Data breaches have serious consequences, ranging from lost money, sensitive data, and clients to a damaged reputation, lengthy court battles, crisis management, investigations, fines, and penalties.
Most companies take some measures to protect their data (find out Why You Might Need Cyber Insurance Even if You Run a Small Business). But they may not realize that the way they get rid of the data and the devices that store them could leave them vulnerable.
We'll go over what you need to consider whenever you have to destroy documents or dispose of electronic devices.
Secure Information Overview
Besides the obvious business and financial impact, businesses also have a legal responsibility to maintain and protect sensitive data. If you handle this kind of information, regulatory bodies now lay the responsibility for data security squarely on your shoulders.
If you run a business of any kind, there's really no way to avoid it. Whether it's a law firm or a pizza place, you'll collect and store some kind of data on your employees, partners, suppliers, or clients.
Going low-tech also won't protect you. Data stored on paper is still vulnerable to identity and information thieves.
Data Protection Laws and Compliance
All companies that collect personally identifiable information (PII) must dispose of data safely to avoid prosecution and fines. PII includes any information that could single out individuals, such as:
- Telephone numbers
- Email addresses
- Social Security numbers
The U.S. does not have one overarching statute to cover all data liability issues, but it does have statutes for particular industries and for the mismanagement of data. Many states now have specific laws to address these issues, too.
The Federal Trade Commission Act
The Federal Trade Commission Act applies to both online and offline security. The FTC brings enforcement actions against companies when they fail to comply with their own stated policies or when a company discloses personal data through negligence.
Gramm-Leach-Bliley Act (Financial Data)
The Gramm-Leach-Bliley Act (GLB) safeguards sensitive financial data. Its regulations cover collection, use, and disclosure of this data, including loss through the disposal process.
It applies mainly to financial institutions, but it may also apply to any business that offers financial products and services.
The Security Rule (Medical Data)
The Security Standards for the Protection of Electronic Protected Health Information, also known as the Security Rule, provides standards for protecting medical data.
It was later strengthened to require that HIPAA-covered organizations notify patients of any breach of their protected health information.
The Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act are designed to improve the accuracy of consumers' credit-related records. They apply to lenders that use consumer reports and to companies that supply information to credit bureaus, and they govern how those organizations protect the data.
Red Flag Rules
Federal Trade Commission Red Flag Rules require many organizations to develop a Theft Prevention Program to identify “red flags” during operations.
You may need to comply if your business does any of the following:
- Defer payment for goods and services
- Bill customers
- Grant or arrange credit
- Participate in the decision to extend, renew, or set the terms of credit
Disposing of Data
To fully comply with state and federal law, you must destroy unneeded personally identifiable information. But if not done properly, destroying PII exposes that data to theft. Regulatory compliance should be considered the minimum standard, not the final goal.
Organizations need official guidelines for document destruction, and specific policies for disposing of paper waste.
Start by identifying potential risks at every point in the information cycle, including:
- Tracking sensitive data
- Generating paper documents
- Document transfer policies
- Information storage
- Destruction of documents
The most common method for disposing of sensitive documents is shredding, followed by destruction of the shredded material. Although shredded material looks completely unusable, it remains vulnerable until it is destroyed. Store shredded documents in locked cabinets or use an on-site destruction unit through a supplier.
Getting Rid of Electronic Data
According to a 2017 Ipsos Reid study, across the United States, Canada, and the UK:
- 50% of small businesses have no policy in place at all for managing the use of electronic devices
- 46% of small businesses don’t have a policy in place for disposing of confidential data found on electronic devices
And the figures for big business are not much better.
While U.S. businesses recognize the risk of security breaches, most don’t regularly review security processes, conduct audits, or train their employees to safeguard sensitive information. That last item is bad news, because people are often the weakest link in your company’s security chain. Extensive security training can go a long way to reducing the risk of a data breach.
Sanitize Hard Drives
Sending files to the trash or recycle bin does not entirely erase the data. Unless the hard drive is sanitized, the information is still accessible to data thieves.
According to US-CERT, the United States Computer Emergency Readiness Team, only two ways exist to destroy data safely: overwriting and physical destruction.
Basically, overwriting means replacing your existing data with random data.
Many free, open-source tools exist to overwrite hard drives, but be aware that solid state drives are almost impossible to erase reliably this way. With those, physical destruction is the best avenue.
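As an added illustration (not code from the original article or any tool it mentions), this Python script simulates the overwrite described above on an in-memory image standing in for a disk, then reads the image back to check that no recognisable records or untouched blocks remain. The sample records, the PII patterns and the entropy threshold are constructed for the example.

```python
import math
import os
import re
from collections import Counter
BLOCK = 512  # bytes per simulated disk block

# Constructed sample data standing in for a small disk: PII records at the start, the rest all zeros.
def make_sample_image(blocks: int = 64) -> bytearray:
    records = b"name=Jane Doe;ssn=123-45-6789;email=jane@example.com\n" * 20
    img = bytearray(blocks * BLOCK)
    img[: len(records)] = records
    return img

def overwrite_random(img: bytearray, passes: int = 1) -> None:
    """Overwrite every block with random bytes: what 'overwriting' means in the text.
    On a real spinning disk this targets the whole device, never a file inside it. On an
    SSD, wear levelling can leave stale copies in blocks the host cannot address."""
    for _ in range(passes):
        for off in range(0, len(img), BLOCK):
            img[off:off + BLOCK] = os.urandom(BLOCK)

def shannon_entropy(block: bytes) -> float:
    """Bits per byte; random data scores close to 8, text or zeros far lower."""
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

# Patterns a verifier looks for after sanitising (constructed, illustrative).
PII_PATTERNS = [
    re.compile(rb"\b\d{3}-\d{2}-\d{4}\b"),            # US SSN style
    re.compile(rb"[a-z0-9.]+@[a-z0-9.]+\.[a-z]{2,}"),  # e-mail address
]

def verify_sanitized(img: bytes, min_entropy: float = 7.0) -> dict:
    """Read the whole image back and flag anything suggesting the overwrite missed a block:
    recognisable PII, or blocks whose entropy is too low to be random output."""
    report = {"blocks": len(img) // BLOCK, "pii_hits": 0, "low_entropy_blocks": 0}
    for pat in PII_PATTERNS:
        report["pii_hits"] += len(pat.findall(img))
    for off in range(0, len(img), BLOCK):
        if shannon_entropy(img[off:off + BLOCK]) < min_entropy:
            report["low_entropy_blocks"] += 1
    report["sanitized"] = report["pii_hits"] == 0 and report["low_entropy_blocks"] == 0
    return report

if __name__ == "__main__":
    disk = make_sample_image()
    print("before:", verify_sanitized(bytes(disk)))
    overwrite_random(disk)
    print("after: ", verify_sanitized(bytes(disk)))
```

The read-back step is the point: a disposal policy should require evidence that the overwrite completed, not just that the tool was run.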
You can destroy most electronic devices and tapes by degaussing them, which involves exposing the device to a strong magnetic field. This process destroys the firmware, making the device unusable and its data inaccessible. Businesses can either rent or buy degaussing machines, depending on the scale and frequency of their electronic disposal needs.
Never burn a hard drive with acid or put it in the microwave. Although this might destroy it sufficiently, it will emit toxic gases.
Destroying Mobile Devices
Many companies do not realize the risks they take on when they allow employees to use their own devices for company work. It's important to develop a clear and thorough policy that specifies which data workers can access, how to access it through a secure network, and what they are authorized to store on their own devices.
If employees use company devices, terminate all accounts associated with them before destruction. Remove and destroy the memory or SIM card. Restore the device to its factory settings to wipe existing data. Finally, destroy the device or have a company do it for you.
Data Liability Protection
Properly getting rid of your data can be as tricky as keeping it secure while it's stored. Human error can compromise even the most stringent disposal procedures. Even if you store and dispose of your data and devices diligently, cyber liability insurance is a wise precaution. It will give you an added layer of protection in case the information you tried to get rid of still ends up in the wrong hands.
Insurers offer many layers of coverage, so you can tailor a policy to your needs. A skilled agent or broker may include first-party coverage to protect you from your own losses and third-party coverage against claims arising from losses suffered by clients.
Here are a few of the protections cyber liability insurance may offer.
Complying with state regulations requires notifying affected parties when a data breach occurs. This is a costly, time-consuming venture, and particularly troublesome in the chaotic aftermath of a data breach.
Some policies include coverage to hire a PR company and additional staff to communicate with clients and minimize reputational damage.
When you lose personally identifiable information, state and federal agencies may require an investigation to determine whether it occurred as the result of negligence within your company.
Some policies include coverage for this expense and even compensation for fines or penalties levied by authorities.
Data Breach Liability
Disgruntled stakeholders may file a lawsuit against your business, particularly if someone uses their data to tap into their finances or credit. Data breach liability coverage can compensate you for the resulting legal costs and settlements.
Standard business policies typically cover damage to computers up to the policy limit. However, they do not cover the data stored on these devices.
Generally, cyber liability policies can cover theft or loss of personally identifiable information. Some may also include coverage for a forensic analysis to determine how the culprits accessed data.
Hackers may shut down a business, restrict access, or damage devices with viruses or malware. Business interruption coverage can compensate you for lost revenue incurred during this time.
(For more on cyber vulnerability and protection, see Cyber Liability Insurance: Is Your Business Covered?)
Protect Your Data
Don’t ignore the importance of data protection throughout a document or device's entire life cycle. Create policies, train your staff, and make sure that all sensitive data is disposed of properly. And make sure you have enough insurance coverage in place to help you cope and recover from a data breach.
Managing and protecting your data can be difficult. If you don't know where to start or want to make sure you stay one step ahead of data thieves' latest tricks, seek professional guidance.