2017 Data Breach Report Indicates Higher Damage Ratio For Improper Disposal Incidents

The non-profit Identity Theft Resource Center reports that improper disposal accounted for about 10% of last year's increase in U.S. data breaches, but that these incidents cause disproportionate damage. According to the 2017 Data Breach Report, the number of publicly reported data breaches rose 45% over 2016 to a total of 1,579 incidents.

While about 60% of the breaches were the result of hacking, the improper disposal category is notable because it tracks employee error, negligence and loss. Statistically, this category is especially damaging, exposing nearly 146 million records, some 82 percent of the total. Almost all of those records were reported from the business sector, far more than from the medical/healthcare industry, banking/credit/financial institutions, government/military and educational organizations.

Of the five industry sectors that the ITRC tracks, the business category had the most incidents, with 870 breaches (55%). The banking/credit/financial sector moved into the top three categories for only the second time since 2005, with 8.5%.

According to president and CEO Eva Velasquez, some of the increase is the result of more organizations feeling compelled to report breaches. "We've seen the number of identified breaches increase as a result of industries moving toward more transparency," said Velasquez.

CyberScout, an ID theft protection company, provided some funding for the report.

New Report Supports Positive Trends in IT Hardware Purchases

Cascade Asset Management's Fourth Annual Benchmark Report provides statistical evidence that the hardware remarketing sector rebounded strongly in 2017, and these trends are expected to continue this year. The Madison, WI-based ITAD organization reported that sales of assets grew by over 18% in 2017, with clients refreshing their equipment at an accelerated pace. The trend supported increased average resale prices for both laptops (7.3%) and desktop PCs (13.4%).

According to the survey, more than two thirds of respondents indicated that they anticipate equal or increased IT hardware purchases in 2018, an increase of about 10% over 2017. According to study author Neil Peters-Michaud: "While there continues to be a rapid adoption of mobile devices in the workplace, our clients don't plan on giving up their workstations any time soon. Retirement of desktops and laptops is staying fairly consistent, but there is an increase in the disposition of smartphones and the data center equipment that supports them."

Another key finding concerned asset tracking, with 88% of enterprises reporting that they track all laptops, desktops and servers through their lifecycle. However, another notable statistic shows that although many organizations perform data destruction on hard drives before the drives leave their premises, over half (56%) did not handle onsite data destruction themselves but outsourced the process. A surprising 11% reported that they continue to rely on hitting the hard drive with a hammer.

Respondents also ranked the value of various certifications, including NAID security certification (44.4%) and the e-Stewards Standard for Responsible Recycling (42.2%).

The Cascade report draws on a November 2017 survey of organizations with more than 160,000 employees, an evaluation of more than 259,000 refurbished and recycled assets, and a review of related industry research.

Moving Beyond DoD 5220.22-M:

The Data Wipe “Standard” That Would Not Die

Not a day goes by that we don't come across yet another reference to sanitizing hard drives in compliance with the Department of Defense standard DoD 5220.22-M, otherwise known as the data erasure standard that never was.

The DoD 5220.22-M "standard" for erasing or wiping data from a hard drive emerged early in the evolving electronic data destruction business. In a classic case of echo-chamber knowledge distribution, the de facto adoption of this process was more a marketing phenomenon than the result of any official policy supported by the Department of Defense.

The procedure usually cited as DoD 5220.22-M overwrites every addressable location on the drive with a fixed character, then its complement, then a random character, and verifies the result. The fact that the protocol called for three overwriting passes made it seem all the more secure, as did the implied Department of Defense imprimatur. At some point, this pseudo-standard took on a life of its own as third-party computer recycling and refurbishing companies, IT asset disposition (ITAD) firms and other organizations asserted "DoD compliance" on websites and marketing collateral.

DoD 5220.22-M was never approved by the Department of Defense for civilian media sanitization, and, more importantly, the DoD never intended it as a standard for classified data. The DoD is not in the business of certifying data destruction standards and has no mechanism for policing any given company's procedures. For its own classified data, the DoD requires a combination of wiping, degaussing and/or physical destruction.
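For readers who want to see what the three-pass procedure actually amounts to, here is an added example (written for this page, not a DoD tool and not code from any vendor mentioned here). It runs the character / complement / random sequence over an ordinary file and, unlike most marketing claims, includes the verification step. The chunk size, the 0x55 pass-1 byte and the sample file contents are assumptions chosen for the demo; real disk wiping targets the raw block device, not a file.

```python
import os
import random
import secrets
import tempfile

CHUNK = 64 * 1024   # assumed I/O chunk size for the demo
PATTERN = 0x55      # assumed pass-1 byte (0b01010101); pass 2 writes its complement 0xAA

# Constructed sample content standing in for "sensitive" data; not real records.
SAMPLE_RECORD = b"ACCOUNT 0000-0000-0000-0000 BALANCE 1234.56\n"
SAMPLE_COPIES = 5000   # ~215 KiB, so the file spans several chunks plus a partial one


def _write_pass(path, size, next_chunk):
    """Overwrite every byte of the file from offset 0 and fsync before returning."""
    with open(path, "r+b") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            f.write(next_chunk(n))
            done += n
        f.flush()
        os.fsync(f.fileno())


def _verify_pass(path, size, next_chunk):
    """Read the file back and compare each chunk with what the pass should have written."""
    with open(path, "rb") as f:
        done = 0
        while done < size:
            n = min(CHUNK, size - done)
            if f.read(n) != next_chunk(n):
                return False
            done += n
    return True


def three_pass_overwrite(path, pattern=PATTERN):
    """Character, complement, random, then verify: the procedure vendors label "DoD 5220.22-M".

    Each entry in `passes` is a factory returning a fresh chunk generator, so the
    random pass can be regenerated from its seed for verification instead of
    keeping a second copy of the random data.
    """
    size = os.path.getsize(path)
    seed = int.from_bytes(secrets.token_bytes(32), "big")  # OS CSPRNG seeds the stream

    def fixed(byte):
        return lambda: (lambda n: bytes([byte]) * n)

    def seeded_random():
        return random.Random(seed).randbytes

    passes = [
        ("pattern", fixed(pattern)),
        ("complement", fixed(pattern ^ 0xFF)),
        ("random", seeded_random),
    ]
    report = {"bytes": size, "passes": []}
    for name, factory in passes:
        _write_pass(path, size, factory())
        verified = _verify_pass(path, size, factory())
        report["passes"].append({"pass": name, "verified": verified})
    # The matrix only demands verification after the final pass; checking all three
    # is cheap on a demo file and catches a pass that silently failed to reach the media.
    report["sanitized"] = all(p["verified"] for p in report["passes"])
    return report


def demo():
    """Write the constructed sample to a temp file, wipe it, and check the original bytes are gone."""
    fd, path = tempfile.mkstemp()
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_RECORD * SAMPLE_COPIES)
        report = three_pass_overwrite(path)
        with open(path, "rb") as f:
            report["original_recoverable"] = SAMPLE_RECORD in f.read()
        return report
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Two points the example makes concrete: verification is what turns "we ran a wipe" into evidence, and it is exactly the part that a marketing checkbox omits; and an overwrite only reaches the locations the operating system lets you address, which is why, for classified media, the DoD pairs wiping with degaussing or physical destruction rather than trusting three passes on their own.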


Carefirst Data Breach Case Moves Forward Following Key Ruling

Appeals Court Says Consumers Can Sue Organizations That Fail to Protect Data

In a case that is likely to have far-reaching consequences for privacy law enforcement, the federal appeals court in Washington, DC has ruled that a consumer class action seeking compensation for faulty security practices can proceed. The ruling overturned a July 2016 decision by a Maryland district court, which had found that the plaintiffs lacked standing in their case against healthcare insurers CareFirst Inc. and CareFirst of Maryland Inc.

The case was triggered by a data breach reported in 2015 that affected 1.1 million current and former members of the healthcare networks. Originally filed by plaintiffs Pamela Chambliss and Scott Adamson, the lawsuit claims that the insurer should be held responsible for failing to protect their personal data.

The complaint reads: "As customers of CareFirst, Plaintiffs allege that they had a reasonable expectation that their confidential personal information would remain private and confidential. Due to CareFirst's failure to secure the personal information at issue, Plaintiffs claim that they and the class members 'have lost or are subject to losing money and property.'"

The district court ruling was based on a lack of evidence that the data had been misused. In its decision, the court wrote: "Their theory of harm relies solely on the actions of an unknown independent third party. It is thus not clear 'whether future harm from a data security breach will materialize,' but also uncertain 'when such harm will occur.'"

The appeals court, however, indicated that the absence of demonstrated damage did not necessarily mean the case was invalid. "No long sequence of uncertain contingencies involving multiple independent actors has to occur before the plaintiffs in this case will suffer any harm," the judges wrote in their opinion.

Class-action lawsuits are often filed after healthcare provider security breaches, but they have in the past faced a high bar of proof. The latest ruling is significant because it departs from previous cases, which tended to turn on whether any actual damage had occurred.

Phil Stamnas Joins DestructData as Director Technical Services

Product Lifecycle Expert to Spearhead Growth in New Business Services

Dover, NH - DestructData, Inc. has announced the appointment of Phil Stamnas as Director Technical Services.

Stamnas brings ten years of experience working directly with engineering and product management professionals to develop and deliver software and hardware products from inception to release. He also has extensive experience in technical sales and networking solutions support, including switches, routers, and wired and wireless components. Stamnas' expertise spans field service, quality assurance, product support, systems engineering, compliance, and monitoring and analytics.

According to DestructData founder and president Michael Lawlor, Stamnas will be instrumental in developing new business opportunities for DestructData, including expansion of onsite data destruction and data center services, as well as client training.

“His experience with product lifecycles is key to his skills with both prospects and customers when dealing with mission critical procedures, policies and products,” said Lawlor.

Mr. Stamnas will operate out of the company’s headquarters in Dover, NH.