School Security Gap (with related video)
Data security breaches in the educational sector can be devastating to institutions and the students and employees they serve. They carry the potential for identity theft, violations of federal and state laws, and loss of trust of students, alumni and employees.
The Identity Theft Resource Center says that as of October 2011, education institutions in 2011 had experienced 47 breaches that affected 618,216 records. To combat the problem, education administrators have dedicated substantial resources to ensure their IT equipment is protected against hacker attacks, malware intrusions and phishing.
Too much school security is at stake—student academic, financial aid and health records; alumni and donor records; employee records; academic research; and other sensitive institutional data. Institutions must take seriously their responsibility to handle this information securely.
Latent Data Dangers
This sensitive data also could be at risk during routine IT equipment upgrades. Administrators may assume, incorrectly, that once old electronics are laid to rest, the data on them are, too. Yet the data lives on—not just on computer and server hard drives that have been declared obsolete or redundant, but across a wide range of devices, including printers, copiers, scanners and fax machines. Copier and printer hard drives, for example, contain readily obtainable data. Printable copies of applications, financial information, transcripts, registration forms, university records and donor records all can be found on end-of-life copiers and printers.
Furthermore, cell phones, PDAs and other smart mobile communication devices also retain confidential information, which because of memory storage is increasingly difficult to clear. Even basic network equipment such as switches and routers hold network-specific information that can leave an institution’s school security network vulnerable. Data disasters most commonly arise from a lack of due diligence.
Sitting Duck Data
As soon as technology leaves an education institution’s premises, the uncleared data becomes vulnerable. The gray market—where information and goods are sold outside authorized channels—is evolving and becoming more sophisticated to the point where solutions that might have worked in the past may not be adequate.
Thieves used to desire discarded machines for the commodities they contain, such as aluminum, copper and gold. Now, machines are coveted because of the confidential data that can be extracted. A year-long study of the online underground economy revealed that the potential value of advertised goods was in excess of $276 million. Credit card and bank account data were among the most popular goods routinely bought and sold by cybercriminals.
This should concern education institutions because of the variety of school security privacy regulations in effect. Institutions typically are subject to the data protection provisions of the Family Educational Rights and Privacy Act (FERPA), the Identity Theft and Assumption Deterrence Act (ITADA), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Given stringent compliance requirements and the importance of maintaining the trust of those whose information they hold, how can education institutions guarantee data security? Many organizations facing similar issues turn to outside vendors specializing in electronics reuse and recycling.
An International Association of IT Asset Managers 2010 survey found that 74 percent of the organizations participating ranked data security and privacy as extremely important to their IT asset disposal (ITAD) program. This survey also found that 69 percent of these organizations outsource their IT asset-disposal programs. Among those who do so, 76 percent indicated that data security is either extremely or very important when choosing an electronics reuse and recycling vendor.
Yet, like every other industry, all reuse and recycling companies are not created equal. Therefore, it is vital that education institutions ask the right questions before selecting a vendor to remarket or recycle end-of-life electronics. Their reputations depend on making an informed choice.
Reputable Recycling
Some questions education institutions should ask when selecting a vendor:
-
Does the recycler "own the life cycle" or rely on subcontractors? A recycler offering a complete range of remarketing and recycling services internally will eliminate reliance on subcontractors to process the redundant electronics. Selecting a recycler that manages every step of the process internally improves accountability, increases security and streamlines reporting.
-
Can the recycler ensure data security? Look for a recycler that offers NIST-compliant data destruction and validation of that destruction, especially if IT assets will be resold. Depending on an institution's requirements, it may want to choose a recycler that can provide on-site degaussing and hard-drive destruction, hard-drive shredding, witnessed destruction, and certificates of data and physical destruction.
-
Is the recycler certified? A certified recycler is committed to operating in accordance with recycling industry best practices that govern environmental, health, and safety management systems (R2, e-Stewards, ISO 14001, OHSAS 18001), and complies with the latest standards that regulate information destruction (NAID) and the secure handling, warehousing and transportation of equipment (TAPA).
-
Does the recycler have the financial heft to protect customers from potential liability? A good indicator of a recycler's ability to do this is evidence of general and excess liability insurance, as well as pollution liability and cyber security insurance. An insured recycler is able to protect customers from and manage the potential financial risks associated with recycling electronics.
-
Where does the recycler do business? A recycler operating a network of strategically situated facilities will be able to process and recycle an institution's obsolete electronics no matter where the school's campuses and research centers are situated. This also will minimize freight costs, reduce greenhouse gas emissions and simplify logistics.
-
Does the recycler allow tours? Even if a potential recycler meets all the above criteria, conduct a site visit to see the facility size, examine the recycling equipment and evaluate the physical security measures in place. Determine if the recycler conducts employee background checks and tests for drug use. Request a list of customer references and contact them.
Remember that an institution will continue to be held accountable for data even after equipment is removed from service. That is why it's imperative for education institutions to reach informed decisions about the way they dispose of retired electronics.
Skurnac is the president of Sims Recycling Solutions, West Chicago, Ill., the global leader in electronics reuse and recycling. (888)234-9967
Related Video
About recycling electronics: