Playing it safe

Let’s say you’re buying a car. The salesperson photocopies your registration, but it comes out on the wrong size paper. He tosses that copy into a blue bin and photocopies your registration again. What do you do?

June 20, 2011
by Deanna Rosolen


Let’s say you’re buying a car. The salesperson photocopies your registration, but it comes out on the wrong size paper. He tosses that copy into a blue bin and photocopies your registration again. What do you do?

Michael Collins, regional vice-president of sales for Oakville, Ontario-based Shred-It International Canada, bought a car recently and after the salesperson tossed that copy of his registration (which included his personal information), Collins retrieved it.

“Something like that should be put in a locked container until it can be properly disposed of, not placed in a blue bin on the sales floor,” says Collins.

While perhaps no one would have found Collins’s information, it’s still a security risk many large corporations and small- to medium-size enterprises (SMEs) dismiss.

“The individuals who own a shop and provide a service or product and employ three to 10 employees-—they often don’t appreciate the risks associated with exposure of information that they should, in fact, have control of within their respective businesses.”

While large corporations could likely absorb the costs of fraud, those costs could put an SME out of business. And any company would face damaged consumer confidence, reputations and lost sales.

The best advice, says Collins, is for companies to engage in introspection. Do they have procedures for properly securing and destroying sensitive data? Are staff aware of them? If management is aware of a security gap, what is the best way to close that gap? When organizations are not sure, Collins says they should adopt a “shred-all” policy.

“Don’t leave the decision to an employee as to whether or not that document is a sensitive piece of information,” he says. “Assume that every document is a risk if it’s exposed to the wrong person.”

Third-party organizations can manage sensitive document disposal from “cradle to grave,” says Collins. They can also outline organizations’ obligations.

Canadian businesses are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA). The act covers the collection, use and disclosure of personal information for commercial activities. Quebec, British Columbia and Alberta have their own private sector privacy legislation. But even in those provinces, PIPEDA applies to federally regulated sectors, such as banks, telecommunications and transportation.

Secure destruction
For computer hard drives, secure destruction is fairly easy. Walter MacMillan, business development executive for Eban software with Barrie, Ontario-based GEEP Enterprise Data Security, says organizations should buy DOD Nist 800-88 Compliant Data Erasure software, which produces a certificate of destruction (COD).

“Organizations that do this will know the data on their hard drives has been wiped,” says MacMillan. “That’s the only way that you can be assured that it’s been done properly because that DOD software is the go-to standard.”

MacMillan says often organizations don’t know they need a COD to ensure hard drives have been wiped. Once they know their responsibilities, organizations should establish a policy to make clear how to handle IT equipment that’s reached its end of life.

Do it right
There are still organizations not disposing of IT equipment or e-waste properly, or not researching and hiring reputable firms to dispose of it for them. In a white paper, Blancco, a Finland-based data destruction and computer reuse management firm, says one US firm had to track down several hard drives because they hadn’t been wiped of data. The drives were sold to a contractor who had recycled some, sold some to other parties and auctioned the rest.

It’s not difficult to retrieve hard-drive information, and even moderately equipped IT professionals can do it. So could a tech-savvy high school student.

“Identity theft and corporate data theft is big business,” says MacMillan. “Criminal identity theft consortiums make it their business to have the skill set and the tools to get at the data.”

Companies like GEEP can securely pick up e-waste, wipe it clean of data and recycle the materials. If the equipment is still usable, once they’re wiped clean these companies can sell them and share the revenue with clients.

For sensitive documents and hard drives, organizations should discard some lingering myths. The biggest one is they won’t be targets or their methods are foolproof.

MacMillan says, “people think, ‘who can get my data?’ They can get it”. b2b