Archive for the ‘Records Retention’ Category

This article was originally published in the May 2007 edition of The Agent Newsline, a publication of Westfield Insurance.

What you need to consider from Information Security

How is your Records Retention program? Do you have one? Are you following it? In December 2006, the U.S. Supreme Court released new rules regarding the finding and turning over of electronic documents in response to a subpoena or other court request. Among other requirements, the new rules make it clear that every company must have a records retention/destruction policy that is strictly followed.

With that in mind, your document retention/destruction policy must find the balance between potential future benefits of a document and potential future costs of holding that document.

Think through the total costs of holding a document.

Documents are accumulating at an incredible rate. Who will wade through the archives to find the relevant document? Who will remove all protected or irrelevant hits from your search, and how much will you have to pay that person? (If it is a lawyer in response to a subpoena request, the answer is "a lot.") Even if you do find the document, will you be able to open it? What operating system did it run on? What hardware did it require? What will you do about the inevitable files that go corrupt? What storage medium will you use? These are just some of the questions you must consider.

Unless you have a carefully architected solution for document storage and categorization, your costs for electronic storage can skyrocket over time. If you have a copy of the document, the court can order you to produce it, forcing you to spend money to convert it into a format that they want and can read. Good companies have been forced to spend several millions of dollars recovering old versions and restoring old systems just to get through the discovery phase of a suit.

Then there are the legal liabilities of holding onto documents longer than is necessary. We all write things occasionally that we regret. Courts have said repeatedly that as long as you still have a copy of that message, it must be turned over. However, if you destroyed it in the normal course of business and in accordance with your own policy, the courts do not normally require you to go to extraordinary measures to undelete and recreate the document.

Remember that you also need the ability to centrally suspend the destruction cycle when you receive (or reasonably believe that you will receive) a court-ordered litigation hold. Courts have been unforgiving to companies that fail to suspend their destruction programs. Have a policy and follow it strictly.

The drugstore chain CVS is being sued by the Texas Attorney General for failure to properly dispose of customer records including credit card and debit card numbers, driver’s license numbers and medical prescription forms with name, address, date of birth, issuing physician and the types of medication. According to news reports, the store was being closed when over 1,000 papers with confidential information were found in the dumpster behind the store. (1,000 records would be 2 reams or about 10 pounds of paper and could easily have come from a single office-sized trash can.)

Dumpster-diving for sellable information is an increasingly common problem. Last year, a local Westfield Office Manager drove into his office’s parking lot early one morning and surprised a man and a woman fishing papers out of the building’s dumpster. Before he could even get parked, they jumped into their pickup truck and sped away. (Because the members of the office follow Westfield’s "shred everything" policy, none of our customer information was compromised but we did notify the other tenants of the building.)

Failure to properly destroy confidential information is a violation of the Federal Trade Commission’s regulation on disposal. In addition, it is a violation of several Texas laws and carries potential penalties of $50,000 per violation and/or $500 per abandoned record. This one incident could cost CVS’s parent company over $500,000 in regulatory fines alone. The company is also reported to be under investigation by the US Office for Civil Rights and the Illinois AG for similar failures in other states.

In addition to the legal penalties, CVS is expected to suffer in the marketplace. According to a recent study by Javelin Strategy & Research, 77% of consumers said that they would stop shopping at stores that suffer data breaches. While it’s unclear how many customers will realistically carry through with that threat, independent research estimates that a security breach costs $200-300 per lost record when you include the costs of disclosure, increased call center costs, lost employee productivity, legal fees and the loss of investor and customer confidence.

While the law requires only that confidential documents be properly destroyed, I strongly recommend a policy that all papers must be shredded when they are no longer needed – that no office paper may go into the regular trash stream. There is too much chance that a social security number or unlisted phone number will be overlooked on the back side of a page.

For offices below about 10 employees, the most cost-effective solution is usually to invest in a good quality cross-cut shredder. For larger offices, consider contracting with a shredding vendor who can provide secure bins where papers can be collected until the vendor’s scheduled pick-up. Require that all paper trash be placed in one of these bins.

It’s time for spring cleaning and you finally want to get rid of that old computer that’s been gathering dust for so long. What will you do with the old one? You can’t just give it away or sell it. There are thieves who specialize in buying used computers on eBay just to search them for private or financial information before reselling them.

Even if you remembered to delete your files, the data is not really gone yet. (When you delete a file in Windows, all that really happens is that the file information is removed from the computer’s "table-of-contents". The data is still on the hard-drive and will stay there until Windows decides that it needs to overwrite that particular space with a new file. That can take months or years.) Even re-formatting the hard-drive does not sufficiently wipe the data. You might hide it from a casual hacker that way but a determined attacker using the latest techniques will be able to reconstruct your hidden information. Read this PC World article for more.

You also can’t just put the old hardware out on the curb with the weekly trash. Even if it doesn’t get taken from your trash by some passerby, there are hazardous materials within most of the devices that should be properly disposed of. Here are some steps you should take:

  1. Make a couple of backup copies of important data and programs by writing the files to CDs.
  2. Use one of the free or relatively inexpensive software programs available that will write over the data on the hard drive. This ensures that no one will be able to access your personal information later even if they try to use data-restoration software. Click here for a review of several common programs.
  3. If you can, donate or recycle the equipment. Computer manufacturers often have suggestions on their websites (see, for example, Dell or HP), may even offer free pick-up, and will work with local agencies to donate or recycle the equipment. You can also look for local donation sites at websites such as Earth 911. Finally, many counties offer computer hardware drop-off locations at their hazardous waste collection and recycling sites (e.g., Medina and Summit counties).

Note: Several donation programs ask that you not delete the operating system or software from your computer, arguing that schools can’t afford to replace the software. This is in general untrue. Most schools, like most corporations, buy "site licenses" and can reinstall the operating system at a fixed, discounted rate. If you do want to donate the software along with the hardware, give them the original installation disks and let them install the software themselves. Always wipe the drive before you donate it.

Many companies have a shared drive set aside for "temporary" use. When used properly, this can be an efficient way to share short-term documents across the organization and to minimize email bloat. Users post their document to this shared folder and provide a link to the document rather than sending dozens of copies of attachments around and bogging down your email system. When the short-term need is complete, users are supposed to go back to the shared folder and delete the documents they posted.

Too often, documents posted to these "temporary" folders are hardly temporary. And, while shared, they are rarely shared properly. Users post documents and forget to delete them or fail to consider that others (who may not have a need to know the contents) will be able to see the documents. IT departments know that these folders have to be extremely flexible in order to work well. They rarely implement access controls or other restrictions on the use of the folder. Doing so would defeat much of the purpose of the shared folder.

  • If you have a shared "temporary" folder on your network, you need to know about it. Don’t let these documents fly under the radar screen.
  • Consider implementing controls on the folder. Controls can include:
    • Limit access to employees only. Lock out contractors, vendors and others who don’t need to see the contents of the folder.
    • Set up the folder to automatically purge all contents older than some set (and short) period. A week or two is all that you can reasonably call "temporary".
    • Never allow the posting of unprotected confidential information to a shared folder.
  • Many electronic content management (ECM) systems can eliminate the need for these temp folders. If you haven’t already invested in an ECM system, ask your technology team to look into it. If you have an ECM application, make sure that your staff are taking full advantage of it and not still using the old, uncontrolled shared folders.
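
One way to implement the automatic purge control from the list above, combined with the central suspension for a litigation hold described earlier. This is an added example, not part of the original article; the 14-day window, the `LITIGATION_HOLD` marker file and the function names are assumptions, and the sample files are constructed.

```python
import os
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 14                # assumed "temporary" window (a week or two)
HOLD_MARKER = "LITIGATION_HOLD"  # hypothetical marker file placed by legal/IT

def purge_temp_share(root, max_age_days=MAX_AGE_DAYS, now=None):
    """Delete files under root last modified more than max_age_days ago.

    Returns ("held", []) and deletes nothing while the hold marker exists,
    otherwise ("purged", [relative paths removed])."""
    root = Path(root)
    if (root / HOLD_MARKER).exists():
        return "held", []
    cutoff = (time.time() if now is None else now) - max_age_days * 86400
    removed = []
    for dirpath, _dirs, filenames in os.walk(root):  # does not follow dir symlinks
        for name in filenames:
            path = Path(dirpath) / name
            if path.is_symlink():        # never act on a link's target
                continue
            if path.stat().st_mtime < cutoff:
                path.unlink()
                removed.append(path.relative_to(root).as_posix())
    return "purged", sorted(removed)

def demo():
    """Constructed sample share: one 30-day-old file and one new file."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "new_memo.doc").write_text("constructed sample")
        old = root / "old_quote.xls"
        old.write_text("constructed sample")
        stamp = time.time() - 30 * 86400
        os.utime(old, (stamp, stamp))        # backdate the old file
        hold = root / HOLD_MARKER
        hold.touch()                         # hold in force: purge must do nothing
        during_hold = purge_temp_share(root)
        hold.unlink()                        # hold released: normal cycle resumes
        after_release = purge_temp_share(root)
        remaining = sorted(p.name for p in root.iterdir())
    return {"during_hold": during_hold, "after_release": after_release,
            "remaining": remaining}

if __name__ == "__main__":
    print(demo())
```

The age test uses the file's modification time, which a copy can carry over from the original, so a freshly posted copy of an old document may be purged on the next run.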

This article was originally published in the Oct/Nov 2006 edition of The Agent Newsline, a publication of Westfield Insurance.

We all know about the rising threat of identity theft, and hear how it can affect a person’s life. Along with businesses, legislatures around the country are also under a lot of pressure to do something about identity theft. Here are some tips to help you keep your customers’ Social Security Numbers (SSNs) and your agency safe. It’s not just a good practice – in almost all states, it’s the law.

  • If you don’t absolutely need the SSN, don’t ask for it. Take the field off forms unless it is absolutely necessary.
  • If you only need the SSN once, use and destroy. Don’t record a copy or make a note "just in case." If you must ask for the SSN, protect it carefully:
    • Watch records that get posted on a web site. Be cautious of spreadsheets with SSNs, which can get found via a search engine. Keep documents with SSNs in secured folders.
    • For log-ons to web sites, don’t use the SSN unless the web site also requires a password or PIN for access.
    • Several states explicitly ban the selling, renting, trading, etc. of any list containing the consumer’s SSN, so don’t give out a consumer’s SSN to anyone.
    • Only print or show the last four characters from the SSN.
    • SSNs may not be printed on any ID card required for the individual to receive products or services. That means that SSNs generally may not be printed on the proof-of-insurance card. This includes embedding the SSN using a barcode, smart chip or magnetic strip.
    • Unless the message is encrypted, don’t request or send SSNs via e-mail.
  • When sending mail, do not print the SSN on anything mailed to the individual unless required by law. The news tends to highlight the technology-based hacks and compromises but research continues to show that most identity theft is committed based on paper records and the largest single source of stolen SSNs is still physical mail theft. (The second source is trash.)
    • If you do send a document with an SSN in the mail, be sure the SSN is not visible through the envelope. Also watch postcards, top-sealed mailers with open sides or envelope window openings.
    • The "required by law" exception applies primarily to certain HR records like your W-2. There may be a few state laws requiring us to send SSNs by mail either to a state agency or to the individual but as a general rule, avoid putting any document with the consumer’s SSN in the mail unless it is strictly required.
  • Destroy everything when it is no longer necessary. As soon as that retention period runs out and the record is no longer necessary, make sure that it is properly destroyed.
    • Paper documents should generally be destroyed by shredding. While the FACTA Disposal regulation allows other means of destroying paper documents, shredding is almost always the most reliable and cost-effective way.
    • Make sure that all electronic media (hard-drives, floppy-disks, thumb-drives, CD-ROMs) get sent back to your IT department for wiping. Make sure that the data has been irrecoverably destroyed before donating the media or throwing it away.
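
A check for two of the tips above: finding spreadsheet exports that still contain SSNs, and showing only the last four digits when one must be displayed. This is an added example, not part of the original article; the function names and the sample rows are constructed, and the sample numbers are publicly known invalid or placeholder values.

```python
import re

# Matches 123-45-6789, 123 45 6789 or 123456789 (same separator in both
# positions), but not digits embedded in a longer number.
SSN_RE = re.compile(r"(?<![\d-])(\d{3})([- ]?)(\d{2})\2(\d{4})(?![\d-])")

def is_plausible_ssn(area, group, serial):
    """Area 000, 666 and 900-999, group 00 and serial 0000 are never issued."""
    return not (area in ("000", "666") or area[0] == "9"
                or group == "00" or serial == "0000")

def mask_ssn(text):
    """Replace each plausible SSN with a form showing only the last four digits."""
    def repl(match):
        area, _sep, group, serial = match.groups()
        if not is_plausible_ssn(area, group, serial):
            return match.group(0)        # leave non-SSN look-alikes untouched
        return "XXX-XX-" + serial
    return SSN_RE.sub(repl, text)

def find_ssn_lines(lines):
    """Return (line_number, masked_line) for each line holding a plausible SSN."""
    hits = []
    for number, line in enumerate(lines, 1):
        masked = mask_ssn(line)
        if masked != line:
            hits.append((number, masked))
    return hits

# Constructed sample rows from a hypothetical CSV export.
SAMPLE = [
    "name,ssn,policy",
    "Pat Example,078-05-1120,PA-100234",
    "Lee Sample,219099999,PA-100777",
    "phone 330-555-0100",
    "claim 000-12-3456",
    "acct 9876543210",
]

if __name__ == "__main__":
    for number, line in find_ssn_lines(SAMPLE):
        print(number, line)
```

The report itself prints only masked values, so the scan output can be circulated without creating another copy of the SSNs.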