It seems like a victimless crime. Toss out an old computer or post it for sale on the Internet for a few bucks. Not a big deal, right?
Not so fast.
The Office for Civil Rights (“OCR”) for the U.S. Department of Health and Human Services (“HHS”) recently released “Guidance on Disposing of Electronic Devices and Media” underscoring the risks inherent in disposing of electronic media. The guidance is aimed at organizations that store sensitive data, including personally identifiable information (“PII”) and protected health information (“PHI”), on computer equipment such as “desktops, laptops, tablets, copiers, servers, smart phones, hard drives, USB drives, or any electronic storage device.” OCR recommends that organizations consider the following ten questions when designing policies for disposing of old computer equipment:
- What data is maintained by the organization and where is it stored?
- Is the organization’s data disposal plan up to date?
- Are all asset tags and corporate identifying marks removed?
- Have all asset recovery-controlled equipment and devices been identified and isolated?
- Is data destruction of the organization’s assets handled by a certified provider?
- Have the individuals handling the organization’s assets been subjected to workforce clearance processes and undergone appropriate training?
- Is onsite hard drive destruction required?
- What is the chain of custody?
- How is equipment staged/stored prior to transfer to external sources for disposal or destruction?
- What are the logistics and security controls in moving the equipment?
The HIPAA Security Rule requires that organizations “implement policies and procedures to address the final disposition” of both the electronic PHI and the hardware or media on which it is stored. See 45 C.F.R. §§ 164.310(d)(2)(i)-(ii). Under OCR’s earlier guidance on securing PHI, electronic PHI that has been cleared, purged, or destroyed in accordance with National Institute of Standards and Technology (“NIST”) Special Publication 800-88, Guidelines for Media Sanitization, is no longer “unsecured” PHI, so its loss or improper disposal would not trigger the HIPAA breach notification requirements.
The NIST Guidelines for Media Sanitization match sanitization techniques to the type of media and to the sensitivity of the data on it. Broadly, NIST defines “clearing” as using the device’s own read and write commands to overwrite sensitive data with nonsensitive data in all user-addressable storage locations; clearing protects against simple, non-invasive recovery but does not reach spare or remapped blocks that the host cannot address, which matters for solid-state media. It defines “purging” as physical or logical techniques that render the data infeasible to recover even with state of the art laboratory techniques, including firmware-level overwrite and block erase commands, cryptographic erase (destroying the key under which the media was encrypted), and, for magnetic media, degaussing. And it defines “destroying” as rendering the data unrecoverable by those same laboratory techniques while also leaving the media unusable for subsequent storage: disintegrating, pulverizing, melting, incinerating, and certain forms of shredding. Whichever technique is used, NIST also calls for verifying the result and documenting it, so that the organization can later show what was sanitized, how, and by whom.
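The following is an added example, not code from OCR or from NIST SP 800-88, that simulates two of the sanitization outcomes described above on a file-backed media image and then checks them the way a disposal procedure should, by reading the media back: a “clear” that overwrites every user-addressable sector and verifies each one, and a “purge” by cryptographic erase in which the sectors are stored encrypted under a media encryption key (MEK), as a self-encrypting drive would store them, and sanitization destroys only the key. Everything in it is an assumption for illustration: 512-byte sectors, a constructed “PHI:” record in every sector, and a SHAKE-256 keystream standing in for a drive’s AES engine.

```python
"""
Added example (not from the OCR guidance or NIST SP 800-88 itself):
simulate a NIST 800-88 "clear" (overwrite + read-back verification) and a
"purge" by cryptographic erase on a file-backed media image.

Assumptions: 512-byte sectors, a constructed "PHI:" record in every sector,
and a SHAKE-256 per-sector keystream standing in for a drive's AES engine.
"""
import hashlib
import os
import secrets
import tempfile

SECTOR = 512
MARKER = b"PHI:"  # constructed sample data: every record starts with this tag


def sample_records(n: int) -> list[bytes]:
    """Constructed PHI-like records, one per sector, zero-padded to SECTOR bytes."""
    return [(MARKER + f"patient{i:04d}".encode()).ljust(SECTOR, b"\x00") for i in range(n)]


def write_image(path: str, sectors: list[bytes]) -> None:
    with open(path, "wb") as f:
        for s in sectors:
            f.write(s)


def read_sectors(path: str) -> list[bytes]:
    with open(path, "rb") as f:
        return [s for s in iter(lambda: f.read(SECTOR), b"")]


def marker_sectors(sectors: list[bytes]) -> int:
    """How many sectors still begin with the PHI marker, i.e. are trivially recoverable."""
    return sum(s.startswith(MARKER) for s in sectors)


# --- Clear: host-level overwrite of every user-addressable sector, then verify ---
def clear_image(path: str, pattern: bytes = b"\x00") -> None:
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for off in range(0, size, SECTOR):
            f.write((pattern * SECTOR)[: min(SECTOR, size - off)])
        f.flush()
        os.fsync(f.fileno())  # do not trust the overwrite until it has reached the media


def verify_clear(path: str, pattern: bytes = b"\x00") -> list[int]:
    """Full read-back verification: indexes of sectors that do not hold the pattern."""
    return [i for i, s in enumerate(read_sectors(path)) if s != (pattern * SECTOR)[: len(s)]]


# --- Purge by cryptographic erase: destroy the key, never touch the data blocks ---
def keystream(mek: bytes, index: int) -> bytes:
    """Per-sector keystream derived from the MEK (stand-in for AES-XTS on a SED)."""
    return hashlib.shake_256(mek + index.to_bytes(8, "big")).digest(SECTOR)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def write_encrypted_image(path: str, sectors: list[bytes], mek: bytes) -> None:
    write_image(path, [xor(s, keystream(mek, i)) for i, s in enumerate(sectors)])


def read_encrypted_image(path: str, mek: bytes) -> list[bytes]:
    return [xor(c, keystream(mek, i)) for i, c in enumerate(read_sectors(path))]


def crypto_erase(mek: bytearray) -> None:
    """Zeroize the MEK in place; the ciphertext on the media is left as-is."""
    for i in range(len(mek)):
        mek[i] = 0


def demo(n: int = 64) -> dict:
    records = sample_records(n)
    with tempfile.TemporaryDirectory() as d:
        # Clear: PHI visible before, every sector verified equal to the pattern after.
        plain = os.path.join(d, "plain.img")
        write_image(plain, records)
        before = marker_sectors(read_sectors(plain))
        clear_image(plain)
        bad = verify_clear(plain)
        after_clear = marker_sectors(read_sectors(plain))
        # Cryptographic erase: readable only with the MEK; raw media never shows PHI.
        sed = os.path.join(d, "sed.img")
        mek = bytearray(secrets.token_bytes(32))
        write_encrypted_image(sed, records, bytes(mek))
        with_key = marker_sectors(read_encrypted_image(sed, bytes(mek)))
        raw_on_media = marker_sectors(read_sectors(sed))
        crypto_erase(mek)
        after_erase = marker_sectors(read_encrypted_image(sed, bytes(mek)))
    return {
        "phi_sectors_before": before,
        "clear_bad_sectors": bad,
        "phi_sectors_after_clear": after_clear,
        "sed_readable_with_key": with_key,
        "sed_marker_visible_on_media": raw_on_media,
        "sed_readable_after_erase": after_erase,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

Two caveats carry over to real hardware. The clear step above is the equivalent of host-level writes (dd- or shred-style), which on flash media cannot reach over-provisioned, remapped or worn-out blocks; that is why NIST SP 800-88 points to the drive’s own sanitize commands (ATA SECURITY ERASE UNIT or SANITIZE, NVMe Format or Sanitize) for a purge. And cryptographic erase only counts as sanitization if every block was encrypted before any PHI was written to it and the key cannot be recovered from anywhere else, such as a backup or key escrow.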
The Federal Trade Commission’s (“FTC”) Disposal Rule applies more broadly to any person or organization under FTC jurisdiction that maintains or possesses consumer information for a business purpose. The FTC has specified that this rule applies to all organizations that use consumer reports, including in hiring, as landlords, or in providing loans or insurance. The rule requires persons or organizations to “properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information” when disposing of it. See 16 C.F.R. § 682.3(a). For electronic records, such reasonable measures include “the destruction or erasure of electronic media containing consumer information so that the information cannot practicably be read or reconstructed” and the hiring of a document destruction contractor after proper due diligence of that contractor’s compliance with this rule, its qualifications and references, or its information security policies and procedures. Id. §§ 682.3(b)(2)-(3).
Most states and Puerto Rico also have data disposal laws that apply to businesses. For example, under New York’s General Business Law § 399-h, an organization disposing of a record containing PII must first shred the record, destroy the PII in the record, make the PII unreadable, or follow commonly accepted industry practices.
One issue that is sometimes overlooked within data security policies is that many copiers and multifunction printers keep images of the documents they copy, print, scan or fax on an internal hard drive, so a returned or resold machine can carry years of documents with it. For example, in 2013, a health care company reached a settlement of more than $1.2 million with HHS for a data breach caused by returning leased copiers without properly erasing the information on their hard drives. The FTC provides more detailed guidance for businesses that use digital copiers.
The lesson to organizations should be clear: Without a workable data disposal plan, the millions of dollars spent on securing corporate networks and protecting data from hackers could be undermined by the loss or improper disposal of an old hard drive, smart phone or tablet. In fact, in 2016, a data erasure firm purchased 200 computer drives from eBay and Craigslist and found that 67% of the drives contained personally identifiable information and 11% contained sensitive corporate data.