ALM Properties, Inc.
Page printed from: Corporate Counsel
Select 'Print' in your browser menu to print this document.
Prevent Employee Theft of Your Retired IT Equipment
Law Technology News
In retail, employee theft can be worse than shopper theft. Employees can easily learn the internal operations of a store. In some ways, the same can be said for theft inside a business. Employees have access to equipment and knowledge of which equipment will be missed and which won't.
As businesses struggle with strained budgets, information technology departments are becoming overworked and understaffed. Important security precautions turn into secondary priorities as employees focus on immediate needs. Some companies run out of time and resources to carefully screen potential hires, allowing questionable characters to become staff members. This combination of factors has led to an alarming vulnerability in the security of company data.
Once a piece of computer equipment has been relegated to the scrap heap, most business owners and CEOs write it off as no longer a part of the company inventory. However, the hard drives inside laptops, PCs, mobile devices, and even multifunction copiers, contain sensitive data about your business and your customers. If an employee steals a piece of equipment and gives it away or sells it, that sensitive data could end up in the hands of someone who will use it or sell it.
Before you dispose of one more piece of equipment, consider these possible revisions in policy and procedures that could protect your company against data leakage. Below are a few tips to follow that will help to prevent your disposed equipment from becoming a liability.
KNOW THE LAW
It is one thing for an inexperienced internet user to be unaware of public Wi-Fi risks or a trusting Facebook user to be oblivious of privacy risks. It is another thing for an organization to ignore the threat of employee theft of retired equipment. Last year, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) stressed that organizations must "have in place meaningful access controls to safeguard hardware." Effective safeguards must include all equipment, even retired equipment. The OCR also stressed that they "expect organizations to comply with their obligations" ignorance is no longer a valid excuse for noncompliance.
RECOGNIZE THE CONSEQUENCES
It should be no surprise that the OCR has begun to apply unprecedented sanctions for violating the security and privacy regulations in the Health Information Portability and Accountability Act. There is no doubt that penalties can be punitive. However, the indirect costs of dealing with a breach and the impact of a privacy class action lawsuit can be much worse than penalties.
In May, the OCR fined BlueCross BlueShield of Tennessee $1.5 million for violations following the theft of 57 unencrypted retired hard drives. The cost of the fine was just the tip of the iceberg. In addition to the penalty, BCBST reportedly spent $17 million in investigation, notification, and protection efforts.
In July, eight separate privacy lawsuits filed against healthcare benefits provider TRICARE were consolidated to one case to be heard by a U.S District Court. The suits stem from the loss of a backup data tape and allege that TRICARE and its subcontractor were negligent for failing to respond to "recurring, systemic, and fundamental deficiencies in its information security." One suit was seeking an astounding $4.9 billion in damages.
Historically, privacy class actions fail for data breaches due to the difficulty of proving recoverable damages, but this little consolation to employers, executives, and directors when the initial cost to defending privacy suits can run up into millions of dollars. When it comes to protecting retired equipment from theft, an ounce of prevention is worth a ton of cure.
CREATE AND POST POLICIES
While it should go without saying that theft of company equipment is forbidden, having a written policy makes it easier to enforce the rules. Set clear equipment disposition policies that extend to every type of electronic device in your organization, regardless of age or condition. And have every employee sign the document to acknowledge that they have read and understand the policy.
ASSIGN MULTIPLE EMPLOYEES
You are opening up your business for potential theft and fraud if your equipment disposition process is handled by only one employee. Assign at least two employees to work on disposing equipment. Ideally, the process involves employees from different departments of your company. When your help desk worker determines a PC has reached its end of life, for instance, that employee should be required to input the information into a database. Another employee should then verify information about the asset is accurate and retire it to a secure holding area until it can be properly disposed of. Another employee should be tasked with wiping any hard drives. A fourth employee should work with the appropriate parties to transfer the PC to a certified disposal vendor.
Store retired IT equipment in a secure area and allow access only to a few trusted employees. If possible, install cardkey access that tracks the comings and goings of staff in that area. This will keep a log of employee activity in that area should something disappear. If an employee removes a piece of equipment, whether functional or damaged, require a sign-out sheet even if that employee is part of your technical staff. If your building has a security or reception desk, provide employees with a signed equipment sheet that they must show before taking equipment out of the building. Management should also follow these sign-out procedures to set a good example and to create an audit trail.
Theft of retired equipment doesn't have to be catastrophic, but theft of retired equipment that contains confidential data can drain budgets, deplete good will, and tarnish reputations. Assign an employee to ensure all data is removed from a device as soon as it has been identified for disposition using multiple-wipe software that has been proven to fully destroy data on a disk. Nonworking drives should be removed and physically destroyed using a hard drive crusher or even drill. Data destruction should be documented. The longer retired equipment is allowed to linger, the greater the chances that valuable data could end up in the wrong hands.
In all cases, it is wise to destroy data before equipment leaves your facility. A driver could steal a computer causing millions of dollars in damage to your organization. Should a computer be stolen or lost during transit, the transportation carrier might accept responsibility. Unfortunately, that would be a hollow victory, as the Carmack Amendment allows carriers to limit their liability for loss or damage to goods, regardless of how valuable it might be.
Ultimately, retired equipment should be handled by a qualified IT asset disposal vendor. You can outsource recycling, but not responsibility. If you think a pretty certificate will protect you, think again. Compliance and indemnification require unimpeachable chain-of-custody evidence. It is important to remember that unless you prove a vendor has your equipment, there is legal exposure. Disposal tags can protect that vulnerability by deterring employee theft and establishing chain-of-custody with a disposal vendor.
So why not ask a vendor, who is handling the equipment anyway, to also wipe data from the hard drives? You should. However, this should not be the primary method of data destruction. A vendor's data destruction services should be considered a secondary precaution. While it might sound appealing to ask a recycler to destroy data, no vendor can wipe data from a hard drive it never received.
Until a device is completely clear of all company data and verified to be in the custody of a qualified vendor, it is still just as important as it was while the device was in use. Companies spend large sums of money creating firewalls and encryption to protect sensitive business data, so why do companies treat retired equipment so carelessly?
By instituting policies that safeguard all of your equipment, you can ensure your sensitive data is safe from the time a computer is deployed until the day it is retired. With a little guidance, IT staff will likely work with you to keep your data safe.
Kyle Marks is the Founder and CEO of Retire-IT. Marks serves as the chairman of the Asset Disposal & Information Security Alliance North American Advisory Council and is also a Certified Hardware Asset Manager Professional (CHAMP) from the International Association of Information Technology Asset Managers.
This article originally appeared in Law Technology News.