Small Business Toolbox

A library of business management info

Steps to Implementing a Storage and Disposal Program for Confidential Electronic Files and Documents
02/15/2005

by Jeffrey Moses

Identity theft has become so widespread in our society that several recently enacted federal acts mandate the proper storage and destruction of confidential information, both in document and electronic form.

For example, the Health Insurance Portability and Accountability Act of 1996 requires health-care providers, health plans and health-care clearinghouses to maintain the confidentiality of protected health information, both while it is stored and when it is disposed of.

The Gramm-Leach-Bliley Act of 1999 requires financial institutions, and other businesses that handle customer financial information, to adopt written policies and procedures that keep customer information confidential, including its proper disposal.

And, broadest in scope, the Fair and Accurate Credit Transactions Act of 2003 will require any business that holds consumer report information to assure "the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed."

These acts make clear that regulators hold businesses responsible for the security of confidential electronic information just as much as for confidential hard-copy information.

The secure storage of confidential electronic information is an ongoing process. Tape backups of PC and server data should be treated like cash in a vault: access limited to authorized personnel only, both while the tapes are stored and while they are in transit, and, where the backup software supports it, the tapes encrypted so that a lost or stolen tape cannot simply be read. Individual (never shared) access codes and PINs should be standard practice for access to backups and for everyday employee use of PCs. Employees should also be trained in choosing and handling strong passwords, and in locking or shutting down their computers whenever they are left unattended.

E-mail and other electronic transfers of data raise special problems for the security of confidential information, because e-mail is not a confidential channel unless the message or its attachment is encrypted. When transferring confidential information, care should be taken that recipients are authorized and, in many cases, bonded for security. An employee should never send confidential information to anyone outside the company until the recipient's security policies have been validated.

The disposal of electronic files and documents raises further problems. As the Information Security booklet of the Federal Financial Institutions Examination Council (FFIEC) IT Examination Handbook puts it:

"Computer-based media presents unique disposal problems. Residual data frequently remains on media after erasure. Since that data can be recovered, additional disposal techniques should be applied to sensitive data. Physical destruction of the media, for instance by subjecting a compact disk to microwaves, can make the data unrecoverable. Additionally, data can sometimes be destroyed after overwriting. Overwriting may be preferred when the media will be reused. Institutions should base their disposal policies on the sensitivity of the information contained on the media and, through policies, procedures and training, ensure that the actions taken to securely dispose of computer-based media adequately protect the data from the risks of reconstruction. Where practical, management should log the disposal of sensitive media, especially computer-based media."

Bulk erasing (degaussing) of backup tapes, drives and disks may not adequately erase information: a degausser that is not rated for the medium leaves data recoverable, and degaussing does nothing at all for optical or flash media. Forensic tools can readily recover "erased" data, because an ordinary delete removes only the directory entry and leaves the data blocks themselves in place. Additionally, simply writing over data (as the FFIEC booklet suggests) may not fully render the underlying data unreadable; sectors a drive has remapped as bad, or flash blocks moved by wear levelling, are never reached by the overwrite. Therefore, reused or bulk-erased media should be handled as though it still holds the confidential data, and never treated as clean.

Optimal security would demand the physical destruction of electronic storage media when it will no longer be reused. Destruction techniques include shredding or incineration. Burial should not be considered a destruction technique because media may contain readable data for years even underground.
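To make the residual-data problem in the FFIEC passage and the preceding paragraph concrete, here is an added example that is not part of the original article: a self-contained Python simulation of a flat storage medium. It shows that an ordinary delete leaves a customer record carvable from the raw bytes, that an overwrite pass removes it on a flat medium, and what a disposal log entry of the kind the FFIEC booklet recommends can contain. The toy disk, file names, record contents and the media label "TAPE-0001" are all constructed for the demonstration; nothing here touches a real device, and the overwrite succeeding here does not mean it would on a drive that remaps sectors or a flash device with wear levelling.

```python
# Added example (not from the original article): simulation of data remanence
# on "erased" media, an overwrite pass, and a disposal log entry.
# Everything here is constructed; no real device is touched.
import datetime
import hashlib
import os
import re

BLOCK_SIZE = 64      # constructed: block size of the toy medium
BLOCK_COUNT = 32     # constructed: 2 KiB toy medium


class ToyDisk:
    """Flat byte array plus a directory, mimicking a filesystem in which
    'delete' only drops the directory entry and leaves the data blocks."""

    def __init__(self):
        self.media = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.directory = {}       # name -> (offset, length)
        self._next_free = 0

    def write(self, name, data: bytes):
        off = self._next_free
        if off + len(data) > len(self.media):
            raise IOError("toy disk full")
        self.media[off:off + len(data)] = data
        self.directory[name] = (off, len(data))
        blocks = -(-len(data) // BLOCK_SIZE)        # ceiling division
        self._next_free = off + blocks * BLOCK_SIZE

    def delete(self, name):
        """Ordinary delete: forget where the file lived, keep its bytes."""
        del self.directory[name]

    def overwrite_and_delete(self, name, random_passes=1):
        """Overwrite the file's blocks before releasing them.  This works on
        a flat medium like this one; remapped bad sectors or flash wear
        levelling on real drives can hold copies the overwrite never reaches."""
        off, length = self.directory[name]
        for _ in range(random_passes):
            self.media[off:off + length] = os.urandom(length)
        self.media[off:off + length] = bytes(length)    # final zero pass
        del self.directory[name]

    def carve(self, pattern: bytes):
        """What a recovery tool does: scan the raw media for byte patterns,
        ignoring the directory entirely.  Returns the offsets of each hit."""
        return [m.start() for m in re.finditer(pattern, bytes(self.media))]


SSN_PATTERN = rb"\b\d{3}-\d{2}-\d{4}\b"    # constructed: US SSN-shaped field


def disposal_record(media_label, method, operator, disk: ToyDisk):
    """Log entry for a disposal: who, when, how, and a digest of the media
    afterwards so an auditor can tie the sign-off to a verifiable state."""
    return {
        "media": media_label,
        "method": method,
        "operator": operator,
        "time_utc": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "media_sha256": hashlib.sha256(bytes(disk.media)).hexdigest(),
    }


def populated_disk():
    """Constructed sample content: one innocuous file, one customer record."""
    disk = ToyDisk()
    disk.write("readme.txt", b"Quarterly newsletter draft, nothing confidential.")
    disk.write("customer.txt", b"Name: Pat Example\nSSN: 123-45-6789\n")
    return disk


def demo():
    # Scenario 1: the naive "erase".  The record is still carvable.
    naive = populated_disk()
    naive.delete("customer.txt")
    hits_after_delete = naive.carve(SSN_PATTERN)

    # Scenario 2: overwrite before release, then log the disposal.
    proper = populated_disk()
    proper.overwrite_and_delete("customer.txt", random_passes=2)
    hits_after_overwrite = proper.carve(SSN_PATTERN)
    record = disposal_record("TAPE-0001", "overwrite: 2 random passes + zero fill",
                             "operator-01", proper)
    return {
        "recoverable_after_delete": len(hits_after_delete),
        "recoverable_after_overwrite": len(hits_after_overwrite),
        "log": record,
    }


if __name__ == "__main__":
    print(demo())
```

Running the block prints a result in which the record is found once after the plain delete and not at all after the overwrite, together with the log entry. Note that the carve step ignores the directory completely, which is exactly why "erased" media must be handled as though it still holds the data until it has been overwritten or physically destroyed.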
