing digital accounts and places where information is stored. A survey conducted by Experian reported that the average person stores three to four pieces of sensitive information online, and 25% of Americans share credit card and PIN numbers with family and friends.

The Importance of Proper Data and Drive Destruction

PII holds immense value to identity thieves who want to use your information for their personal gain. Criminals (including cybercriminals) therefore also find value in stealing this information, either for financial gain through sale to an identity thief or for ransom payment directly from the victim. This is why it is imperative that you not only make sure all of your sensitive data and PII is secure and protected, but that the data is rendered unreadable and unable to be reconstructed from the drive, device, or material that it’s stored on when it’s no longer needed. Moreover, this end-of-life destruction needs to extend to the drive, device, and/or material on which the data is stored.

Landfills and trash and recycling centers are easy targets for someone to rummage through and find a device or material that potentially contains PII and that can be restored. For instance, it’s not enough to clear data from a laptop hard drive. To ensure the total destruction of sensitive data to the point that it cannot be reconstructed, both data and device must be destroyed: by overwriting the data with non-sensitive information using software or hardware to clear it, and by degaussing the media and rendering the magnetic field permanently unusable or destroying the media by shredding, melting, pulverization, disintegration, or incineration.
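The gap between removing data and overwriting it, and the verification read a sanitization procedure would run before a drive leaves custody, shown as an added example that is not from the original post. The "drive" is a constructed in-memory image with made-up records, and the function names and patterns are assumptions for illustration.

```python
import re

SECTOR = 512

# Simple patterns for the kinds of PII named in this article (illustrative, not exhaustive).
PII_PATTERNS = {
    "email": re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "ssn": re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),
}


def build_image():
    """Constructed 8-sector 'drive': sector 0 is a file table, sectors 2 and 5 hold records."""
    img = bytearray(SECTOR * 8)
    table = b"TABLE:applicant1@2,applicant2@5;"
    img[0:len(table)] = table
    rec1 = b"name=Jane Sample;email=jane.sample@example.edu;ssn=000-12-3456"
    rec2 = b"name=John Sample;email=john.sample@example.edu;ssn=000-65-4321"
    img[SECTOR * 2:SECTOR * 2 + len(rec1)] = rec1
    img[SECTOR * 5:SECTOR * 5 + len(rec2)] = rec2
    return img


def quick_delete(img):
    """Model of 'removing' files: only the table that points at the data is wiped."""
    img[0:SECTOR] = bytes(SECTOR)


def overwrite_all(img, pattern=0x00):
    """Model of a clear operation: every addressable sector is overwritten."""
    img[:] = bytes([pattern]) * len(img)


def verify(img, pattern=0x00):
    """Read back the whole image; report sectors not matching the pattern and PII hits."""
    blank = bytes([pattern]) * SECTOR
    dirty = [
        i for i in range(len(img) // SECTOR)
        if img[i * SECTOR:(i + 1) * SECTOR] != blank
    ]
    hits = {name: len(rx.findall(bytes(img))) for name, rx in PII_PATTERNS.items()}
    return {
        "dirty_sectors": dirty,
        "pii_hits": hits,
        "clean": not dirty and not any(hits.values()),
    }


def demo():
    img = build_image()
    before = verify(img)
    quick_delete(img)
    after_delete = verify(img)      # table gone, records still readable
    overwrite_all(img)
    after_overwrite = verify(img)   # nothing left to read back
    return before, after_delete, after_overwrite


if __name__ == "__main__":
    for label, report in zip(("before", "after delete", "after overwrite"), demo()):
        print(label, report)
```

A passing read-back only covers sectors the host can address, which is one reason the article pairs overwriting with degaussing or physical destruction.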

Is Your Data Disposal Plan GDPR-Ready?

November 21, 2018 at 3:29 pm by Heidi White

With GDPR just around the corner, data security has been enjoying some much-needed time in the limelight. Never before has there been such a hyper-focus on the protection of sensitive data, particularly confidential and personally identifiable information (PII) such as healthcare records, personal data, financial information, and legal records. While data privacy conversations have more traditionally revolved around identity theft issues, the new GDPR regulation prioritizes the fiduciary responsibility of all sensitive and personal information.

Savvy organizations began planning and implementing their GDPR compliance programs months ago. Because of the numerous ways in which GDPR mandates data privacy across all storage media and within all facets of an organization, a comprehensive compliance program requires a well-researched, detailed approach with multi-departmental buy-in and execution.

For example, a healthcare provider possessing sensitive patient data in the form of medical records is obvious. What would not be so obvious would be the numerous other places where a patient’s PII may reside. The scheduling department keeps PII such as address and birthdate, the billing department has financial and insurance information, while the marketing department may possess email and browsing data for patient communications. And let’s not forget the backup servers. Personal data is literally everywhere.

Safeguarding sensitive data throughout an organization is critical, and many organizations are well aware of the need for firewalls, passwords, physical security measures, encryption, and employee training. What may be more of a need and challenge for some organizations is GDPR’s Article 17 Right to Erasure, also known as the “right to be forgotten.” While it is not an absolute, the basic premise of Article 17 is that an individual’s request to have his data removed must be honored within 30 days. In some instances, the request is not realistic. For example, banks must retain records for a minimum of seven years, so deleting the data would be in direct conflict to an existing legal mandate. However, Article 17 states that individuals have the right to have their personal data erased without undue delay if the data is no longer necessary for the purpose for which it was originally processed or collected, and this applies in a large number of cases with consumer transactions.

Consumer transactions typically include the storage of personal information such as address, phone, and payment information. While large organizations may have their own servers and storage solutions and are therefore more easily able to purge a consumer’s data from their system, the thousands of smaller organizations typically rely on outside vendors and cloud storage providers to manage their data. Data stored in the cloud is actually housed in data centers, where data is duplicated across multiple drives in an effort to create redundancies that help to mitigate data loss when drives fail — and drives DO fail on a very regular basis. After all, these drives are running 24 hours a day, seven days a week, year-round, so their life expectancy is understandably rather short. When a drive fails, the data it contains is still for the most part intact. Therefore, a comprehensive data disposition program should always include drive destruction so that personal data is not compromised at end-of-life. But end-of-life is only part of the problem. Smaller organizations and others who outsource their data storage must confirm with their providers that their data removal policy is GDPR compliant and must include policies and procedures for the Right to Erasure in their GDPR programs.

GDPR is a broad and encompassing regulation that is actually long overdue. While implementing a GDPR program is proving to be more challenging than organizations may have originally thought, particularly with regard to Article 17 and the Right to Erasure, the safeguarding of data and the diligent focus on data privacy have been positive results of GDPR. In a time where data breaches and identity theft are increasing exponentially, the implementation of a means by which to protect our privacy and security is most welcome.

10 Cybersecurity Tips for Small Businesses

November 15, 2018 at 4:02 pm by Heidi White

Information Security — The protection of information and information systems from unauthorized access, use, disclosure, disruption, modification, or destruction in order to provide confidentiality, integrity, and availability.

Cybersecurity — The ability to protect or defend the use of cyberspace from cyber attacks. —”Glossary of Key Information Security Terms”, NIST IR 7298

In today’s digital world, threats to cybersecurity are everywhere. Data breaches are rampant and indiscriminate, affecting businesses of all sizes from small mom and pop shops to massive organizations like Target and Massachusetts General Hospital. Cybercrime is one of the fastest growing illicit activities today, and businesses are now wondering not if they will be a victim of cybercrime, but when. With key preventive measures including employee education, established policies, and implemented best practices, proactive companies can avoid becoming yet another statistic in the world of cybercrime. As longstanding experts in sensitive data security, SEM is pleased to share these 10 cybersecurity tips for small business.

1. Educate Employees

The fact that human error is by far the biggest contributor to data breaches cannot be overstated. Educating employees on safe email usage, avoiding phishing scams, ensuring safe social media practices, and safeguarding personal information is critical to the success of any cybersecurity policy. Ensure that employees are using password best practices including updating passwords every 90 days, at a minimum. Also, educate employees on the importance of secure socket layer protocol and to never submit company or personally identifiable information (PII) over an unsecured network.

2. Implement a Device Policy

As business becomes more mobile, so do the possibilities of data theft. If employees’ devices such as phones or laptops have access to confidential company data, require that employees encrypt data, password protect their devices, and understand reporting procedures in the event of a data breach. Employees who work from home should be required to protect their home network behind a firewall.

3. Always Update

Antivirus protection, operating systems, system software, and company firewalls only work to protect against breaches when they are kept up to date. As security threats constantly evolve, so do software patches and updates. Install updates as soon as they are released and implement a clear software update policy.

4. Establish IT Best Practices

Standardize a backup plan for all data on the network, including HR files, payroll information, spreadsheets, documents, and all other critical information. Only allow IT staff and key personnel to install software or have administrative rights to company devices. In addition, credentials should be required for access to any company device, and all employees should be given their own unique user names and strong passwords. Encrypt and hide the company’s WiFi network to avoid outsider access.

5. Identify Threats, Vulnerabilities, Likelihood, and Risks

Threats come in the form of cyber or physical attacks, human error, accidents (natural or manmade), or resource failure (software, hardware, etc.), while vulnerabilities are the causes of these threats and include items such as outdated software and hardware, untrained staff, and minimal policy enforcement. Likelihood combines the threat with the vulnerability and assigns a rating. For example, the threat of being exposed through a phishing scam combined with inadequately trained staff equates to a high likelihood rating. Once threats, vulnerabilities, and likelihood are explored, a risk assessment can be formulated along with resulting consequence. At that point, the decision to accept or mitigate the risk can be made. Acceptance of the risk should only be considered if the consequences or the likelihood are low.

6. Establish a Data Breach Response Plan

Just as an Emergency Response Plan (ERP) is critical to minimizing loss of life during a natural disaster, so a Data Breach Response Plan is critical to mitigating data loss and resulting expense in the event of a data breach. An effective Data Breach Response Plan should include items such as the following:

  • Documentation of events prior to and immediately following the discovery of a data breach
  • Transparent and immediate communication to all employees including how they should respond to external inquiries and the press
  • Activation of a designated response team, in particular legal counsel, to determine if regulatory agencies or law enforcement should be notified
  • Identification of what caused the breach as well as implementation of a plan of action to fix it
  • Plan of action based on legal counsel with regard to compliance regulations and other mandates affecting messaging, notification, and possible compensation to breach victims
  • Messaging and schedule for notification of those with compromised data

As with an ERP, a Data Breach Response Plan must be continually updated — annually at a minimum.

7. Communicate ROI

Many companies discount the implementation of a sound cybersecurity policy due to costs that are not easily justified. While the fact remains that no tangible Return on Investment (ROI) for a cybersecurity policy exists, the potential cost of NOT implementing one could be catastrophic. According to the 2017 Cost of Data Breach Study, the cost per record for a data breach was $255, with the average total cost of a data breach being $3.62 million. A cybersecurity policy, and the associated costs, are critical to the protection of a company’s data — and resources.

8. Talk to a Professional

Businesses who do not have dedicated IT professionals on staff or whose IT staff is not fully trained in cybersecurity should consider hiring an outside consultant to implement their cybersecurity policy. As previously stated, ROI for such a hire is not readily apparent. However, one breach can spell disaster — including business closure — for some smaller companies. The cost of hiring a professional to set up an effective data security policy far outweighs the potential risk and subsequent cost of not doing so.

9. Establish an Information End-of-Life Policy

SEM devices meet all compliance regulations and shred hard drives to client specifications.

Often overlooked, information end-of-life policies are critical to a successful cybersecurity plan. The most comprehensive cybersecurity policy still presents high risk if retired or failed data storage devices are improperly disposed of or discarded. Security-minded organizations must identify the confidentiality of the information, the media on which it is stored, and any required regulatory compliance measures. All PII should be considered confidential information that needs to be sanitized prior to disposal. Several methodologies of data disposal exist, from erasure to degaussing to shredding to disintegration, and the best solution is typically identified through a consultation with a data disposition expert.

10. Explore Cyber Insurance

Cyber insurance is not for everyone, but it makes sense to have the conversation with an insurance broker — but only AFTER a security program is already in place! Rates and qualifications have not been standardized and are solely based on overall business security health and ensuing risk.