by Keith Boyce Thursday July 03 2014
The financial industry has to comply with a growing list of data-security regulations and standards intended to protect consumers, including the Gramm-Leach-Bliley Act, the Sarbanes-Oxley Act and the State Financial Data Privacy Act, just to name a few. While institutions consider their methods for complying with the electronic destruction of data, few have given thought to data that remain on discarded hardware.
Think about all the servers and computers at merchants, banks, doctors’ offices and even our own homes that retain our personal information. Now, think about what happens when these computers are retired or stop working. That information is still housed on those servers and computers. Despite the aforementioned legislation and other regulations in place, there is no one entity that monitors this hardware to ensure that complete data destruction takes place. While there are shredding companies that ensure documents are destroyed correctly, who is really monitoring the electronic data destruction?
The focus on less paper and on providing information electronically has created an avenue for data breaches. As we have seen with Heartbleed and other malicious computer threats, information is vulnerable. Destroying electronic data that is no longer needed could actually reduce the amount of electronic information theft.
In most instances, consumer information can be stored directly on local computers instead of servers. Consider this example: Jane Doe sends her pay stubs by email to her bank upon request. Those documents then have to be extracted from the email and stored either on a server or on a local hard drive. There is a fair chance that the bank employee, trying to work quickly and provide great customer service, inadvertently saves the document to the desktop. This creates a security concern if something happens to this local computer or it gets replaced.
Because Jane Doe’s information was not properly eliminated from that computer (not just deleted but completely erased), it still resides on the hard drive. Institutions need to be more aware of this type of situation and put a process in place to better protect consumer information. In addition, government agencies need to make a more conscious effort to protect this information through required methods of data destruction.
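The distinction between deleting and erasing in the paragraph above is the whole point, so here is an added illustration that is not part of the original article. It models a disk as a flat byte array with a simple directory, an invented simplification of how real filesystems work: ordinary deletion drops the directory entry and frees the blocks but leaves the bytes in place, while erasure overwrites the blocks first. The file name and the "Jane Doe" record are constructed sample data.

```python
"""Toy block device showing why 'deleted' is not 'erased'.

Added example, not from the original article. The filesystem model is
deliberately simplified; real filesystems differ in detail but share the
property that deletion normally only unlinks metadata and leaves the data
blocks untouched until they happen to be reused.
"""

BLOCK_SIZE = 16


class ToyDisk:
    """Fixed-size blocks plus a directory mapping file names to block indexes."""

    def __init__(self, blocks: int) -> None:
        self.media = bytearray(blocks * BLOCK_SIZE)   # the raw storage medium
        self.free = list(range(blocks))               # unallocated block indexes
        self.directory: dict[str, list[int]] = {}     # name -> blocks holding it

    def write_file(self, name: str, data: bytes) -> None:
        """Split data into blocks, write each one, and record them in the directory."""
        used = []
        for off in range(0, len(data), BLOCK_SIZE):
            chunk = data[off:off + BLOCK_SIZE].ljust(BLOCK_SIZE, b"\x00")
            idx = self.free.pop(0)
            self.media[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = chunk
            used.append(idx)
        self.directory[name] = used

    def delete_file(self, name: str) -> None:
        """Ordinary deletion: forget the directory entry and mark the blocks free.

        Nothing is written to the media, so the bytes remain readable to anyone
        who scans the raw disk instead of asking the directory."""
        self.free.extend(self.directory.pop(name))

    def erase_file(self, name: str) -> None:
        """Secure erasure: overwrite every block the file occupied, then delete."""
        for idx in self.directory[name]:
            self.media[idx * BLOCK_SIZE:(idx + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def raw_contains(self, needle: bytes) -> bool:
        """What a forensic scan of the raw medium sees, ignoring the directory."""
        return needle in self.media


def record_survives(secure: bool) -> bool:
    """Store a constructed customer record, remove it, and report whether a raw
    scan of the medium can still find it. Returns True when data leaked."""
    disk = ToyDisk(blocks=8)
    record = b"Jane Doe pay stub, constructed sample record"  # constructed sample data
    disk.write_file("paystub.pdf", record)
    if secure:
        disk.erase_file("paystub.pdf")
    else:
        disk.delete_file("paystub.pdf")
    return disk.raw_contains(b"Jane Doe")


if __name__ == "__main__":
    print("after plain delete, record still on media:", record_survives(secure=False))
    print("after overwrite erase, record still on media:", record_survives(secure=True))
```

Running it shows the record surviving a plain delete and disappearing after the overwrite. One caveat for practitioners: on flash media (SSDs) the controller may remap writes, so an in-place overwrite from software does not guarantee the old cells are cleared; there, a device-level secure-erase command or full-disk encryption with key destruction is the reliable equivalent.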
One approach that could solve this challenge is to have all businesses, whether a bank, doctor’s office, accountant or merchant, invest in software that completely erases data from a local computer. Such software is certified by several government entities. In addition, the government could conduct audits of data destruction to ensure businesses are adhering to their policies and that those policies are not outdated.
Keep in mind that the average computer is outdated within weeks of hitting the shelves because technology is ever changing. That means policies need to be reviewed and modified as needed.
Putting procedures in place that require businesses to be more cautious in how they eliminate consumers’ financial data, including reviews and strong penalties for violations, could lead to a decrease in data breaches and more thorough data destruction processes.