School Security Gap (with Related Video)
Jan 1, 2012 12:00 PM, By Steve Skurnac
How to protect student and employee information stored on discarded electronics.
Discarded electronics are vulnerable to thieves, who want to extract valuable student and staff data.
Data security breaches in the educational sector can be devastating to institutions and the students and employees they serve. They carry the potential for identity theft, violations of federal and state laws, and loss of trust of students, alumni and employees.
The Identity Theft Resource Center says that as of October 2011, education institutions in 2011 had experienced 47 breaches that affected 618,216 records. To combat the problem, education administrators have dedicated substantial resources to ensure their IT equipment is protected against hacker attacks, malware intrusions and phishing.
Too much school security is at stake—student academic, financial aid and health records; alumni and donor records; employee records; academic research; and other sensitive institutional data. Institutions must take seriously their responsibility to handle this information securely.
Latent Data Dangers
This sensitive data also could be at risk during routine IT equipment upgrades. Administrators may assume, incorrectly, that once old electronics are laid to rest, the data on them are, too. Yet the data lives on—not just on computer and server hard drives that have been declared obsolete or redundant, but across a wide range of devices, including printers, copiers, scanners and fax machines. Copier and printer hard drives, for example, contain readily obtainable data. Printable copies of applications, financial information, transcripts, registration forms, university records and donor records all can be found on end-of-life copiers and printers.
Furthermore, cell phones, PDAs and other smart mobile communication devices also retain confidential information, which because of memory storage is increasingly difficult to clear. Even basic network equipment such as switches and routers hold network-specific information that can leave an institution’s school security network vulnerable. Data disasters most commonly arise from a lack of due diligence.
Sitting Duck Data
As soon as technology leaves an education institution’s premises, the uncleared data becomes vulnerable. The gray market—where information and goods are sold outside authorized channels—is evolving and becoming more sophisticated to the point where solutions that might have worked in the past may not be adequate.
Thieves used to desire discarded machines for the commodities they contain, such as aluminum, copper and gold. Now, machines are coveted because of the confidential data that can be extracted. A year-long study of the online underground economy revealed that the potential value of advertised goods was in excess of $276 million. Credit card and bank account data were among the most popular goods routinely bought and sold by cybercriminals.
This should concern education institutions because of the variety of school security privacy regulations in effect. Institutions typically are subject to the data protection provisions of the Family Educational Rights and Privacy Act (FERPA), the Identity Theft and Assumption Deterrence Act (ITADA), the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act (GLBA).
Given stringent compliance requirements and the importance of maintaining the trust of those whose information they hold, how can education institutions guarantee data security? Many organizations facing similar issues turn to outside vendors specializing in electronics reuse and recycling.
An International Association of IT Asset Managers 2010 survey found that 74 percent of the organizations participating ranked data security and privacy as extremely important to their IT asset disposal (ITAD) program. This survey also found that 69 percent of these organizations outsource their IT asset-disposal programs. Among those who do so, 76 percent indicated that data security is either extremely or very important when choosing an electronics reuse and recycling vendor.
Yet, like every other industry, all reuse and recycling companies are not created equal. Therefore, it is vital that education institutions ask the right questions before selecting a vendor to remarket or recycle end-of-life electronics. Their reputations depend on making an informed choice.
Acceptable Use Policy blog comments powered by Disqus
