Beware what lurks in your downstream

“Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

The Data Protection Act is far from indirect in its legislation regarding the security of personal data. Yet with multiple examples of data washing up downstream and into potentially dangerous hands, why are organisations failing to identify best practice and the importance of compliance?

Through misunderstanding and poor judgement surrounding IT asset disposal (ITAD) processes, standards and technology, the Data Protection Act is interpreted at the most basic of levels. In fact, in some cases, there is very little evidence of any compliance being practised at all.

Legal obligations to follow procedures put in place to protect both an organisation and the personal data placed within it are often fulfilled in accordance with how cheaply it can be done, as opposed to how best it can be achieved – a familiar scenario to many.

In terms of IT asset recovery, what constitutes an “appropriate technical and organisational measure”, as detailed in Principle 7 of the Data Protection Act, is the certificated cleansing of data and WEEE disposal of IT equipment.

It is in tangible evidence that personal data has been protected that an organisation can place its trust, rather than in a promise that kit leaving the premises will be disposed of compliantly for a fraction of the cost of using an accredited ITAD.

A recent case involving NHS Surrey, in which the trust was dealt a monetary penalty of £200,000 by the Information Commissioner’s Office (ICO), saw in excess of 3,000 patient records discovered on a second-user computer purchased through an online auction site.

NHS Surrey had received the ITAD service for ‘free’ from a data destruction company in their employ since 2010. And while this may have seemed like an “appropriate technical and organisational measure” at the time, failing to consider downstream implications would subsequently seem a rather expensive endeavour in comparison.

Most organisations have in-house measures to ensure compliance with Principle 7; personnel, processes, physical security, computer security, business continuity etc. But when outsourcing IT asset disposal, it is critical to establish a system of checks and balances that protects end-of-life technology.

An unbroken chain of custody is necessary to ensure compliance and shield an organisation from malicious insiders, limiting downstream liability, avoiding monetary penalties and protecting brand reputation.

Establishing the required chain of custody sounds easier said than done, but in reality it is simply the evidence that effective ITAD processes have been implemented in accordance with Principle 7.

Like NHS Surrey, too many organisations continue to pay a heavy price when their equipment is found in the wrong place, in the wrong hands, containing data, on an internet trading site or worse.

But with the ITAD industry tainted by questionable companies offering an inferior solution based on uncertified products or freeware, there remains a platform for the fostering and endorsement of a dangerous ‘free service mentality’, with scant regard for liability or compliance.

Some are too swift to disregard the question of how service offerings of this nature can be sustained without compromising data protection. The reality is that they can’t. This was epitomised by the case of Tor Olson, former vice president of Executive Recycling.

Mr Olson was sentenced to 14 months in prison in 2012 for his role in duping customers into believing they were recycling IT domestically while it was actually sent as waste to developing countries, demonstrating the pitfalls of customer naivety and ignorance applied to data protection.

According to a 2012 survey conducted by Forrester across 240 companies in Europe and North America, 51% had at least one security breach in the 18 months prior.

A separate survey of 80 large healthcare organisations carried out by found that 94% had suffered a data breach in the past two years, with around 21 million patients becoming the victim of medical record breaches.

And by August last year, the ICO had issued over £1.7 million in fines to companies that fell foul of the Data Protection Act, in addition to multiple undertakings and four legal prosecutions.

The evidence suggests that not only are data breaches becoming more common, they are becoming more expensive as well. And there are calls for more responsibility to be taken in public sector incidents where information security is not managed in accordance with Principle 7 of the Data Protection Act.

With more and more falling foul of rogue ITAD practices that offer one service but deliver another, or don’t deliver at all, opportunists are abusing trust and exploiting the vulnerability of organisations by targeting an area in which a lack of understanding is as good as an invitation.

Be it arrogance in the false assurance that it won’t happen to them, ignorance of the scale of the problem or the misguided belief that a free ITAD service provider will follow processes to protect personal data, the value of process and the definition of an “appropriate technical and organisational measure” remain unclear to companies that should be well-versed in the Data Protection Act.

A managed, governed process produces superior evidence in the form of staged reporting within a controlled environment. And, most importantly, it reduces another risk to downstream liability: theft.

Theft is the largest threat to any ITAD, and a chain of custody deters employee theft by negating the ‘it was going to be destroyed anyway’ philosophy and delivering a company-wide understanding of why a strong disposal policy is so important.

Employees must take individual responsibility in information security and comprehend the implications of a breach starting from within; a lack of understanding increases the risk of opportunists misusing, moving or lifting assets.

Principle 7 states that an organisation must: design and organise security to fit the nature of the personal data held and the harm that may result from a security breach; be clear about who is responsible for ensuring information security; have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff; and be ready to respond to any breach of security swiftly and effectively.

An ITAD that can demonstrate efficient incident response processes can help minimise the threat of lost data-bearing assets. An ITAD that can demonstrate pedigree and accreditation is worth its weight in gold.

It’s not unusual to be put off by the size of a quote for a service which to some is not a necessity. With nothing tangible to show for peace of mind or compliance, only the careful review of costs will reveal expenditure that is regularly overlooked when justifying IT asset disposal.

Consider what an organisation pays its technicians and the value of the time it takes them to set up, perform an erasure and document it. There’s also the cost of taking a team away from a project that may be more strategic for the organisation.

Finally, there are costs associated with the space, systems and software required to perform data erasure, the hire of equipment to safely destroy failed drives, secure transport etc. The list goes on.

It’s probably at this point that a free service seems an attractive option. But what is lurking in your downstream? While two thirds of organisations go without a proper ITAD policy, the question remains: what is most important?

The answer is, of course, information security.