From HIPPA to Sarbox, a slew of regulations to protect customer and employee data force CIOs to step lively to comply. The punishment for failure to do so is costly and even dire. But once a company folds-and more are folding every week given the economy-what happens to that data? Who in the business and IT could be hit by the splatter if it all hits the fan?
"Certain companies have been disposing of records containing sensitive consumer information in very questionable ways, including by leaving in bags at the curb, tossing it in public dumpsters, leaving it in vacant properties and/or leaving it behind in the offices and other facilities once they've gone out of business and left those offices," says Jacqueline Klosek, a senior counsel in Goodwin Procter's Business Law Department and a member of its Intellectual Property Group.
"In addition, company computers, often containing personal data, will find their ways to the auction block," she adds. "All too often, the discarded documents and computer files will sensitive data, such as credit card numbers, social security numbers and driver's licenses numbers. This is the just the kind of data that can be used to commit identity theft."
Discarded and unguarded data is now low-hanging fruit for criminal harvesters and corporate spies. "Recent client activity supports that competitors are beginning to buy up such auction devices specifically with the intention of trying to salvage the data," says James DeLuccia, author of IT Compliance & Controls. "Hard drives are being removed and sold online, or whole servers are sold via Craigslist and Ebay."
In some cases, the courts insist data be sold during a bankruptcy. "Company servers, once I restore them to operation, are handed over to the bankruptcy trustee's representative," says Bill Horne, a consultant at William Warren Consulting, a computer and network installations, security and service company. "The data they contain is considered to be a corporate asset and it is conveyed to the new owners in every situation I've seen."
Horne says his business is booming as more companies fail and more buyers await the goods.
Even companies still in business but looking to discard excess hardware abandoned by laid-off workers are exposing customer data to hordes of thieves. "Outdated or unused desktop machines, which might contain all kinds of sensitive data, are either sold to recycling firms or to the general public, with no attention to data security," says Horne.
Most recyclers expect PCs to arrive with software intact, says Horne, because it raises their resale value. Few computer service firms bother to tell their customers about the danger of letting old machines go out the door without first erasing their disks, he says.
"When I accept machines from my customers, either for resale or recycling, they know I will 'flatten' the machines before passing them on," he says. "Unfortunately, I'm the exception rather than the rule."