By Robert Johnson, NAID & Kyle Marks, Retire-IT, LLC
ITAK V9 I5
Last January, Coca-Cola admitted to the theft of an unspecified number of laptops containing personal information on approximately 74,000 individuals, including social security numbers, driving license details, salaries, and ethnicity. Reportedly, the laptops had been stolen by the employee in charge of the company’s information technology asset disposal (ITAD) process. However, Coke’s release was decidedly vague on its policy related to ITAD. And, while the media and the data protection experts reacting to the incident were duly outraged by the company’s lax policies, few if any have commented on the most unique and troubling aspect of this story.
Anyone involved in ITAD management will confirm that lost and stolen IT assets are very common in a vast majority of organizations. The fact that Coca-Cola discovered the theft and subsequently treated it as a data breach notification incident actually points to a far bigger problem. In most cases, organizations ignore missing IT assets, violating state and federal laws that require data breach reporting and, thereby, putting themselves at risk.
Data Breach Notification
To fully appreciate the problem that can result from failing to report missing IT assets, one has to first understand data breach notification laws and enforcement.
The first breach notification law was instituted in California in 2004. It required organizations doing business in the state to report to the authorities and the affected individuals when an unauthorized access to residents’ personal information occurred. Very quickly, other states sought such protections for their residents. Over the following years, 48 states have instituted some form of data breach notification requirements. More recently, the Health Information Technology for Clinical and Economic Health (HITECH) Act amended the Health Insurance Portability and Accountability Act (HIPAA) to include a national health data breach notification requirement. Australia, Canada and the European Commission are currently considering similar regulations.
Penalties for neglecting the legal obligation to report data breaches are severe. Last year, Adult & Pediatric Dermatology, P.C., a small medical practice in Concord, Mass., paid $150,000 to settle charges by the state that it failed to report a potential breach that resulted when a thumb drive containing the personal information of 2,200 patients was stolen while in a staff member’s care.
On the other end of the spectrum, Blue Cross Blue Shield of Tennessee paid the U.S. Department of Health and Human Services (HHS) $1,500,000 in 2012 for failing to report stolen computer hard drives.
In both instances, the fines did not result from the data breach itself but rather from the failure to report the breach. Regulators have shown that they’re likely to consider failure to report a potential breaches more severely than the actual breach.
By not investigating and subsequently reporting the discovery of missing assets, an organization creates a major liability; a liability that has no statute of limitations, and could surface at any point in the future if those devices are eventually discovered in the possession of bad guys or simply sold on the second hand market. A recent study in Australia found that 30% of hard drives purchased on the used market, half of which had been deployed in commercial or government institutions, contained extremely sensitive personal information.
The discovery could also surface if someone files a confidential Security Rule Violation Complaint with the Office of Civil Rights (OCR), or through a plaintiff discovery request.
If the C-Suite Knew
Believe it or not, it is actually rare for an organization to reconcile the IT assets to be retired with the IT assets that were acquired. In the few instances where they attempt it, the two lists rarely match. This equates to a potential data breach any way it’s sliced.
There are two issues that lead to this common problem. First, ITAD is given too low a priority from both a mission-critical and compliance perspective. Second, when speaking of IT assets, disposition is viewed as a separate and isolated event, disconnected from the lifespan of the asset over its entire deployment. Both approaches are flawed but the combination of the two creates a compliance nightmare.
ITAD is often a process left to facilities or operations. In larger firms, it may fall to an asset recovery division. In our experience, rarely is ITAD subject to the oversight of data protection or privacy compliance professionals. Even more rarely does IT asset disposal come under the jurisdiction of C-suite risk management professionals, which is where it legitimately belongs.
If given the appropriate priority, individuals aware of compliance requirements and the negative consequences of failure implement a system to detect missing IT assets. This system is a compliance-imperative. Further, compliance and risk management professionals would also make it a professional imperative to make sure missing IT assets are investigated and, if their absence is unresolved, determine whether it warrants breach notification.
Opportunity for IT Asset Management
If there is a silver lining to all of this, disposal-related breaches give IT asset managers an opportunity to demonstrate value and elevate their profession. Educating executives about hidden risks can secure the Information Technology Asset Management (ITAM) resources needed to prevent similar breaches from occurring at their organization.
Organizations constantly replace outdated computers, servers, laptops, copiers, and countless other types of electronic devices that contain private data. Numerous steps, both physical and administrative, are performed by individuals from field services to facilities and from privacy to procurement.
Certified IT asset managers are uniquely qualified to lead and manage the complexities of ITAD initiatives. ITAM has the requisite skills and purview to effectively manage the entire process. Before executives acknowledge ITAM as a viable solution, asset managers must first quantify the problem.
The Ugly Truth
In a perfect world, all assets acquired would effortlessly reconcile with assets retired. Today, executives assume that every retired asset is positively tracked by serial number. This belief exists because they haven’t been told otherwise.
We don’t live in a perfect world and ITAM has a professional responsibility to share the sober facts with executives. Perpetuating a myth of perfect tracking ensures troubles persist. Certainly ITAM does not want to be part of the problem. ITAM must debunk this myth with data and offer a compelling solution.
Only a careful examination of tracking data can confirm chain-of-custody — or reveal potential liability. Detailed inventory reconciliation is required to determine if a particular asset is missing. If no evidence exists to prove an asset was received by a disposal vendor, that asset must be presumed lost or stolen.
The ugly truth about ITAD is that often fewer than 50% of serial numbers exactly match. Of course, this does not mean that half of all retired asset are stolen. It means that matching serial numbers is an ineffective way to track retired assets and many security incidents currently go unreported as a result.
When it comes to regulatory compliance, ITAM professionals have two choices; either lead or relinquish their professional mandate. Continuing to report that every asset is tracked without evidence is interpreted by regulators as a deliberate misstatement of the facts in an investigation. As a result, turning a blind eye to the unreconciled end-of-life IT assets, thereby putting an organization at risk, is tantamount to professional misconduct.
Messengers Don’t Get Shot
Headline-grabbing news of privacy breaches has fueled increased interest in governance, risk, and compliance (GRC) initiatives. The aim of GRC efforts is to proactively prevent risk events and compliance violations. ITAM deserves and needs a seat at the GRC table to be an effective ITAD solution.
GRC professionals understand and demand objective, independent verification. When ITAM participates in GRC, the discovery of a missing asset is not a failure. Failing to discover a missing asset would be. If ITAM is not perceived as GRC, asset managers may be motived to sweep problems under-the-rug. When an asset is discovered missing, ITAM should be commended, not blamed.
ITAM must learn to speak the language of GRC. The term “safeguard” is a synonym for countermeasure. In security-speak, this means a control. We know that IT asset managers are the perfect choice to help GRC establish safeguards and controls for ITAD. ITAM professionals must communicate their case to be given the responsibility.
Presenting the Solution
Senior executives are usually solution-oriented and risk adverse. Once a problem has been legitimately identified, they seek a fix; in fact, in the world since Sarbanes Oxley (SOX), they are more or less obligated. ITAM should seize the opportunity by offering a compelling solution. Viable solutions must provide both basic types of control: preventive and detective.
Here are eight steps organizations could take to prevent a disposal breach from occurring in the first place.
1. Track IT Assets from the Moment They’re Acquired – All IT assets will eventually be disposed; it is inevitable. It is therefore logical to track the asset closely from the moment it is acquired. While it is tempting to use financial accounting software for this purpose, it has proven incapable. In fact, attempting to reconcile the asset acquisition within the accounting software is precisely why so many of the assets are missing at the end of life. IT asset tracking protocols and software created specifically for this purpose is the solution. Service providers should be able to provider options and alternatives that will coordinate with their operating procedures.
2. Treat ITAD as a Potential Incident – Considering each ITAD project an incident, and requiring compelling evidence for an investigation, will ensure adequate safeguards exist. Whenever an incident occurs, an obligation is created to prove that there was no breach. Evidence of data destruction and/or chain-of-custody is required to prove an ITAD incident was not a breach.
3. Recognize that Encryption is Not a Silver Bullet – Too often we hear technology managers dismiss essential safeguards. Chain-of-custody tracking may be considered superfluous when encryption is used. Coca-Cola had a policy of encryption. Encryption does not eliminate the requirement to detect and investigate incidents. Encryption can keep an incident from becoming a breach. Encryption cannot stop an incident from occurring.
4. Outsource Inventory Reconciliation to a Qualified Service Provider – Spreadsheet reconciliation is time-consuming and tedious. Moreover, the results of manual reconciliation can be subjective and impossible for someone else to verify without redoing the entire thing. Outsourcing reconciliation ensures a consistent, objective approach, and allows IT asset managers to spend valuable time solving problems.
5. Use Disposal Tags – On average, 40% of inventories captured by disposal vendors contain errors (e.g. duplicates, missing identifiers, etc.). Both employees and vendors make mistakes, which is why fewer than 50% of serial numbers are successfully matched. Bar-coded disposal tags increase tracking to 98%, or higher. Disposal tags provide an effective way to track assets and prove chain-of-custody. Equally as important, disposal tags deter employee theft – certainly a pertinent concern after the Coca-Cola incident.
6. Secure or Destroy Data before Any Move – 99% of ITAD problems happen before a disposal vendor touches the equipment. Employee theft is a common occurrence. Working with a certified electronics recycler is essential, but like encryption, it is not a silver bullet. Unfortunately, no vendor can sanitize a hard drive inside a laptop it never receives. Steps must be taken to securely store equipment until it can be effectively sanitized. When transporting equipment for sanitization, special precautions and procedures must be observered.
7. Don’t Let the Fox Watch the Hen House – A critical aspect of privacy regulations is segregation of duties. When an organization implements a process to independently verify chain-of-custody, there is accountability. Losses can’t be swept under the rug. Employees can’t take equipment without detection. Coke let the fox watch the hen house.
8. Test Security Controls – Compliance requires an organization to implement and test safeguards. Detecting a missing asset requires a robust reconciliation process. An effective test of this control is to include a fictitious asset on every disposal inventory. This dummy asset should get flagged as missing. If the disposal vendor reports receiving the fictitious asset, there is a problem.
We began our article by pointing out that Coca-Cola incident was unusual, not because it happened, but because it was reported.
Thanks to the incident at Coca-Cola, however, the public now knows what IT asset managers have known for quite some time. It is easy for trusted insiders to take retired assets and it is difficult to detect the losses. Sadly, the person responsible for the disposal at Coke was also the perpetrator. Experienced IT asset manager know how easy it would be for them to take a retired asset.
And the stakes have only gotten higher over the ensuing months, further increasing the risk of simply ignoring or dismissing these potential breaches inherent in missing assets.
This April, for the first time in history, a court allowed class-action data breach law suit to proceed even though no damages were directly apparent. The defendant, AvMed, a Florida-based health insurer, immediately settled the suit for $3 million. It only took a week for a court in California to do the same thing, resulting in $4.1 million settlement between plaintiffs and Stanford Hospital & Clinics. In this environment, prevention is the only effective strategy. The alternative is a death sentence for the organization, and unreported missing IT assets are essentially a time bomb with a perpetual clock.
ITAM professionals have an opportunity to raise awareness and become the solution to prevent similar disposal-related incidents. Rarely is any profession given the chance to so meaningfully protect their organization. The problem is clear and it seems the choice for compliance professionals is as well; become the champion for change or turn a blind eye. Professional ethics and career management would seem to dictate a proactive solution-based plan of action is warranted sooner rather than later.