Preventing Digital Disasters

By Stampp Corbin

The digital world is an ecosystem teeming with life and supporting an abundance of trade, commerce, and culture. Petabytes of data stream continuously over public and private networks, with content ranging from instant messaging chatter to highly sensitive financial records. People with bad intent sometimes attack networks. Whether they are professional thieves prowling for account numbers or bored teenagers intent on mischief, these parasites disrupt commerce, steal information, and do billions of dollars' worth of damage every year. Their actions can have devastating long-term consequences for an unwary individual or business.

The Federal Trade Commission estimates that identity theft alone has cost American businesses and consumers more than $48 billion over the past five years. Once a thief assumes another person’s identity, clearing up credit records and restoring one’s good name can take years of hard work. And while juggling calls from collection agencies and resolving problems with banks and credit bureaus, the victim will still likely be denied access to basic financial tools and services such as home mortgages and small business loans.

A major source of digital pollution is outdated computer equipment. The U.S. Environmental Protection Agency (EPA) estimates that a quarter billion personal computers will be made obsolete by 2005. The International Association of Electronics Recyclers predicts that by 2010 the mountain of scrapped computers will quadruple to one billion units.

The physical disposal of information technology presents formidable challenges. A typical CRT monitor, for example, contains three to nine pounds of lead. Printed circuit boards contain beryllium, cadmium, flame retardants, and other toxic compounds that can seep into groundwater or escape into the air when incinerated. The problem is so daunting that the EPA has identified e-waste as the nation’s fastest-growing waste stream, and many states and municipalities now ban the disposal of monitors and other equipment into the nation’s landfills.

For example, California Civil Code section 1789.82 (formerly known as SB 1386), California's Mandatory Disclosure Statute, requires all entities that do business in California to disclose information security breaches to every California resident whose data was acquired by an unauthorized person. Other states that are considering similar statutes include New York, New Jersey, Idaho, and Indiana.

Ghosts in the Machines

Unfortunately, the danger is not limited to the physical realm. Ghosts in those machines—unerased information left on hard drives and other storage devices—represent a digital disaster waiting to happen. Consider these recent examples:

  • The Bank of Montreal sold two high-powered computers containing hundreds, possibly thousands, of customer records, including names, addresses, telephone numbers, and account numbers and balances, to a reseller, who put them up for sale on a popular online auction site. Fortunately for the bank and its customers, the reseller immediately pulled the servers off the market when he turned on one of the machines and noticed that the hard drives had not been erased. While a disaster was averted, the bank was forced to spend considerable time and effort investigating the incident and reassuring customers that their confidential financial information was safe.
  • The Commonwealth of Kentucky nearly sold surplus computers containing confidential files naming thousands of people with AIDS and other sexually transmitted diseases, as well as the number of sexual partners.
  • A former Morgan Stanley executive sold an outdated handheld device, not realizing that it still contained thousands of names, account numbers, and passwords.

Preventive Measures

Cognizant of these digital dangers, forward-thinking IT managers are looking to prevent digital disasters along with the accompanying liability and loss of reputation. When dealing with e-waste, follow these precautions:

  • Have assets collected by certified vendors that adhere to strict shipping and security guidelines.
  • Have all data and software erased from hard drives and other media.
  • Ensure stringent adherence to data destruction protocols such as the U.S. Department of Defense's 5220.22-M standard, which requires the triple overwriting of each disk sector and ensures that hard drives do not enter the secondary market with proprietary software, corporate data, or customer information still resident.
  • Subject inoperable hard drives to a certified degausser, which demagnetizes the hard drive and renders all of the data unrecoverable.
  • Strip all equipment of asset tags and identifiers.
  • Recycle all assets not destined for resale or charitable donation in strict compliance with relevant state and federal environmental rules, with formal indemnification from environmental liability or risk.
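The triple-overwrite step above, as an added example that is not part of the original article or RetroBox's tooling: each sector is written with a fixed byte, then its complement, then random data, and a read-back check confirms that planted "customer records" no longer survive. The function names, the constructed sample record, and the scratch-file demo are assumptions for illustration.

```python
import os
import secrets
import tempfile

# Three-pass overwrite in the spirit of the DoD 5220.22-M scheme the article cites
# (fixed byte, complement, random), then a residue check. Added example, not RetroBox code.
PASS1, PASS2 = 0x00, 0xFF
CHUNK = 1 << 20  # 1 MiB writes, so wiping a large device needs little memory

def _fill(fh, size, pattern=None):
    # Write `size` bytes from offset 0: a fixed byte, or random data if pattern is None.
    fh.seek(0)
    remaining = size
    while remaining:
        n = min(CHUNK, remaining)
        fh.write(bytes([pattern]) * n if pattern is not None else secrets.token_bytes(n))
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # push the pass through the OS cache onto the media

def three_pass_overwrite(path):
    """Overwrite every byte of the file or block device at `path` three times."""
    with open(path, "r+b") as fh:
        size = fh.seek(0, os.SEEK_END)  # also sizes block devices, unlike getsize()
        for pattern in (PASS1, PASS2, None):
            _fill(fh, size, pattern)
    return size

def residue_present(path, markers):
    """True if any known-content marker can still be read back from `path`."""
    with open(path, "rb") as fh:
        data = fh.read()
    return any(m in data for m in markers)

def demo(path):
    record = b"ACCT 0000-1111-2222 BAL 12345.67\n"  # constructed sample, not real data
    with open(path, "wb") as fh:
        fh.write(record * 4096)
    markers = [b"ACCT 0000-1111-2222", b"BAL 12345.67"]
    before = residue_present(path, markers)
    size = three_pass_overwrite(path)
    after = residue_present(path, markers)
    return before, after, size  # (True, False, bytes overwritten)

def demo_on_tempfile():
    fd, path = tempfile.mkstemp()
    os.close(fd)
    result = demo(path)
    os.remove(path)
    return result
```

Pointing three_pass_overwrite at a real device path destroys its contents irreversibly, so verify the path twice before running it outside the scratch-file demo. On flash media with wear levelling, overwriting a logical range does not guarantee the old physical blocks are gone, which is why the degausser or certified-destruction step remains the fallback for drives that cannot be reliably overwritten.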

Stampp Corbin is president and CEO of RetroBox Inc. (www.retrobox.com), an information technology disposal company. This article was adapted from a version published in CyberDefense (www.cyberdefensemag.com).

The CPA Journal is broadly recognized as an outstanding, technical-refereed publication aimed at public practitioners, management, educators, and other accounting professionals. It is edited by CPAs for CPAs. Our goal is to provide CPAs and other accounting professionals with the information and news to enable them to be successful accountants, managers, and executives in today's practice environments.

©2009 The New York State Society of CPAs.