Hiding in Your Old Fax Machine
“Many of us get medication at a pharmacy. Recently, I watched as the clerk filled my prescription, which comes in duplicate out of the fax machine. Following data privacy protocol, she very carefully put one in a secure file and shredded the other one right there.
“I said to the young lady, ‘I noticed you’ve got a new fax machine there. What did you do with the old one?’ And she said, ‘Oh, we sent it back to the leasing company yesterday.’
“So, they send the prescription over a fax line, which is relatively secure. As they print it out, they very carefully shred the duplicate copy to make sure that it doesn’t escape and it’s secure. At the same time, a hard drive with 150,000 prescriptions just walked out the door to some warehouse somewhere. That data is now sitting in storage still on the fax machine. Those are the big risks and liabilities that nobody thinks about.
“Most people are unaware of the way that their personal information is being collected and used. That has pushed data privacy to center stage.” Michael Harstrick, Chief Global Development Officer, Garner Products
In the questions and answers below, Michael draws on his deep background in data security to address the key data privacy issues of our current digital-first environment:
Q. What are the origins of data privacy?
A. About 15 years ago, every health insurance entity in the world used your Social Security number as your policy number. They changed that after HIPAA. And that’s why you now have to give them your name and your date of birth to be accurately identified.
The concept of data privacy is immense. So, a little history here. Broadly speaking, the American concept of data privacy really comes out of the Fourth Amendment. The unreasonable search and seizure clause has been interpreted in the legal system to extend to information about you. The first act that did something about that was the Social Security Act of 1935 that said your Social Security number is a value and therefore is a privacy issue.
Q. What are the most important considerations any data security leader should have about data privacy in today’s digital workplace?
A. In yesterday’s world, we came to an office where the security and data privacy teams could create real boundaries. The security problem with the digital workplace today is we have laptops and cell phones, which people working remotely take home. So, now you have to reorganize every piece of data you have. Then you must set limits on who is allowed to see that data, and who is allowed to use that data — by pretty much every user in the organization. And that’s an immensely complex task.
Q. What are the key steps a company can take to ensure data privacy in the workplace?
A. You have to go to the lowest common denominator and decide what is not allowed in your particular environment. You have to set permissions in that data, monitor and enforce the permissions to make sure that only the people who are allowed to see certain data can see it. You have to make sure that only the people who are allowed to move the data can move it. You can’t let someone access sensitive data and then let them export it and take it with them.
That requires a matrix for the definition of information. The data privacy team must first configure that plan, then map it, then determine how to administer it and how to enforce it. You have to find the balance between following the compliance rules and the security practices, and being able to use the data so that it provides value to the organization that needs the data.
Q. What is one of the most overlooked areas of data privacy in many organizations?
A. Clearly, it is data disposal at end of life. It’s understanding that the complexity and sophistication of storage devices are simply staggering. Everyone is familiar with how to dispose of paper, but not so with digital data. The vast majority of people know you don’t leave a medical chart on your desk, but don’t know what to do with an old hard drive containing that same data.
Most people don’t understand the complexity of data storage in the products they use. For example, printers and fax machines have storage drives. The manufacturer recommends that the company remove the storage before they dispose of the printer. But how often do you think that happens? Rarely, as my pharmacy example clearly showed.
Q. How do you recommend data privacy and data security professionals dispose of sensitive data and confidential personal information?
A. There is only one way to be sure. Your risk of a data breach from decommissioned hard drives and backup tapes can be reduced to zero with a simple three-step media decommissioning process:
- Degauss all hard drives in-house while the media is in your company’s controlled, secure facility
- Physically destroy each hard drive in-house immediately after it is degaussed
- Maintain verified proof of data erasure and destruction