The Top 5 Ways Our Personal Data Gets Compromised

April 30, 2019 at 8:26 pm by Heidi White

It seems like we can’t go a week without hearing about a data breach or some other incident in which personal data has been compromised. Cybercriminals are becoming more sophisticated, and there is very little any individual can do to stop attacks from happening.

We can, however, arm ourselves against hackers and identity thieves by first understanding the main ways in which our personal data can be compromised. Then, we can take necessary steps to safeguard our personal data and prevent criminals from accessing our private information.

Understanding How our Personal Data Gets Compromised

There are many ways in which our personal data can become compromised, yet they all seem to boil down to five main causes, some of which are under our control and some of which are not.

The Top 5 Ways Personal Data is Compromised:


1. Organizational Data Breach: In order to do business with us, organizations often require our personal information: financial institutions, credit bureaus, medical groups, email and social media platforms, subscription services, cloud storage providers, and the list goes on. We trust that the organization follows its outlined security protocols to keep our private information private. When an organization fails to deliver on its security measures, as we’ve collectively witnessed with the recent onslaught of big-data and cloud-system breaches, our personal information is subject to unauthorized access and theft. Before sharing personal information, be sure you trust the organization and understand its data management policies and procedures for how your personal data will be used, stored, secured and destroyed.

2. Unsecured Internet Connection: Even though it’s enticing to stop in to your local coffee shop or public library to work remotely from your laptop or portable device, you should always check the security of the internet connection you’re about to use first. Public or otherwise unsecured connections are the most susceptible to cybercriminal activity; using an unsecured internet connection is like inviting hackers to your doorstep. In short, if the internet connection can be accessed without a password, don’t connect to it.

3. Unsecured Device: The same can be said for any device you use to access the internet. From smartphones to laptops and tablets, and now smart home devices like Amazon Echo and Google Home, these devices hold troves of our personal and private data. Keeping security software up to date, running a firewall, and adding extra protection such as two-factor authentication are imperative to ensuring your device is protected from outside penetration. Password strength also falls under device security. Passwords should never be reused across accounts, should include characters and numbers as well as letters, and should never be something easily guessed about yourself. Even if you are using a secured internet connection, a device with missing or outdated security is just another invitation for having your data stolen.

4. Responding to a Scam: Scams are designed to look, read and feel as authentic as possible. Email phishing, ‘robo’ calls and social engineering tactics like personality quizzes are just a few examples of the ever-growing set of scams hackers and cybercriminals have developed to steal your personal data—right from the horse’s mouth. We often (mistakenly) place our trust blindly in channels like email, phone and social media because those are the places where we communicate with people and brands we do trust. Always be vigilant about the type of organization contacting you and the way in which it communicates with you before you answer. (The IRS, for instance, will never email you or call you for personal information.)

5. Data Storage and Disposal at Home: Probably one of the most overlooked ways in which our personal data can be compromised is how we manage our data at home. Do you have a safe, secure, and designated location at home for all your personal and private documents? (You should.) And, what do you do with sensitive information that you no longer need, like an expired credit card or an old bank statement? If your answer is to cut it up and throw it out, you’re putting your personal data at risk. This also holds true of old devices you want to get rid of. Consider the personal information amassed on the hard drives of your old laptop, tablet, smartphone or other data-storing device. If you don’t properly destroy the hard drive, the data can still be reconstructed and accessed long after you’ve disposed of the device (say, if you turned it over to a buy-back program or, worse, threw it in the trash for a dumpster-diver to find).

[Image: Security-focused organizations use hard drive shredders to destroy drives at end-of-life]

Proper Data Destruction and Disposal

While there’s little you can personally do to protect your information from a data breach at an organization, ensuring that the companies with whom you do business have a comprehensive data security and destruction policy is a good first step. There are also ways for you to better control your own data security. Assessing your internet connections and device security, and thinking before you respond to any digital or telephoned communication, can greatly help you ensure your private data stays secure and uncompromised.

When it comes to home security measures and data disposal, we recommend you maintain a specific and private place for anything that contains your personal information, and that you bring end-of-life devices to a local data destruction day, often held at universities in the spring. Of course, if you are in the area, you are always welcome to bring your device to SEM for physical destruction. As a final note, if your personal data has been compromised and you’ve become a victim of identity theft, you should report the identity theft incident to the Federal Trade Commission (FTC) online at IdentityTheft.gov or by phone at 1-877-438-4338.

Security Engineered Machinery Provides Compliance Solutions for the Destruction of CUI

April 5, 2019 at 3:22 pm by Heidi White

Secure data destruction device manufacturer supplies CUI line of paper shredders to provide compliance solutions for Executive Branch agencies and their affiliates to meet ISOO’s new CUI directive

[Image: SEM’s entire line of high security paper shredders comply with the new CUI paper destruction requirement]

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to offer a complete line of high security paper shredders that meet the requirements of the new Controlled Unclassified Information (CUI) Program instituted by the National Archives and Records Administration (NARA) and the Information Security Oversight Office (ISOO). The Program, which affects all Executive Branch agencies within the Federal Government as well as their affiliates that may handle CUI, mandates that paper containing CUI be destroyed to a 1 mm x 5 mm particle, which is the same particle size as required by the National Security Agency (NSA) for classified and top secret information.

“We have been in frequent contact with NARA and ISOO, including presenting at their first CUI Industry Day held at the National Archives in Washington DC,” stated Todd Busic, Vice President of Security and Intelligence Operations at SEM. “As a result of our communication with these organizations and our commitment to the new directive, SEM has pledged to educate government agencies on the paper destruction requirement of the new CUI Program, which is quite different than what was once accepted as standard.”

“SEM has long been an industry leader in providing solutions on the cutting edge of new technology and on educating entities on new and updated data security regulations,” added Andrew Kelleher, President of SEM. “As a solutions provider to the Federal Government, we are fully committed to assisting NARA and ISOO in educating Executive Branch agencies on the new CUI directive and how best to achieve compliance.”

All unclassified information throughout the Executive Branch that requires any safeguarding or dissemination control is characterized as CUI, so the requirement reaches nearly all government agencies. Unclassified data such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Personally Identifiable Information (PII), as well as information relating to critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation matters, all fall under this requirement.

Executive Order 13556 “Controlled Unclassified Information” created a program for standardizing the management of CUI across the Executive branch and designated the National Archives and Records Administration (NARA) as Executive Agent. As such, NARA is responsible for the implementation of the CUI program as well as agency oversight to ensure compliance. The Archivist of the United States in turn delegated these responsibilities to the Information Security Oversight Office (ISOO), which issued 32 CFR Part 2002 “Controlled Unclassified Information” to establish a comprehensive policy for managing all aspects of CUI, including disposal and other program-specific requirements. 

The rule affects not only all federal Executive Branch agencies that handle CUI but also all other organizations that in any way interact with CUI or have access to federal information on behalf of an agency. Therefore, these agencies must implement safeguarding or dissemination controls that are consistent with the CUI Program for any and all unclassified information. Prior to the CUI Program, agencies typically utilized agency-specific policies and procedures, of which there were many, resulting in inconsistently managed CUI.

The ISOO CUI directive has very clear requirements for information end-of-life, mandating that all CUI be destroyed to NIST 800-88 specifications. For paper, the NIST 800-88 destruction specification is the same as the NSA requirement for classified information: a 1 mm x 5 mm final particle size. Therefore, all CUI paper must be destroyed using a high security shredder that produces a final particle size of 1 mm x 5 mm or less, such as those listed on the NSA/CSS 02-01 EPL for classified paper destruction. All of SEM’s high security shredders meet the new CUI mandate.

In an effort to provide clear communication and simplified purchasing for Federal Government agencies, all of SEM’s compliant paper shredders are now marked as being appropriate for CUI destruction. For more information, visit www.semshred.com/CUI.

The Impact of GDPR on US Companies and Organizations

March 28, 2019 at 4:59 pm by Heidi White

With GDPR (General Data Protection Regulation) in effect for almost a year now, even US-based companies are feeling its impact and the need to comply with stricter data security policies. Indeed, it likely won’t be long before the US creates its own set of national data privacy laws that all organizations will have to follow. In 2018, leading US-based technology companies called on the federal government to pass a law similar to GDPR, and in February of this year, the US Government Accountability Office made the same recommendation.

For those organizations that do business internationally, the European security mandate must be adhered to as if it were already a rule from the US federal government. If you don’t, the cost could be catastrophic.


The Criticality of Following GDPR

Not complying means subjecting your organization to a fine equaling two to four percent of your global annual revenue for the most recent fiscal year (on average, calculated at as much as $11-24 million). But, it’s not enough to simply ensure your current privacy policies comply with GDPR. Breaches happen to even those US organizations whose existing practices meet those compliance requirements.

You should instead look at the bigger picture and take a thoughtful approach to your data security measures, using GDPR as your guide. For one, the GDPR looks at data differently: it holds that all private data is owned by the customer, not by the business that collected it. For another, just because you’ve protected the data from breaches within the US doesn’t mean the data held by your global company couldn’t be improperly accessed outside the country.

Using GDPR to improve all your data-related policies can help you to find any gaps in your current security that could be closed, especially as it relates to data destruction and hard drive end-of-life practices. By putting the customer first over your business, as GDPR stipulates, you can better ensure the protection of personal and otherwise private information when it is no longer necessary to your business.


Think about your customer data and how it is stored. If you’re using a cloud system (as almost all of us are), your data isn’t housed in just one data center but in many, and that data is duplicated across multiple drives to protect against data loss if a drive fails. For businesses operating outside the US, that means the data centers housing the private information you are charged with protecting are not just within the US but across the globe. Your data destruction policies therefore must address practices for drive end-of-life—something that happens on a regular basis, since these drives operate 24 hours a day, seven days a week, all year long.

Even if you don’t house your data across global centers, but you do business with EU customers who share their private information with your company, your business still has access to their data and therefore you must protect it, even upon disposal. More importantly, under the GDPR, any EU citizen has the right to request their information be eradicated and you must comply and delete the data while maintaining protection even after disposal.

So, how do you ensure your data disposal policies comply with GDPR for drives as well as for customers halfway across the world?

GDPR-Compliant Data and Drive Destruction Best Practices

GDPR requires your organization to place someone within the company in charge of overseeing and managing the compliance policies. Dubbed the Data Protection Officer, this person will be your key authority on data disposal and drive destruction as it relates to the GDPR. Along with this person, you’ll want to create a small group of personnel also within the US that will have the authority to access your company’s data.


At the very least, your Data Protection Officer should be on-site for drive destruction that occurs outside the US, for example when a drive in one of the data centers where your data is housed reaches end-of-life. It is crucial to have this person on-site to ensure your GDPR-compliant data and drive destruction policies are being followed. For one, this ensures control over who is accessing your data. For another, without this person present, you are blindly trusting that your data and drives have been properly disposed of, and that the person carrying out the disposal is telling the truth when they report that the proper practices have been completed. What if this person, who reported to you that the data was properly destroyed, instead sold that data to a third party in another country or to a cybercriminal on the dark web? Sure, you can take legal action against this person after the breach has come to light. But the fallout from the breach itself can’t be stopped once it’s begun.

It’s therefore extremely important to require your Data Protection Officer, or someone within your authorized personnel group, to be on-site for data and drive destruction outside the US, and to require that this person provide an audit report for the destruction event.

For drive destruction within the US, your Data Protection Officer and authorized personnel should manage the disposal process from start to finish. It’s recommended that you create a private space within your organization to house a data and/or drive destruction machine, rather than work with a third party off-site. We have data destruction machinery that is compliant with GDPR stipulations. It may also behoove your organization to keep a record audit of the disposal to prove your company’s compliance to GDPR in the event a breach does occur.

[Image: Hard drive shredders are the most efficient and secure method of destroying rotational hard drives.]

Weighing the True Costs of Data Breaches

We already mentioned the massive fine that will be issued by the GDPR Supervisory Authorities to an organization under GDPR that is found to be noncompliant when a breach occurs. Then there’s the typical range of costs associated with data breaches, including legal fees for counsel or action taken by the company in its defense, civil and criminal penalties under US federal regulations and, of course, potential lawsuit payouts. Factor in the non-financial costs to your business, such as the loss of reputation and integrity along with a loss in your customer base, and you’re looking at a total cost to your organization that could severely impact its existence.

The irony is that by planning for the worst and investing in a team as well as the necessary on-site data destruction machinery, you can save your company’s standing as well as its revenue. Operating under GDPR rules includes making sure your company has the proper data and drive disposal methods that are deemed GDPR-compliant. SEM has plenty of affordable options, and when all things are considered in the aftermath of a breach, this technology provides protection at a fraction of the price it would cost if you were to experience a breach.

What’s the ‘Din’ about DIN?

February 15, 2019 at 4:03 pm by Heidi White

Under a Microscope: Dissecting the Implications of DIN 66399

Covering everything from safeguards for children’s toys to design requirements for roller sports equipment, DIN Security Standards are also used to define and standardize the different security levels for physical data destruction internationally. Originating in Europe, these standards are continually making headway toward global acceptance as a benchmark for the type of data carrier to be destroyed and the particle size to which it must be reduced.

[Image: The DIN 66399 P-7 standard for paper destruction is 1 mm x 5 mm, the same as the NSA standard for the destruction of classified paper.]

DIN 66399 specifically addresses standards for the destruction of data carriers. This particular standard—which replaced DIN 32757—features over 40 variations based on protection class, material/media and security level. These three broad criteria are intended to drive the destruction process, guiding users so they can make informed end-of-life data disposal decisions.

Protection Classes

[Image: Information from professional service firms including lawyers and attorneys would fall under Class 1 or Class 2, depending on the type of data.]

Companies or government entities must begin the destruction process by first determining what type of data needs to be destroyed. DIN 66399 has three protection classes that help you define the requirements and classification for your data:

  • Class 1: Normal Protection: Internal data that is accessible to fairly large groups of people. Unauthorized disclosure or transfer of information at this level could have negative effects on a company, or make individuals vulnerable to identity theft and damage to reputation.
  • Class 2: Higher Protection: Confidential data that is restricted to a small group of employees. Unauthorized disclosure or transfer at Class 2 would have serious effects on a company and could lead to violation of laws or contractual obligations. Disclosure of personal data runs the risk of serious damage to an individual’s social standing or financial situation.
  • Class 3: Very High Protection: Confidential and top-secret data that is restricted to an extremely small group of named individuals. Any disclosure here would pose catastrophic, existential threats to a company or government entity and/or lead to violation of trade secrets, contracts and laws. Disclosure of personal data runs the risk of jeopardizing an individual’s personal freedom, safety, or life.

Material/Media Classification and Security Levels

Having determined the applicable protection class, you should then consult DIN 66399 to classify the material on which your data resides and identify the corresponding security level. Per the DIN standard, this security level dictates the appropriate final particle size for your media or paper documents.

[Image: SEM lists devices that meet every type of DIN 66399 destruction requirement.]

DIN 66399 requirements by data device material are as follows:

  • Film: DIN 66399 Material Classification F refers to information in miniaturized form (e.g., microfilm), with security levels running (lowest to highest) from F-1 to F-7. For example, F-1 stipulates a maximum particle size of 160 mm², while F-7 stipulates a corresponding size of 0.2 mm².
  • Optical Media: DIN 66399 Material Classification O pertains to information on optical data carriers (e.g., CDs/DVDs). Security levels run from O-1 (max 2,000 mm²) to O-7 (max 0.2 mm²).
  • Magnetic Media: DIN 66399 Material Classification T pertains to information on magnetic data carriers (e.g., ID cards, floppy disks and diskettes). Security levels run from T-1 (media must be rendered mechanically inoperable) to T-7 (max 2.5 mm²).
  • Hard Drives: DIN 66399 Material Classification H pertains to information on hard drives with magnetic data carriers. Security levels run from H-1 (media must be rendered mechanically/electrically inoperable) to H-7 (max 5 mm²).
  • Electronic Media: DIN 66399 Material Classification E pertains to information on electronic data carriers (e.g., chip cards and memory sticks/flash drives). Security levels run from E-1 (media must be rendered mechanically/electrically inoperable) to E-7 (max 0.5 mm²).
  • Paper: DIN 66399 Material Classification P pertains to information presented in original size (e.g., paper, films and printing plates). Security levels run from P-1 (max strip width of 12 mm or max particle surface area of 2,000 mm²) to P-7 (1 mm x 5 mm).

The Relevance of DIN 66399 Regarding NSA Standards

In the U.S., of course, standards for classified data or otherwise protected information and data destruction device compliance are determined, implemented, and monitored by the NSA—not by DIN.

Nonetheless, DIN 66399 is increasingly gaining acceptance worldwide, including in the U.S., as a reflection of best practices within the data destruction industry, and DIN is frequently referenced in U.S. data destruction requirements. What’s more, although compliance with DIN Security Standards is voluntary, they can become mandatory when they are referred to in contracts, laws, or regulations.

For these reasons, it’s important to stay current on the structure of DIN 66399 and its compliance requirements when you are beginning your data destruction process.

NIST Guidelines vs. the NSA EPL on Hard Drive Destruction: Clearing Up Confusion

February 5, 2019 at 5:44 pm by Heidi White

Over the 20 years I have been working for SEM, I have explained to customers and former military colleagues the requirements for classified destruction. Lately these requirements have become stricter due to ever-changing technologies. It’s not as easy as just putting your paper in a shredder or disintegrator and walking away knowing your classified material is destroyed. Classified material now comes on many types of media. With so many types of media, a requirement had to be set forth by the National Security Agency (NSA) as to how each needs to be destroyed. We will discuss destroying hard drives as it relates to the National Institute of Standards and Technology (NIST) 800-88 and the NSA Evaluated Products List (EPL) for Hard Drive Destruction.

For this blog, I will only give a brief overview of the destruction of hard disks (SCSI, ATA, SATA). NIST 800-88 explains on page 16, table 5-1, that there are three methods of destroying hard disks. The first is to CLEAR. This method uses software to overwrite the storage space on the media with non-sensitive data (unclassified) and gives you the option to reuse your hard drive. The second is to PURGE. This method uses degaussing and the Secure Erase command present on some ATA drives. Again, this method is very effective for unclassified drives. The third method is PHYSICAL DESTRUCTION. This method is the standard for classified data, and it destroys the drive by disintegration, pulverization, melting, or incineration.

[Image: SEM’s NSA listed Model EMP1000-HS degausser is an ideal solution for rotational hard drives; however, degaussing has NO effect on solid state media.]

The second paragraph of the NSA/CSS EPL for Hard Drive Destruction Devices states, “Hard drive destruction devices on their own DO NOT SANITIZE magnetic and/or solid-state storage devices; use of these machines is only authorized in conjunction with degaussing for routine magnetic hard disk drive sanitization or by themselves only in extreme emergency situations. Sanitization guidance for classified storage devices is located in the NSA/CSS PM 9-12 Storage Device Sanitization Manual.” This leads you to believe that degaussing could be used on a solid state drive (SSD). This is misleading! The magnetic field created by a degausser will cause no damage to an SSD. A degausser will only destroy information on a standard rotational magnetic drive.

[Image: Classified SSDs must be disintegrated to a 2 mm particle size.]

The third paragraph states: “All shredders designed for hard drives are approved for deformation of magnetic hard drive platters. Shredding alone will NOT SANITIZE magnetic and/or solid state storage devices unless a two-millimeter particle size or less of the magnetic disk or solid-state memory chip is accomplished in accordance with NSA/CSS PM 9-12 Storage Device Sanitization Manual.” This says that if you have a hard drive or SSD, you can shred it to a 2 mm particle to sanitize the drive. This is confusing. Although the NSA guidelines REQUIRE you to reduce a classified SSD to a two-millimeter particle to render the device sanitized, the machine that does this may not be able to shred a standard magnetic hard disk drive to this two-millimeter particle. This is due to the size and materials used in the manufacture of a magnetic hard disk.

In conclusion, completely destroying the information on a hard drive is a two-step process for a magnetic hard drive and a single-step process for an SSD.

A magnetic disk MUST BE degaussed using an NSA approved degausser and THEN physically destroyed. This second step of physical destruction is left up to the end user and can vary greatly. It can be as simple as drilling a hole in the drive, hitting it several times with a hammer, or using a hydraulic punch or hard drive shredder. A solid state drive MUST be shredded to a two-millimeter particle and cannot be degaussed.

If you have any questions or would like to talk to a security professional, feel free to reach out to me or any SEM representative.

Karl Lotvedt, DC Region Sales Support, has over 20 years of experience with SEM, including targeted expertise in understanding military procedures and requirements. Prior to joining SEM, Karl spent 20 years in the United States Air Force including over five years in procurement. Now retired from the Air Force, Karl currently serves as an Air Force resource advisor. Karl received his AA and CIS from National College in Rapid City, SD.

The Criticality of FACTA-Compliant Data Disposal

January 31, 2019 at 8:58 pm by Heidi White

Along with the Fair Credit Reporting Act (FCRA), creditors, accountants, lawyers, financial institutions, and other organizations dealing with consumer credit information must follow the regulations set by the Fair and Accurate Credit Transactions Act (FACTA). FACTA is an addendum to the FCRA that limits how consumer information can be shared and controls how this private data is disposed of, to protect the individual to whom the information pertains from identity theft.

FACTA-Compliant Data Disposal

[Image: Destroying a rotational hard drive in a SEM 0101 crusher]

When it comes to the proper disposal of consumer information, FACTA stipulates that reasonable measures must be taken by the organization to prevent the theft or otherwise unauthorized access and use of the protected data.

The Rule mandates that such data be destroyed by the pulverization, shredding, or burning of all papers on which the consumer information is printed, rendering the information unreadable and unable to be reconstructed in any manner. FACTA disposal policies also extend to the electronic media housing the protected consumer information. Appropriate disposal methods for electronic media include using software or hardware to overwrite the data with non-sensitive information (clearing), degaussing the media so that the magnetic field is permanently unusable, or destroying the media by shredding, melting, pulverization, disintegration, or incineration. As with the paper records, the electronic media must be rendered unreadable and unable to be reconstructed.

If you’re working with a third party data disposal company to comply with FACTA data destruction, you are required to conduct an independent audit of the process to ensure the integrity of the disposal and to ensure complete data destruction.

Lastly, you may need to incorporate your data disposal policies into your organization’s security information program as required by the Federal Trade Commission’s Standards for Safeguarding Customer Information, 16 CFR part 314 (“Safeguards Rule”) and for persons subject to the Gramm-Leach-Bliley Act.

Consequences of a FACTA Violation

[Image: Failing to adhere to FACTA data disposal requirements can lead to hefty fines]

Failure to comply with FACTA for either the data or the drive destruction can result in major damage to your company’s reputation and financial standing. If you become victim to a data breach and have not maintained FACTA regulations, the affected individuals of the breach can seek damages under the law. Your organization may face a class action lawsuit and fines up to $1,000 per individual violation, regardless of whether the persons suffered identity theft.

Moreover, the reputation of your company may be tarnished by the data breach and subsequent FACTA violations. This could mean the loss of existing customers and potential new business, furthering your organization’s financial loss and eroding economic stability.

When it comes to working with third parties for data destruction, however, there is a real risk that needs to be considered. If your third party experiences a breach, your organization retains sole liability for the data you have collected and stored, meaning you, and not the third party, will still face civil penalties.

It is therefore highly recommended that you partner with a vendor like SEM who can provide both data and drive destruction devices for your organization to use and keep in-house. By controlling who, where, when and how your data and drives are destroyed, you can better ensure data protection at every step during destruction.

What’s the Scoop on the New NSA DVD/Blu-ray Disc Standard?

January 25, 2019 at 8:03 pm by Heidi White

This past December, the NSA released a complete new set of Evaluated Products Lists (EPLs) for secure document/media destruction devices, all dated 06 November 2018.  Such an extensive EPL posting was quite a surprise to end users and equipment makers.  Typically, these lists come out one at a time, often with years between updates.  Seven of them released all at once was unusual and unexpected.

Even more of a surprise was a change in the particle size standard for destroying classified DVD and Blu-ray Discs (BDs).  The change, apparent in the new EPL for Optical Media Destruction Devices, states the new standard as “DVDs and BDs to a maximum edge size of 2mm or less.”  This sudden change has led to a flood of inquiries at SEM from government organizations, so it seemed a good time to address this particular change.

SEM Model 0202 OMD/SSD and OMD/SSD-C shred optical media to less than 2mm and are listed on the 2018 NSA EPL.

The existing CD particle size standard, “CDs to a maximum edge size of 5mm or less,” was not changed.  As a result, the product list on the EPL now has a column of acceptable materials that indicates whether each device is approved for CD, DVD, BD, and, for some machines, other non-optical materials.  A key takeaway is that NSA listed optical media destroyers are no longer all the same in terms of what they can destroy.  Users will need to check the EPL to make sure every item they want to destroy is approved for the device in question.  This could make for a lot of confusion when looking at products on the market.

Yet another uncertainty is the timeline for users to make a changeover.  The EPLs do not give a transition period to switch to new machines, or grandfather the use of existing equipment.  In the past, when the NSA changed a standard for shredders or media destroyers, there was some time allowed to comply.  So far, there has been no announcement of that for the new DVD/Blu-ray standard, but many government entities are hopeful for such an announcement.

What does this mean for the status of existing optical media destroyers in use and on the market? The change is significant.  The great majority of optical media shredders that are in use are no longer shown on the EPL as approved for DVD or Blu-ray.  This includes the most popular optical media shredders on the market and almost all document and multi-media disintegrators. Producing a 2mm particle with no oversized particles is simply not possible with those machines.

SEM Model 0200 OMD/SSD-C is a cabinet version of the NSA listed CD/DVD/BD shredder

Only a few machines on the EPL for optical media destroyers have approval for DVD and BD. Of those, most are solid state media destroyers, which are large, expensive machines that cost $65,000 and up.  Users seeking a compact, affordable machine to destroy optical media can choose a machine like the SEM Model 0200 OMD/SSD.  Even better is the recently announced version of this machine with a more office-friendly configuration, the Model 0200 OMD/SSD-C.  The new version will better suit most customers with its attractive cabinet and better sound proofing for the vacuum versus the tabletop style of the standard version.  Both versions of the 0200 grind optical discs (not just the surfaces) into the NSA required particle size, which looks like beach sand.  The waste is collected and bagged by a vacuum.  These devices are not quite as user friendly as standard optical media shredders, like the SEM Model 0201 OMD.  Users who only have CDs, no DVDs or Blu-ray, will surely be happier with a machine like the 0201 OMD.

As an aside, another change on the optical media destruction device EPL, and the other EPLs, is that the NSA is no longer publishing official throughput rates.  In recent years these rates were on the EPLs.  This was a way for folks to check the claims made by vendors on capabilities.  The EPLs now direct users to the manufacturers to get throughput data.  In terms of optical media, the rating in question is the number of discs per hour.

At the end of the day, the NSA EPL is the gold standard for all types of secure data destruction, whether government or commercial, and must be followed for the destruction of classified and top secret data. SEM has over 50 years of experience with the destruction of sensitive and secret data and is here to help anyone who has questions on or needs assistance with the new EPLs.

Bob Glicker, Mid-Atlantic Regional Sales Manager, has over 35 total years of sales experience with over 23 years of targeted government sales experience. Bob prides himself on providing the highest level of service to his government clients, and he enjoys working with key resellers. Bob received his BS in Chemistry from the University of Maryland, College Park. In his free time, Bob enjoys a variety of activities including gym workouts, cycling, reading, and listening to podcasts. He is also an avid science lover, an amateur juggler, a vegetarian, and the quintessential family guy.

How to Effectively Maintain HIPAA Compliance in the Cloud

January 21, 2019 at 8:23 pm by Heidi White

In today’s digital age, the majority of data is stored electronically in internet-based cloud services. Whether for convenience or accessibility, or because of the limits of on-premises storage hardware, using the cloud to store data has become the norm for businesses, organizations, and individuals alike. And while cloud systems offer security measures that physical storage systems cannot, they also come with their own set of risks and security threats.

Moreover, the size and even the financial power of an organization do not necessarily translate into better or more secure protection of the data stored in its cloud. Recent data breaches at large organizations like Experian, Facebook, and Target have shown that proper protection of private and otherwise sensitive information is paramount, especially when that information is stored electronically.

For healthcare providers, professionals, and clearinghouses (hereafter referred to as covered entities), HIPAA has specific regulations for safeguarding Protected Health Information (PHI), especially when it comes to the disposal of such sensitive and private data.

HIPAA Regulations & Best Practices for Data Disposal

If you’re a covered entity and need to dispose of data containing PHI, you cannot simply abandon the PHI or dispose of it in a public container, such as a dumpster, that unauthorized persons can access. The only time this is appropriate is if the PHI has already been rendered unreadable, indecipherable and otherwise unable to be reconstructed. Fully destroying this data requires following certain steps.

The HIPAA Privacy Rule requires the covered entity to implement appropriate physical (e.g., facility access and control; workstation and device security), technical (e.g., access control; audit controls; integrity controls; transmission security), and administrative (e.g., security management process; security personnel; information access management; workforce training; policy and procedure evaluation) safeguards for PHI to avoid prohibited as well as incidental use and disclosure of the PHI data. See 45 CFR 164.530(c).

This Rule applies especially to disposal. The covered entity must address the final disposition of electronic PHI (ePHI) and of the hardware or electronic media it is stored on, and must properly remove the ePHI from that media before the media is made available for reuse.

In addition, the HIPAA Security Rule requires the covered entity to set policies and procedures for the disposal of ePHI. As part of this mandatory safeguard, covered entities must also train their workforce members on the disposal policies and procedures they have established, and must enforce those policies. See 45 CFR 164.310(d)(2)(i).

It is up to the covered entity to determine a method of data destruction and disposal, by assessing their own potential risks to patient privacy as well as the form, type, and amount of PHI collected and stored. For instance, PHI such as name, social security number, driver’s license number, diagnosis, or treatment information are examples of sensitive information that may necessitate more care with regard to disposal. HIPAA does not require one method of data destruction and disposal over another, so long as the Security and Privacy Rules are followed.

Degaussing is a method of data disposal that completely erases the drive, rendering it unusable

In the case of ePHI, whether on local hardware or in a cloud system, proper HIPAA disposal methods include clearing the data by overwriting the media with non-sensitive information using software or hardware tools, degaussing (exposing magnetic media to a strong magnetic field, which permanently destroys the recorded data and renders the media unusable), or destroying the media by shredding, melting, pulverization, disintegration, or incineration. You may also maintain a secure area for PHI disposal, and you are permitted to work with a disposal vendor like SEM to destroy the PHI on your organization’s behalf (so long as there is a written agreement or contract authorized by both parties). There are no set HIPAA rules for how employees or workforce members dispose of PHI; if you have off-site employees who use PHI or ePHI, you can require that they return all PHI to your organization for proper disposal.

Failure to adhere to the HIPAA Security and Privacy Rules could result in unlawful release of PHI and, consequently, the potential for identity theft, employment discrimination or even harm to the individual’s reputation. Moreover, the covered entity can face serious penalties for noncompliance.

Penalties for Noncompliance

The Department of Health and Human Services (HHS), through its Office for Civil Rights (OCR), administers and enforces the HIPAA Security and Privacy Rules, including their requirements for the disposal of PHI; the Department of Justice handles criminal violations.

Failure to comply with the HIPAA Security and Privacy Rules can result in an investigation and audit, and in some circumstances civil and criminal penalties. Factors such as violation date, whether the covered entity was aware of the failure to comply, or whether the failure to comply by the covered entity was willful neglect will determine the end consequence of the violation to either the Privacy or Security Rule.

If found in violation of either Rule, civil money penalties of $100 up to $50,000 per violation (not exceeding $1,500,000 per calendar year for identical violations) can be imposed. A civil penalty may not be imposed under certain circumstances, such as: the failure to comply was not due to willful neglect and was corrected within 30 days of the date the covered entity knew, or should have known, of it; the Department of Justice has imposed a criminal penalty for the same act; or OCR chooses to reduce the penalty because the noncompliance was due to reasonable cause and the full penalty would be excessive given the nature and extent of the noncompliance.

In addition, criminal prosecution, in the form of a fine of up to $50,000 and up to one year of imprisonment, can result for a person who knowingly obtains or discloses PHI or ePHI, which can occur as a result of improper disposal. The criminal penalty increases to $100,000 and up to five years of imprisonment if the violation involves false pretenses, and to $250,000 and up to 10 years of imprisonment if the wrongful act involves the intent to sell, transfer or use the PHI for commercial advantage, personal gain, or malicious harm.

One last note: the HIPAA Privacy Rule does not include requirements for the length of time medical data like PHI should be retained before disposal. Instead, check with your state’s laws for medical record retention rules before disposing of any data.

Security Engineered Machinery Introduces New Optical Media Shredder

January 9, 2019 at 3:03 pm by Heidi White

Secure data destruction device manufacturer releases the Model 0200 OMD/SSD-C for NSA listed destruction of classified CDs, DVDs, and Blu-ray discs

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to announce the introduction of the Model 0200 OMD/SSD-C optical media shredder. The device, which is listed on the most recent National Security Agency/Central Security Service (NSA/CSS) Evaluated Product List (EPL) for the destruction of classified CD, DVD, and Blu-ray discs (BDs), is specifically designed for portability and ease of use in office environments. 

SEM Model 0200 OMD/SSD-C is a cabinet version of the NSA listed CD/DVD/BD shredder

In November 2018, the NSA/CSS released updated EPLs that meet NSA/CSS specifications for classified and top secret information in accordance with NSA/CSS Policy Manual 9-12, Storage Device Sanitization. The updated EPL for Optical Media Destruction Devices includes a new directive for DVD and BD destruction that requires a final particle size of <2mm. The previous directive was 5mm for DVDs and incineration only for BDs. 

“The new 2mm NSA specification for DVD and BD destruction found many government agencies suddenly without an approved optical media destruction device,” said Nicholas Cakounes, SEM Executive Vice President. “Our new optical media destroyer is an office-friendly, NSA listed plug and play solution that meets the needs of government entities with any type of classified optical media requiring destruction.”

The Model 0200 OMD/SSD-C includes the NSA listed 0200 OMD/SSD optical media shredder and a 3-gallon vacuum waste evacuation system housed in a compact cabinet, which is mounted on casters for easy portability. The system is approved by the NSA for the destruction of classified CDs, DVDs, BDs, EMV credit cards, magnetic stripe cards, CAC ID cards, and SIM cards. It is also completely self-contained and uses a standard 110V plug, making it an efficient, user-friendly solution for office environments.

“We are excited to offer this new system to satisfy the NSA/CSS optical media destruction standards,” added Bryan Cunic, SEM Director of Customer Care. “SEM has always been on the cutting edge of information destruction technology and we are thrilled to continue that tradition of excellence with the release of the Model 0200 OMD/SSD-C.” The Model 0200 OMD/SSD-C has a list price of $5,999 but is available to US government entities for $4,999. The device is TAA compliant and comes with a one-year warranty. 

Hard Drive Data Destruction and Sanitization: Understanding Your Options

December 18, 2018 at 9:23 pm by Heidi White

In the age of sophisticated cyberattacks and data breaches, digital security continues to be a primary concern for government organizations and businesses of every industry. To be effective, today’s security procedures must treat internal threats with the same level of importance as external threats. While it may not be the first thing that comes to mind, a key element of your overall digital security strategy is your plan for what you do with information when it’s no longer needed. Hard drive data destruction is a general term for the process of removing all sensitive information from your computer hard drives and solid state drives (SSDs), and it’s an essential step for protecting your organization, your customers, and your employees.

There are three methods of hard drive data destruction: erasing (sanitizing), crushing, and destroying. Here’s a look at each option.

Sanitization of the Hard Drive (Erasing): Degaussing

L to R: SEM Model EMP-1000HS degausser, SEM Model 0101 hard drive crusher, and SEM iWitness media tracking solution

Degaussing is a very effective method of erasing data on magnetic media (hard drives and data tapes). If you are trying to erase unclassified or sensitive data, a commercial degausser such as the SEM Model EMP-1000 is a perfect solution. The SEM EMP-1000 is the most powerful commercially sold degausser in the marketplace today. With a field strength of 16,000 gauss (1.6 Tesla), it erases the highest coercivity magnetic media available today without the use of adapters.

However, if you are erasing classified or highly sensitive magnetic media, the  NSA listed SEM EMP-1000HS would be the correct choice for your organization. The EMP-1000HS is a 20,000 gauss (2.0 Tesla) machine that has been evaluated by the National Security Agency for use on classified media.

Considerations: when choosing to sanitize hard drives, be sure to choose a company such as SEM that offers both NSA approved and commercial (PII/CUI) type degaussers. Regardless of the sanitization level required, don’t take the easy path of simply reformatting the drive or deleting the directory. These methods remove only the metadata that points at the data; the sectors that hold the data are left intact and can be read back with ordinary forensic tools, so the data is merely harder to find, not gone. The hard drive should be completely erased (sanitized), which the SEM EMP-1000 series can assure your organization on every single degauss cycle.
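The following is an added illustration, not code from SEM or from any standard, of the point made above and of the “clearing by overwriting” method listed among the HIPAA disposal options: a format or a deleted directory removes only the pointers to the data, while an overwrite actually replaces it. It models a toy drive as a byte array with one invented directory block followed by fixed-size data blocks; the on-disk layout, the function names, and the patient record used as sample content are all constructed for the demonstration. Real filesystems are more complex, but the behaviour is the same. Note that this models a magnetic drive; on flash media, wear levelling and spare blocks mean a software overwrite cannot be relied on to reach every cell, which is why the article treats SSDs separately.

```python
"""
Toy block device: why 'reformat' is not sanitization, and what a software
'clear' (full overwrite) does instead.  Constructed example; the layout
(block 0 = directory, blocks 1..N = data) is invented for illustration.
"""
import struct

BLOCK_SIZE = 512
NUM_BLOCKS = 64
# Directory entry: 16-byte name, start block (u16), length in bytes (u16)
DIR_ENTRY = struct.Struct("<16sHH")
DIR_SLOTS = BLOCK_SIZE // DIR_ENTRY.size


def new_image() -> bytearray:
    """A blank 'drive': every block zero, directory empty."""
    return bytearray(BLOCK_SIZE * NUM_BLOCKS)


def _entries(img):
    """Yield (slot, name, start_block, length) for each used directory slot."""
    for slot in range(DIR_SLOTS):
        name, start, length = DIR_ENTRY.unpack_from(img, slot * DIR_ENTRY.size)
        if length:
            yield slot, name.rstrip(b"\0").decode(), start, length


def list_files(img):
    """What the 'operating system' sees: only what the directory points at."""
    return [name for _, name, _, _ in _entries(img)]


def write_file(img, name: str, data: bytes) -> None:
    """Store data in the first free blocks and record it in the directory."""
    ends = [s + -(-ln // BLOCK_SIZE) for _, _, s, ln in _entries(img)]
    start = max(ends, default=1)          # block 0 is reserved for the directory
    nblocks = -(-len(data) // BLOCK_SIZE)
    if start + nblocks > NUM_BLOCKS:
        raise OSError("image full")
    img[start * BLOCK_SIZE:start * BLOCK_SIZE + len(data)] = data
    for slot in range(DIR_SLOTS):
        off = slot * DIR_ENTRY.size
        if DIR_ENTRY.unpack_from(img, off)[2] == 0:      # free slot
            DIR_ENTRY.pack_into(img, off, name.encode()[:16], start, len(data))
            return
    raise OSError("directory full")


def quick_format(img) -> None:
    """What a reformat / directory wipe really does: zero the metadata only."""
    img[0:BLOCK_SIZE] = bytes(BLOCK_SIZE)


def carve(img, needle: bytes):
    """Forensic-style raw scan of the whole device, ignoring the directory.
    Returns every byte offset at which the pattern is still present."""
    hits, pos = [], img.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = img.find(needle, pos + 1)
    return hits


def overwrite_clear(img, fill: bytes = b"\x00") -> None:
    """Software 'clear': overwrite every block, metadata and data alike."""
    img[:] = (fill * (len(img) // len(fill) + 1))[:len(img)]


def demo():
    """Write a record, 'reformat', carve for it, then overwrite and carve again."""
    img = new_image()
    record = b"PATIENT: Jane Doe SSN 000-00-0000 DX: hypertension"  # constructed
    write_file(img, "chart.txt", record)
    listed_before = list_files(img)
    quick_format(img)
    listed_after_format = list_files(img)          # directory says: nothing here
    recoverable_after_format = carve(img, b"SSN 000-00-0000")  # ...but it is
    overwrite_clear(img)
    recoverable_after_clear = carve(img, b"SSN 000-00-0000")
    return {
        "listed_before": listed_before,
        "listed_after_format": listed_after_format,
        "recoverable_after_format": recoverable_after_format,
        "recoverable_after_clear": recoverable_after_clear,
    }


if __name__ == "__main__":
    print(demo())
```

Running it shows the directory empty after the quick format while the SSN is still found at byte offset 530 (block 1 plus its position inside the record); only after the full overwrite does the raw scan come back empty. The same contrast applies to real drives: a format touches metadata, a clear must write every addressable sector, and for classified magnetic media the article’s two-step degauss-and-destroy process replaces the software overwrite entirely.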

Crushing the Hard Drive

A hard drive is decommissioned with a SEM Model 0101 hard drive crusher, which is used to permanently destroy the units according to the approved destruction method at Malmstrom’s client systems center. In order to prevent unwanted review of old files and documents, physical storage mediums are degaussed and physically broken before being recycled. (U.S. Air Force photo/Airman 1st Class Collin Schmidt)

Most organizations and their IT leaders know that destroying a hard drive is the most secure way to dispose of data, but they often mistake damaging it for actual drive destruction. Damaging a hard drive with a hammer or by driving a nail into it is less time consuming than hard drive shredding or crushing, but it is also much less secure. For lower volume applications, hard drive crushing is the most secure and economical solution.

SEM’s Model 0101 automatic hard drive crusher has been evaluated by the NSA and meets NSA and DoD guidelines for the physical destruction of media. Note that all classified rotational hard drives MUST be degaussed prior to destruction. Not only does the Model 0101 punch a hole in the drive, it also bends the platters, rendering the drive inoperable. This handy device is compact and affordable, making it the ideal solution for smaller installations or where portability is of key importance.

Destroying the Hard Drive

The fastest and easiest way to destroy a hard drive is to shred it. Hard drive shredders quickly chew up hard drives to particle sizes ranging from 0.75″-1.5″ for rotational media to 0.375″ for solid state media. The SEM Model 0315 Combo Shredder is SEM’s best-selling hard drive shredder that destroys both HDDs and SSDs in one convenient device.

Considerations: The most compliant form of rotational hard drive data destruction, and the one that best protects your organization from liability for data stored on magnetic media, is the NSA’s two-step process of degauss and destroy. This process is only NSA compliant when NSA listed devices are used. Consider the SEM Model EMP-1000HS degausser paired with the SEM Model 0101 hard drive crusher or the SEM Model 0315 hard drive shredder. Solid state media, however, cannot be degaussed and stores large amounts of data on tiny chips. Therefore, the most secure way to destroy solid state drives is to follow the NSA directive that mandates a particle size of 2mm or less, such as is achieved with the SEM Model 2SSD.


Mike Palaia is Western Regional Sales Manager at Security Engineered Machinery (SEM)