Image: Anna Vignet
In retail, employee theft can be worse than shopper theft. Employees can easily learn the internal operations of a store. In some ways, the same can be said for theft inside a business. Employees have access to equipment and knowledge of which equipment will be missed and which won't.
As businesses struggle with strained budgets, information technology departments are becoming overworked and understaffed. Important security precautions turn into secondary priorities as employees focus on immediate needs. Some companies run out of time and resources to carefully screen potential hires, allowing questionable characters to become staff members. This combination of factors has led to an alarming vulnerability in the security of company data.
Once a piece of computer equipment has been relegated to the scrap heap, most business owners and CEOs write it off as no longer a part of the company inventory. However, the hard drives inside laptops, PCs, mobile devices, and even multifunction copiers, contain sensitive data about your business and your customers. If an employee steals a piece of equipment and gives it away or sells it, that sensitive data could end up in the hands of someone who will use it or sell it.
Before you dispose of one more piece of equipment, consider these possible revisions in policy and procedures that could protect your company against data leakage. Below are a few tips to follow that will help to prevent your disposed equipment from becoming a liability.
KNOW THE LAW
It is one thing for an inexperienced internet user to be unaware of public Wi-Fi risks or a trusting Facebook user to be oblivious of privacy risks. It is another thing for an organization to ignore the threat of employee theft of retired equipment. Last year, the U.S. Department of Health and Human Services, Office of Civil Rights (OCR) stressed that organizations must "have in place meaningful access controls to safeguard hardware." Effective safeguards must include all equipment, even retired equipment. The OCR also stressed that they "expect organizations to comply with their obligations" ignorance is no longer a valid excuse for noncompliance.
RECOGNIZE THE CONSEQUENCES
It should be no surprise that the OCR has begun to apply unprecedented sanctions for violating the security and privacy regulations in the Health Information Portability and Accountability Act. There is no doubt that penalties can be punitive. However, the indirect costs of dealing with a breach and the impact of a privacy class action lawsuit can be much worse than penalties.
In May, the OCR fined BlueCross BlueShield of Tennessee $1.5 million for violations following the theft of 57 unencrypted retired hard drives. The cost of the fine was just the tip of the iceberg. In addition to the penalty, BCBST reportedly spent $17 million in investigation, notification, and protection efforts.
In July, eight separate privacy lawsuits filed against healthcare benefits provider TRICARE were consolidated to one case to be heard by a U.S District Court. The suits stem from the loss of a backup data tape and allege that TRICARE and its subcontractor were negligent for failing to respond to "recurring, systemic, and fundamental deficiencies in its information security." One suit was seeking an astounding $4.9 billion in damages.