In the never-ending battle against identity theft, a proactive event recently took place in Texas: a company was charged with improperly dumping patient records. This was discovered before any actual identity theft was reported.

Per the Texas 2005 Identity Theft Enforcement and Protection Act: "A business shall implement and maintain reasonable procedures, including taking any appropriate corrective action, to protect and safeguard from unlawful use or disclosure any sensitive personal information collected or maintained by the business in the regular course of business. A business shall destroy or arrange for the destruction of customer records containing sensitive personal information within the business's custody or control that are not to be retained by the business by: (1) shredding; (2) erasing; or (3) otherwise modifying the sensitive personal information in the records to make the information unreadable or undecipherable through any means."

But there something that still bothers me about this act--the technical details. For example:

1. Shredding: cross-cut or strip cut?
2. Erasing: low-level multi-pass erase, zero out the data, or just delete the files?
3. Modifying sensitive data: change just the name and SSN, or include data of birth, address and any account numbers?

How an organization complies with this act and makes "the information unreadable or undecipherable through any means" remains open to interpretation. And that's the problem. Throwing strips of sensitive data into the dumpster instead of the actual documents isn't much of an improvement.

Organizations want to elicit the services security professional (e.g. a CISSP) to properly safeguard and dispose of their sensitive data, and to meet their legal obligations. Otherwise, they may be giving themselves a false sense of security.





More...