Early this year, the Bruyere Family Medical Centre in Ottawa warned its patients to keep an eye on their credit ratings because two of the clinic’s computers storing the personal information of about 60,000 patients from 1971 to 2006 were stolen last October. Just last week, the Canadian government admitted that servers based in China were used to gain unauthorized entry to computer systems in the Finance Department, the Treasury Board Office and the Defence Research and Development Canada.
Instances of data theft abound and many Canadian small and medium-sized businesses (SMBs) are beginning to take serious steps to protect themselves against cyber attacks. But apart from break-ins (physical or virtual), critical and sensitive information can also be lost when businesses decide to discard old files or machines, according to an executive of a local data destruction firm.
“It’s a common mistake for business owners to think that just because documents or data is of no use to them anymore that it will not be important for other people as well,” said Michael Collins, vice president of sales for the Canadian operation of Shred-it. The document destruction company has 140 offices in 14 countries and destroys an estimated 100 billion documents each year. The company also gets rid of data stored in digital media such as DVDs, CD-ROMs and hard drives.
Collins explained that various types of data, when improperly handled or disposed of, pose a risk to a business.
Different provinces may have varying laws regarding the privacy and security of employee records and client information. “But the bottom line is a company and its officials can be sued for failure to properly store or destroy such records,” said Collins.
Classified corporate information such as financial standings or proprietary data and plans can also end up in a competitor’s hands if they are discarded intact, he said.
A lawsuit or negative media coverage of a data leak has serious repercussions for a company, he said. According to Ernst & Young’s 2009 Global Information Security Survey, as much as 85 per cent of executives interviewed for the survey cited damage to reputation and brand as the most significant impact of a data breach.
Data buckets
The data most likely to be stolen is the information with the highest commercial value, according to James Quin, lead research analyst for Info-Tech Research Group in London, Ont.
He said information typically falls into two buckets – intellectual property and client/employee information.
“The former is generally attacked through targeted types of attacks and is generally business specific. The latter is usually attacked through a broad-based attack that is non-business specific,” said Quin.
Electronic records must be kept in secured systems “protected by firewalls and anti-malware at least and with restricted and monitored user access,” he added.
He also strongly recommended data encryption and secure shredding of documents upon disposal.
Protecting employee records
The protection of workers’ personal information is a primary concern for any human resources (HR) department, according to Sonia Singh, HR director for ITWorldCanada.com, a Toronto-based umbrella company for several print and online tech publications including ITBusiness.ca.
Employee records contain very personal data such as financial data, social insurance numbers, work performance, warning letters or even medical information that can be used for fraud, prejudice future career moves or cause embarrassment to the worker, said Singh. That is why companies are bound by privacy laws and compliance requirements to ensure that employee records are kept safe and viewed only by individuals who are lawfully allowed to see them.
“If any of that information is leaked, a company or its officials can be sued for damages and officials may even face imprisonment depending on the charges,” she said.
Hard copy employee records at ITWorldCanada are kept locked in a fireproofed safe. Digital records, such as letters to employees, payroll information and attendance records, are encrypted and password protected on company computers and backed up to the company server, said Singh. Employee performance reviews are kept in digital form with a third-party firm that holds the data off site.
An employee’s records are typically kept on site for seven years after the employee has left the company. After that, the data is filed offsite and then destroyed after 10 years.
Singh practices safe document handling procedures such as:
- Backing up data to the server every day
- Never leaving her laptop unattended
- Keeping her laptop password protected
- Encrypting files
- Relying on the added protection of payroll service provider ADP for payroll information
Auto backup of data is a good method of making sure a company retains information as “insurance against the day when the need to produce it comes up,” according to Matt Panchalingam, IT manager for ITWorldCanada.com.
“When an employee leaves the company for instance, it is standard procedure for me to undo the deletions that the employee has done in his machine,” said Panchalingam. The recovered data is then transferred to the company’s server.
This is not because the company is snooping on the worker, but is rather meant to make sure that the company has access to data stored in the machine “just in case it becomes critical to recover that piece of information,” said the IT manager.
Hypothetically, a subject of a story written by a reporter who has since left the company might lodge a complaint or suit against ITWorldCanada. “If we have access to the reporter’s data this could help us reconstruct some of the events that might have a bearing in the case,” Panchalingam explained.
Before discarding old computers, Panchalingam makes sure that they do not contain any hard drive. The computers are then donated to charitable organizations sans hard drive.
The IT staff “wipes” the hard drive clean with software that “totally erases” the data contained in the drive before it is discarded.
“Another surefire way of preventing data theft is to physically take a hammer to the hard drive making sure it’s smashed and rendered unusable,” said Panchalingam. He said there are data and e-waste companies that offer this service.
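The software wipe the IT manager describes, shown at the level of a single file as an added example (this is not code from ITWorldCanada, Shred-it or the article): the file's bytes are overwritten in place with random data and then zeros, flushed to the device, and only then is the directory entry removed. The sample payroll file is constructed for the demonstration.

```python
"""Overwrite a file's contents before unlinking it (added example).

Caveat a practitioner should know: this only reliably destroys data on
storage that writes in place (a magnetic disk with a non-journaling
filesystem). On SSDs, copy-on-write or journaling filesystems and cloud
block storage, the old blocks may survive an in-place overwrite. There the
sound options are full-disk encryption with key destruction, the drive's
own secure-erase command, or physical destruction as the article suggests.
"""
import os
import tempfile
from typing import Tuple

CHUNK = 1 << 16  # overwrite in 64 KiB chunks so large files do not sit in memory


def _overwrite(fh, size: int, random_data: bool) -> None:
    """Write `size` bytes of random data or zeros from offset 0 and fsync."""
    fh.seek(0)
    remaining = size
    while remaining > 0:
        n = min(remaining, CHUNK)
        fh.write(os.urandom(n) if random_data else b"\x00" * n)
        remaining -= n
    fh.flush()
    os.fsync(fh.fileno())  # force the overwrite out to the device


def overwrite_and_delete(path: str, passes: int = 2) -> int:
    """Overwrite `path` `passes` times with random bytes, once with zeros, then unlink.

    Returns the number of bytes overwritten per pass. A missing file raises
    FileNotFoundError, so a typo in the path cannot be mistaken for success.
    """
    size = os.path.getsize(path)
    # "r+b" opens without truncation, so we write over the already allocated
    # blocks instead of letting the filesystem hand us fresh ones.
    with open(path, "r+b", buffering=0) as fh:
        for _ in range(passes):
            _overwrite(fh, size, random_data=True)
        _overwrite(fh, size, random_data=False)
    os.remove(path)
    return size


def demo() -> Tuple[int, bool]:
    """Create a constructed sample file, wipe it, return (bytes wiped, still exists)."""
    fd, path = tempfile.mkstemp(prefix="payroll-sample-")
    with os.fdopen(fd, "wb") as fh:
        # Constructed placeholder content, 30 bytes per line, 100 lines.
        fh.write(b"SIN 000-000-000; salary 00000\n" * 100)
    wiped = overwrite_and_delete(path)
    return wiped, os.path.exists(path)


if __name__ == "__main__":
    print(demo())  # (3000, False)
```

The `fsync` calls matter: without them the overwrite may sit in the page cache while the unlink is committed first, and a power loss in between leaves the original blocks untouched.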
Rule of thumb
Collins of Shred-it said that ideally companies should have policies in place that specify which information should be kept and for how long, as well as which information should be destroyed and how.
“This depends on the nature of your business, what information you consider valuable and what legislations cover your operations,” he said.
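A retention policy only helps if it is checked against the records on hand. The following added example (not code from Shred-it, ITWorldCanada or the article) classifies records as retain, move offsite or destroy against a written schedule. The employee-file rule uses the numbers the article gives (seven years on site after the employee leaves, destroyed after ten); the other categories, the record format and the sample records are constructed assumptions.

```python
"""Classify records against a retention schedule (added example)."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Rule:
    onsite_years: int   # keep on site this long after the trigger date
    destroy_years: int  # destroy this long after the trigger date


# Constructed schedule. Only "employee_file" reflects the article's numbers;
# the other two categories are assumptions for illustration.
SCHEDULE: Dict[str, Rule] = {
    "employee_file": Rule(onsite_years=7, destroy_years=10),
    "sales_receipt": Rule(onsite_years=1, destroy_years=7),
    "marketing_draft": Rule(onsite_years=0, destroy_years=1),
}


def add_years(d: date, n: int) -> date:
    """Return `d` shifted by `n` years, clamping 29 Feb to 28 Feb when needed."""
    try:
        return d.replace(year=d.year + n)
    except ValueError:  # 29 Feb in a non-leap target year
        return d.replace(year=d.year + n, day=28)


def disposition(category: str, trigger: date, today: date) -> str:
    """Return 'retain', 'move_offsite', 'destroy' or 'review' for one record.

    A category missing from the schedule is reported as 'review' rather than
    silently kept or destroyed: the decision has to be made per category.
    """
    rule = SCHEDULE.get(category)
    if rule is None:
        return "review"
    if today >= add_years(trigger, rule.destroy_years):
        return "destroy"
    if today >= add_years(trigger, rule.onsite_years):
        return "move_offsite"
    return "retain"


def triage(records: Iterable[Tuple[str, str, date]], today: date) -> Dict[str, List[str]]:
    """Group (record_id, category, trigger_date) tuples by disposition."""
    out: Dict[str, List[str]] = {"retain": [], "move_offsite": [], "destroy": [], "review": []}
    for rid, category, trigger in records:
        out[disposition(category, trigger, today)].append(rid)
    return out


# Constructed sample inventory; trigger date is the departure or creation date.
SAMPLE = [
    ("emp-001", "employee_file", date(2000, 2, 29)),   # ten years elapsed
    ("emp-002", "employee_file", date(2003, 6, 15)),   # past seven, under ten
    ("emp-003", "employee_file", date(2010, 1, 10)),   # recent departure
    ("rcpt-77", "sales_receipt", date(2009, 11, 30)),  # past one year on site
    ("misc-1", "unknown_category", date(2011, 1, 1)),  # no rule written yet
]

if __name__ == "__main__":
    for bucket, ids in triage(SAMPLE, date(2011, 3, 1)).items():
        print(f"{bucket:13s} {ids}")
```

Run against the sample as of 1 March 2011 it puts emp-001 in the destroy bucket, emp-002 and rcpt-77 in move_offsite, emp-003 in retain, and flags misc-1 for review; the leap-day departure date exercises the date clamping.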
Here are some ways you can protect your data:
- Shredding the document or destroying the media before dumping them
- Incinerating documents
- Not passing information to unknown individuals or organizations
- Not providing information to unknown Web sites not certified by security authorities
- Keeping computers, laptops and personal effects that may contain data, such as cell phones and wallets, secure
To protect client information, businesses can:
- Shred sales receipts and old bills
- Destroy documents containing credit card numbers, addresses and phone numbers
- Employ third party protection to protect your network against hackers
How do you know if you need to destroy certain data?
“When in doubt, destroy it,” said Collins, “you might be better off having it gone than the information landing in the wrong hands.”
Nestor Arellano is a Senior Writer at ITBusiness.ca.