Running Down the Risks
For Corey Jenrich, IT manager at Community Bank in Pasadena, Calif., the specter of bad publicity and reputation loss loomed large should a laptop theft ever lead to data exposure. "If we have a breach, then we have to notify the affected customers and tell them that their data may be compromised," Jenrich says. "That's a huge reputation risk for us. It wasn't something that we could sit by and say, 'That's OK.'"
Jenrich opted for Lost Data Destruction from Beachhead Solutions Inc., which encrypts and eliminates all data on a lost or stolen laptop. He especially likes taking data encryption responsibilities from end users and giving them to administrators. "Beachhead looks at the extension of the file and says, 'I am going to encrypt you,' and [that process is] transparent to the end user. They have no idea it's happening."
Top-notch encryption is vital for financial institutions. If a laptop is stolen and a bank can prove that the data was encrypted, it nullifies the bank's obligation to notify customers, says Jenrich. To ensure that encrypted data doesn't end up in the wrong hands, Beachhead's pre-installed timer signals the software to overwrite the data, for example when a machine fails to connect to the bank's network within a certain period of time. The bank has also revamped its disposal of PC hard drives as the machines are decommissioned.
For 10 years, the bank accumulated some 300 PCs until it ran out of space. It pulled the drives out of the machines and called on a disposal company to wipe them clean. Then the bank bought WipeDrive software from WhiteCanyon Inc., which it uses to scrub the hard drives as the machines are decommissioned.
Many CIOs are well versed in the data-handling requirements of federal laws such as the Financial Services Modernization Act (also known as Gramm-Leach-Bliley) and the Public Company Accounting Reform and Investor Protection Act (also known as Sarbanes-Oxley). Now the Fair and Accurate Credit Transactions Act (FACTA) requires firms to address how they handle data disposal.
FACTA requires "any person who maintains or otherwise possesses consumer information for a business purpose to properly dispose of such information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal." The law's reach is also quite broad, affecting anyone "who maintains or otherwise possesses consumer information for a business purpose."
This was first published in October 2006