© rugercm - Fotolia.com
In retail, employee theft can be worse than shopper theft. Employees can easily learn the internal operations of a store. In some ways, the same can be said for theft inside a business. Employees have access to equipment and knowledge of which equipment will be missed and which won't.
As businesses struggle with strained budgets, information technology departments are becoming overworked and understaffed. Important security precautions turn into secondary priorities as employees focus on immediate needs. Some companies run out of time and resources to carefully screen potential hires, allowing questionable characters to become staff members. This combination of factors has led to an alarming vulnerability in the security of company data.
Once a piece of computer equipment has been relegated to the scrap heap, most business owners and CEOs write it off as no longer a part of the company inventory. However, the hard drives inside laptops, PCs, mobile devices, and even multifunction copiers, contain sensitive data about your business and your customers. If an employee steals a piece of equipment and gives it away or sells it, that sensitive data could end up in the hands of someone who will use it or sell it.
Before you dispose of one more piece of equipment, consider these possible revisions in policy and procedures that could protect your company against data leakage. Below are a few tips to follow that will help to prevent your disposed equipment from becoming a liability.
KNOW THE LAW
It is one thing for an inexperienced internet user to be unaware of public Wi-Fi risks or a trusting Facebook user to be oblivious of privacy risks. It is another thing for an organization to ignore the threat of employee theft of retired equipment. Last year, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) stressed that organizations must "have in place meaningful access controls to safeguard hardware." Effective safeguards must include all equipment, even retired equipment. The OCR also stressed that they "expect organizations to comply with their obligations" ignorance is no longer a valid excuse for noncompliance.
RECOGNIZE THE CONSEQUENCES
It should be no surprise that the OCR has begun to apply unprecedented sanctions for violating the security and privacy regulations in the Health Information Portability and Accountability Act. There is no doubt that penalties can be punitive. However, the indirect costs of dealing with a breach and the impact of a privacy class action lawsuit can be much worse than penalties.
In May, the OCR fined BlueCross BlueShield of Tennessee $1.5 million for violations following the theft of 57 unencrypted retired hard drives. The cost of the fine was just the tip of the iceberg. In addition to the penalty, BCBST reportedly spent $17 million in investigation, notification, and protection efforts.
In July, eight separate privacy lawsuits filed against healthcare benefits provider TRICARE were consolidated to one case to be heard by a U.S District Court. The suits stem from the loss of a backup data tape and allege that TRICARE and its subcontractor were negligent for failing to respond to "recurring, systemic, and fundamental deficiencies in its information security." One suit was seeking an astounding $4.9 billion in damages.
Historically, privacy class actions fail for data breaches due to the difficulty of proving recoverable damages, but this little consolation to employers, executives, and directors when the initial cost to defending privacy suits can run up into millions of dollars. When it comes to protecting retired equipment from theft, an ounce of prevention is worth a ton of cure.
CREATE AND POST POLICIES
While it should go without saying that theft of company equipment is forbidden, having a written policy makes it easier to enforce the rules. Set clear equipment disposition policies that extend to every type of electronic device in your organization, regardless of age or condition. And have every employee sign the document to acknowledge that they have read and understand the policy.
ASSIGN MULTIPLE EMPLOYEES
You are opening up your business for potential theft and fraud if your equipment disposition process is handled by only one employee. Assign at least two employees to work on disposing equipment. Ideally, the process involves employees from different departments of your company. When your help desk worker determines a PC has reached its end of life, for instance, that employee should be required to input the information into a database. Another employee should then verify information about the asset is accurate and retire it to a secure holding area until it can be properly disposed of. Another employee should be tasked with wiping any hard drives. A fourth employee should work with the appropriate parties to transfer the PC to a certified disposal vendor.
Store retired IT equipment in a secure area and allow access only to a few trusted employees. If possible, install cardkey access that tracks the comings and goings of staff in that area. This will keep a log of employee activity in that area should something disappear. If an employee removes a piece of equipment, whether functional or damaged, require a sign-out sheet even if that employee is part of your technical staff. If your building has a security or reception desk, provide employees with a signed equipment sheet that they must show before taking equipment out of the building. Management should also follow these sign-out procedures to set a good example and to create an audit trail.