Dodging a Data Disposal Debacle

By: (CISA, CISSP)

Publication: The Colorado Banker, July/August 2010

I trust your information security policies include a policy and procedures for the disposal of all sensitive information in a secure manner once any retention requirements are met. But there is a high probability that gigabytes of data have escaped your disposal plans and been wheeled out of the bank right under your nose. Before I divulge this mysterious data location, let's examine some important elements of a Data Destruction Policy.

Where Is My Confidential Data Located?

Presumably, your information security risk assessment includes a threat related to the improper disposal of customer or bank nonpublic information, both paper-based and electronic. To ensure you have adequately controlled this threat, you must first identify the location of all confidential information. However, this identification process has likely failed to identify and control one location of electronic nonpublic information. But, I'm not ready to let that cat out of the bag yet.

How Should Data Be Destroyed?

Historically, paper documents have been the primary media for customer information. However, as we move rapidly toward a paperless society, the bulk of nonpublic customer and bank information will be in electronic form.

A growing number of banks utilize a shred vendor for their printed document destruction. Ideally, bank personnel should witness the destruction of information onsite at the bank. Otherwise, the bank should be very particular about the confidentiality and incident response provisions in the shred vendor's contract.

Banks shredding their own documents must utilize crosscut or diamond cut shredders. The FFIEC IT Examination Handbook, Information Security Booklet (July 2006) requires appropriate disposal procedures for paper-based media to “ensure the media is rendered unreadable and unlikely to be reconstructed.” Strip cut shred remnants can usually be reconstructed quickly and easily.

Many shred vendors, and crosscut shredders, will destroy CDs, DVDs and backup tapes. Some shred vendors also accept for destruction hard drives from decommissioned workstations and servers. Due to the large volume of nonpublic customer or bank information on a hard drive, banks often choose to destroy their own hard drives with a sledgehammer or drill, or by degaussing. It is not sufficient to simply erase a hard drive: deleting a file only releases the space it occupied, and the bytes remain on the platters until something overwrites them. If you wish to retain the drive for reuse, free space must be overwritten with a tool such as Microsoft's SDelete (http://technet.microsoft.com/en-us/sysinternals/bb897443.aspx).
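To show why an ordinary delete is not enough, here is a small added model (not code from the article or from SDelete) of a disk as a flat byte array with an allocation table: deleting a file drops its allocation entry but leaves the bytes in place, and only an overwrite of the unallocated blocks, the step SDelete performs on a real volume, removes the remnant. The sample record and the block size are constructed for the demonstration.

```python
"""Toy block-device model: 'delete' versus 'overwrite free space'."""
BLOCK = 16  # constructed block size for the model


class ToyDisk:
    """Flat byte array plus a table of which blocks each file owns."""

    def __init__(self, blocks: int = 8) -> None:
        self.data = bytearray(BLOCK * blocks)
        self.allocated: dict[str, list[int]] = {}  # name -> block indexes

    def _used(self) -> set[int]:
        return {i for blocks in self.allocated.values() for i in blocks}

    def write_file(self, name: str, payload: bytes) -> None:
        """Place the payload into the first free blocks and record them."""
        used = self._used()
        free = [i for i in range(len(self.data) // BLOCK) if i not in used]
        needed = -(-len(payload) // BLOCK)  # ceiling division
        blocks = free[:needed]
        for n, i in enumerate(blocks):
            chunk = payload[n * BLOCK:(n + 1) * BLOCK].ljust(BLOCK, b"\0")
            self.data[i * BLOCK:(i + 1) * BLOCK] = chunk
        self.allocated[name] = blocks

    def delete_file(self, name: str) -> None:
        """Ordinary delete: only the allocation entry goes away; bytes stay."""
        del self.allocated[name]

    def unallocated_bytes(self) -> bytes:
        """Everything a recovery tool could read from blocks no file owns."""
        used = self._used()
        return b"".join(self.data[i * BLOCK:(i + 1) * BLOCK]
                        for i in range(len(self.data) // BLOCK) if i not in used)

    def overwrite_free_space(self) -> None:
        """What a free-space wiper does: fill every unallocated block."""
        used = self._used()
        for i in range(len(self.data) // BLOCK):
            if i not in used:
                self.data[i * BLOCK:(i + 1) * BLOCK] = b"\0" * BLOCK


def remnant_found(disk: ToyDisk, marker: bytes) -> bool:
    """True if the marker is still readable from unallocated space."""
    return marker in disk.unallocated_bytes()


def demo() -> tuple[bool, bool]:
    """Returns (recoverable after delete, recoverable after overwrite)."""
    disk = ToyDisk()
    disk.write_file("acct.txt", b"SSN 000-00-0000 acct 1234567890")  # constructed
    disk.delete_file("acct.txt")
    after_delete = remnant_found(disk, b"000-00-0000")
    disk.overwrite_free_space()
    return after_delete, remnant_found(disk, b"000-00-0000")
```

Running `demo()` returns `(True, False)`: the record survives the delete and disappears only after the free-space overwrite.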

In any case, your Data Destruction Policy should address the secure destruction of all customer and bank nonpublic information, whether paper-based or stored on floppy disks, magnetic tapes, CDs and DVDs, internal or external hard drives or USB mass storage devices (flash drives). But, there is a very high likelihood you've overlooked one critical location – the hard drive inside your copiers / digital duplicators, printers and multifunction peripheral devices (MFP).

What?

You never knew many copy machines, printers and MFPs (all-in-one devices which may print, make copies, scan documents and send faxes) have an internal hard drive? You're not alone. A recent report by CBS alerted the public to the existence of these internal drives and the associated risk:

http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml

In the interest of space, I'll not attempt to summarize the article. However, the data retrieved from the hard drives of used copy machines should make you shudder, motivate you to read the story and respond:

  • Detailed domestic violence complaints and a list of wanted sex offenders (previously owned by the Buffalo, N.Y. Police Sex Crimes Division)
  • 95 pages of pay stubs with names, addresses and social security numbers and $40,000 in copied checks (formerly owned by a New York construction company)
  • 300 pages of individual medical records (previously owned by Affinity Health Plan)

These copiers (or printers, etc.) might just as easily have been owned...or leased...by a bank.

How Should This Risk Be Addressed?

The good news is, many hardware vendors appear to have built in solutions (or offer optional ones) for securely erasing data stored on these internal hard drives. Consider these questions regarding your Data Destruction Policy and vendor management program:

  • Do your copiers, printers and MFPs have internal hard drives?
  • Did the manufacturer include or offer an optional solution to securely erase data on internal hard drives?
  • Does your contract with the copier / printer / MFP vendor address this issue?
  • Does bank policy address securely erasing data on leased equipment, and is the lease contract consistent with the bank's policy?