Donating Old Equipment: Good to Do ... If You Don't Violate Privacy Laws or Break the Public Trust
By Steven Lerner-Wright
It's nearing the end of the year, a time when organizations and
individuals are encouraged to donate used computers and networking
equipment to charitable organizations. Making such donations may
not only garner tax deductions; it's also a good thing to do.
The demand for used computers is substantial. For instance, the
nonprofit Goodwill Industries of Orange County, California, maintains
a computer outlet that sold more than $650,000 in used computer
and networking equipment last year. Each week the organization receives
nearly 30 truckloads of used goods, including used IT equipment
that Goodwill Industries refurbishes, recycles or resells.
According to Randy Taylor, Director of Facilities for Goodwill
Industries of Orange County, computers and computer hard drives
are among the donations received, representing nearly 16% of all
IT equipment donated.
In addition, Taylor estimates that large- to medium-sized enterprises
and government agencies contribute nearly 15% of the donations
Goodwill Industries receives.
Before an enterprise makes a donation, however, IT security managers
should make sure they're not running into legal trouble.
State and federal privacy laws require businesses and government
agencies to make sure they've protected data files stored on
computer hard drives -- even those they no longer possess. A growing
number of regulations spawned by HIPAA, the Gramm-Leach-Bliley Act
and the FACT Act include similar restrictions. Violations of these
laws could result in civil action, either to recover damages, secure
injunctive relief, or invoke other "remedies available under
law."
In California, three relatively recent laws can have a big impact:
- AB 1950, signed into law September 2004 and effective immediately,
requires businesses that store or manage "private" information
of California residents to provide "reasonable security"
of that private information. Reasonable security is not spelled
out in the legislation.
- SB 1386, California's Data Breach Notification Law, effective
since July 2003, requires any businesses or government agencies
doing business in California to notify California residents when
unencrypted personal information is exposed. This legislation
specifically exempts encrypted data.
- AB 2246, effective January 1, 2001, requires businesses -- before
they dispose of data files -- to "take all reasonable steps
to destroy" records that contain "personal information"
of California residents by "(1) shredding, (2) erasing or
(3) otherwise modifying the personal information in those records
to make it unreadable or indecipherable through any means."
In each case, encryption eliminates the risk of accidental exposure.
Merely sending confidential files to, say, the Windows Recycle
Bin does not, because the deleted data can remain on the disk
even after the bin is emptied.
The risks are genuine and often overlooked. In a demonstration
led by Simson L. Garfinkel, an MIT research team recovered sensitive
information from discarded hard drives. Data on the drives could be
easily recovered, frequently without requiring any sophisticated
forensics tools.
The MIT team's observations and recommendations were as follows:
- Users and their administrators need to be educated about the
dangers of leaving information on old hard drives, and organizations
must develop policies and procedures for protecting sensitive
information.
- Third-party vendors should encourage the use of encryption to
minimize the risk.
- Hard disk makers should integrate automated and transparent
cryptographic technologies that would automatically protect all
data stored on the hard drive.
To read the complete results and recommendations of the MIT study,
see: http://www.computer.org/security/garfinkel.pdf
Also, if you are based in the US and want to donate your old computer
and networking equipment to Goodwill Industries, please note this
advice offered by Christine Bragal, Director, Media Relations:
Not all Goodwill agencies accept computer donations -- it
is important to note that donors should contact their local Goodwill
before donating them. To find their local Goodwill, donors can either
call (800) 664-6577, or use the online ZIP code locator at www.goodwill.org.
Also at that web site, in the newsroom section, you'll
find a computer donor tip sheet which might be helpful as well.
Compliance: Data Security Regulations Do Include Some Penalties
By Steven Lerner-Wright
A recent editorial by Illena Armstrong, the USA Features Editor
for SC Magazine, claims that data security regulations work when
they're backed by significant economic and legal consequences.
This prompts a question: Just what are the current penalties for
failing to follow current US data security and privacy regulations
and laws?
A brief scan uncovered a few serious consequences. Fines and imprisonment
are possible under the Health Insurance Portability and Accountability
Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA) and California's
Data Breach Notification Law, SB 1386.
In addition, however, we also found evidence that data security
breaches can hit shareholders -- in the wallet.
HIPAA Penalties
HIPAA specifies that organizations that are negligent about protecting
sensitive patient health information may face a penalty. The penalty
specified in the HIPAA legislation for negligent non-compliance
is $100 per incident, with the cumulative financial penalty not
to exceed $25,000 in a given calendar year.
However, the penalty for deliberate criminal theft and misuse of
sensitive patient health information is more severe. If a person
is convicted of accessing patient data with criminal intent, the
fine could be $50,000 to $250,000 depending on how the data was
meant to be misused.
The enforcement agency is the US Department of Health and Human
Services, which would have to lodge a complaint against the offending
organization and initiate administrative hearings. To date, one
person has been penalized for violating the HIPAA Privacy Rule,
which took effect April 2003. The HIPAA Security Rule takes effect
April 2005.
For more about HIPAA penalties, see proposed text for 45 CFR Part
160: http://edocket.access.gpo.gov/2003/pdf/03-9497.pdf
GLBA Penalties
GLBA also specifies penalties for deliberately stealing sensitive
financial information for use in committing a crime. The law reads:
Whoever knowingly and intentionally violates, or knowingly
and intentionally attempts to violate, section 6821 of this title
shall be fined in accordance with Title 18 or imprisoned for not
more than 5 years, or both. In addition, stealing or knowingly
possessing stolen property that crosses state lines could result
in 10 years imprisonment.
Enforcement agencies include the Federal Trade Commission, Federal
Deposit Insurance Corporation, Office of the Comptroller of the
Currency and the National Credit Union Administration.
The law concerning Criminal Penalties under GLBA can be found
at: http://www.ftc.gov/privacy/glbact/glbsub2.htm
An interesting side development took place this summer. President
Bush signed the Identity Theft Penalty Enhancement Act into law.
The new law mandates increased prison terms of two to five years
for aggravated ID theft violations, including violations
of GLBA. The new law does not impose any new requirements on companies
to increase their protection of Social Security Numbers or other
personal information.
See http://thomas.loc.gov/cgi-bin/query/z?c108:h.r.1731:
See also White House reaction to consumer questions at: http://www.whitehouse.gov/ask/20040715.html
SB 1386 Penalties
This law, which requires businesses to notify California residents
whenever unencrypted personal information has been breached, offers
no specific penalties. The law reads:
1798.84. (a) Any customer injured by a violation of this title
may institute a civil action to recover damages. (b) Any business
that violates, proposes to violate, or has violated this title
may be enjoined. (c) The rights and remedies available under this
section are cumulative to each other and to any other rights and
remedies available under law.
With this law, however, the potential financial costs of having
to comply with the notification provisions may be the real source
of pain. For instance, the editors of The StrongAuth, Inc. Newsletter,
attempting to estimate possible costs to Wells Fargo & Company
when a laptop containing unencrypted sensitive data on 200,000 Californians
was stolen, pegged the losses to the bank (and its shareholders)
at $1.5 million to $1.8 million.
The text of SB1386 can be found at: http://www.privacy.ca.gov/code/cc1798.291798.82.htm
The StrongAuth Inc Newsletter article can be found at: http://www.strongauth.com/newsletters/2003Dec05.html
Reduced Market Valuations
The impact of data security breaches on shareholders is another
angle to consider, especially in light of the penalties and cost
impacts of failing to protect sensitive data.
A study by Professors Martin Loeb and Lawrence Gordon of the University
of Maryland's Smith School of Business demonstrated that theft
of sensitive private customer data -- credit card numbers, Social
Security Numbers, health information and the like -- can hurt shareholders.
Loeb and Gordon examined the impact of data security breaches on
stock market values. The study results showed that stock prices
were not significantly affected by most computer security incidents
-- except one.
When a security breach involved the disclosure of personal, private
data, such as credit card or health data, the effect was a marked
negative impact on the company's shareholders. Their
research demonstrated a reduction in market value of more than 5%
once the word got out that confidential customer information had
been stolen.
Loeb wrote about the results of his research in the article "The
Indirect Cost of Cybercrime," which was published in the April
13, 2004, edition of Bank Systems and Technology. An electronic
version appears here: http://www.optimizemag.com/article/showArticle.jhtml?articleId=18700435&pgno=4
The SC Magazine editorial that started this discussion can be
found at:
http://www.scmagazine.com/
So Why Aren't You Using Encryption Yet?
As the above articles suggest, organizations should pay careful
attention to data in their control -- especially the financial,
personal, and health data of their customers and constituents --
or they could face serious consequences.
Encryption is an inexpensive way of controlling access to sensitive
information.
For instance, if you donate 50 laptops to charity and every sector of
their hard drives is encrypted by default, then it doesn't matter
who has physical control of the drives. What matters is who controls
the access-control parameters of the encryption program, that is, its keys.
In addition, although some organizations use secure delete
programs that overwrite used sectors of a hard drive, encryption
offers a much stronger and frankly an easier method of guaranteeing
data protection because encryption works while the drives are in
use and after they have been retired. Simply encrypt the entire
disk itself, including space marked as free by the operating
system. Then, before discarding the drive, destroy the encryption
key.
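As an added illustration (not code from the original newsletter or from PC Guardian's product), the toy block device below shows the two points made above: a file "deleted" from a plain disk is still found by scanning the raw sectors, on a disk whose every sector is encrypted nothing is found, and once the key is destroyed even an intact directory entry cannot bring the data back. The Disk class, the SAMPLE record and the HMAC-based keystream are constructed for this example; the keystream stands in for a real disk cipher such as AES-XTS.

```python
import hashlib, hmac, os
SECTOR, SECTORS = 64, 8  # constructed toy geometry; real drives use 512- or 4096-byte sectors
SAMPLE = b"Patient 0042 SSN 000-00-0000"  # constructed sample record, not real data

def keystream(key, sector, n):  # HMAC-SHA256 in counter mode; stands in for a real disk cipher such as AES-XTS
    out = b""
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, sector.to_bytes(8, "big") + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

class Disk:  # toy block device: a flat bytearray of sectors plus a directory of name -> sector number
    def __init__(self, key):
        self.blocks = bytearray(SECTOR * SECTORS)
        self.directory = {}
        self.encrypted = key is not None  # None: plain disk, which is how most machines ship
        self.key = key
    def _xform(self, sector, data):  # stream cipher: the same XOR both encrypts and decrypts
        if not self.encrypted:
            return bytes(data)
        if self.key is None:
            raise RuntimeError("key destroyed: sector is unrecoverable ciphertext")
        return bytes(a ^ b for a, b in zip(data, keystream(self.key, sector, len(data))))
    def write(self, name, sector, data):
        data = data.ljust(SECTOR, b"\0")[:SECTOR]
        self.blocks[sector * SECTOR:(sector + 1) * SECTOR] = self._xform(sector, data)
        self.directory[name] = sector
    def read(self, name):
        s = self.directory[name]
        return self._xform(s, self.blocks[s * SECTOR:(s + 1) * SECTOR]).rstrip(b"\0")
    def delete(self, name):  # "emptying the recycle bin": the directory entry goes, the sectors stay
        del self.directory[name]
    def carve(self, needle):  # a raw scan of the retired drive that ignores the directory entirely
        return needle in bytes(self.blocks)
    def destroy_key(self):  # retiring the drive: forget the key instead of overwriting every sector
        self.key = None

def recoverable_after_delete(encrypted):  # write SAMPLE, delete it, then carve the raw device for the SSN
    disk = Disk(os.urandom(32) if encrypted else None)
    disk.write("patient.txt", 3, SAMPLE)
    disk.delete("patient.txt")
    return disk.carve(b"000-00-0000")

def readable_after_key_destroyed():  # directory entry intact, key gone: can the file still be read?
    disk = Disk(os.urandom(32))
    disk.write("patient.txt", 3, SAMPLE)
    disk.destroy_key()
    try:
        return disk.read("patient.txt") == SAMPLE
    except RuntimeError:
        return False
```

Running recoverable_after_delete(False), recoverable_after_delete(True) and readable_after_key_destroyed() gives True, False and False respectively: the plain disk still yields the record after deletion, the encrypted one never does, and losing the key is what retires the data.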
If you do this for every laptop and desktop in your organization,
you will be in compliance with the growing body of legislation focused
on mitigating and punishing identity theft and improper care and
management of sensitive third-party data.
What is more, if a computer -- or just the hard drive -- is either
lost or stolen, you'll never have to worry about implementing
a costly customer notification program.
Encryption Plus Hard Disk provides this simplest of solutions.
The software protects data on drives still being used by an organization
and provides a built-in "default" method of secure deletion.
It's also specifically designed to protect -- and recover,
if needed -- enterprise data.
A number of enterprises are using Encryption Plus Hard Disk to
protect data on hard drives and to remain in compliance with state
and federal privacy laws. These include Humana Inc., a leading healthcare
organization based in Kentucky, and Lincoln National Financial Advisors,
a leading financial planning organization based in Connecticut.
These are two of hundreds of firms making smart use of encryption
technology to avoid paying unnecessary penalties and costs, harming
their shareholders, or alienating their customers.
If you're planning on attending the RSA Conference this February
in San Francisco, be sure to visit the PC Guardian Technologies booth
for a hands-on demonstration of Encryption Plus Hard Disk.
For more about the RSA Conference, visit:
http://www.pcguardiantechnologies.com/press/PCG_Event_Calendar.html
Until then, keep your guard up!
ABOUT THE AUTHOR
Steven Lerner-Wright is the Marketing Communications Director at
PC Guardian.