A Big Lesson From a $60M Fine for Poorly Performed Data Disposition

Posted by Frank Milia

Oct 13, 2020 9:59:39 AM

Last week the Department of the Treasury OCC levied a $60 million fine on Morgan Stanley for data breaches that resulted from poorly managed IT asset disposition projects associated with data center decommissioning activities in 2016 and additional disposal events in 2019.

In a recent consent order the OCC describes that the bank “…failed to effectively assess or address the risks associated with the decommissioning of its hardware; failed to adequately assess the risk of using third party vendors, including subcontractors; and failed to maintain an appropriate inventory of customer data stored on the devices.”

The responsibility to stop unauthorized access to protected data falls disproportionately on the data controller, in this case Morgan Stanley. Detailing all of the security controls required to lower risk would not be possible in this short article. In reality there is no one tool, vendor, process, method, policy, or procedure that one could point to that would have guaranteed the bank one hundred percent security.

Secure management of data disposition, especially for large enterprises, requires a robust program that includes policies, procedures, assigned accountability, employee training, contracting and vendor due diligence requirements, and a process for strict oversight of activities all working together to minimize the risk of exposure and regulatory non-compliance.  

From a reading of the OCC description quoted above it would be easy to characterize Morgan Stanley’s management of these data disposition activities as a failure by every measure. However, it is the following accusation by the OCC that most likely explains why the fine is so high: “The Bank failed to exercise adequate due diligence in selecting the third party vendor engaged by Morgan Stanley and failed to adequately monitor the vendor’s performance”.


Typically, regulatory fines are reduced when the organization under investigation is able to prove that reasonable steps to protect private data were taken. In other words, mistakes will happen, but if an organization can show that it has formal and documented data disposition procedures that include vendor due diligence, the penalties for an incident will likely be reduced.

At this time Morgan Stanley has yet to disclose the vendors utilized to perform these services. Considering the OCC’s claims that the bank failed to perform due diligence and oversight of the vendor’s practices, it is likely that Morgan Stanley is unable to effectively shift the liability and financial responsibility to the contractor.

Although there is no legal mechanism for Morgan Stanley to be indemnified from its regulatory obligations, it theoretically would be able to recoup some of the financial impact of the fine if there were well written contracts, documented performance testing and due diligence records.

Performing documented due diligence in vendor selection and ongoing auditing of a vendor’s practices will significantly reduce the financial impact of breach or other regulatory non-compliance by reducing fines and ensuring an effective method for suing vendors that break contractual obligations. Vendor due diligence should include documented investigation of a vendor’s policies, procedures, methods, breach notification systems, training programs, third party certifications and key management system protocols at selection and at minimum on an annual basis. 

In the simplest terms, it appears that Morgan Stanley did little to deter these breaches from occurring, and the impact of the breaches was multiplied by the inability to establish that any care was taken in its approach to data disposition and vendor management.

Every organization is at risk of a data breach or regulatory fine associated with poor data disposition. The only way to both minimize the likelihood of an exposure and reduce the financial impact if one were to occur is by investing in your data disposition program and ensuring internal and external stakeholders are regularly tested, results are documented, and corrective actions are implemented when applicable.


Topics: IT Asset Disposal, data breach, education & tips, IT Asset Disposition, Risk Management

Lowering the Carbon Footprint of IT Asset Disposition

Posted by Frank Milia

Feb 14, 2020 9:37:41 AM

We here at IT Asset Management Group (ITAMG) regularly come across regional organizations such as universities, hospitals, media companies and local banks that are engaged with disposal providers that ship their retired IT equipment several hundred or even a thousand miles away to be processed.

Regional businesses and generators can drastically lower their costs and carbon footprint by switching to local, certified, and qualified IT asset disposal providers. National and global enterprises have a more complicated challenge to reducing ITAD related emissions than their regional counterparts (a longer post for another day).

Due to this, I would argue regional organizations have an even higher environmental and social obligation to source local vendors and significantly outperform the environmental impact of their peers that have global footprints.


Local providers will also likely manage and operate in-house trucking, technicians and moving teams that will typically perform better and be held more accountable for performance at the client site than providers that exclusively rely on third party transportation resources.

By using local trucking companies you also reduce the risk of a breach event or exposure related to third party transport of the material.

Simply put, choosing local is good for our environment, improves the performance of the disposal program, and is better for your bottom line.

If your firm is a regional organization (or otherwise), please consider reviewing your program to see if lowering your carbon footprint through sourcing local vendors is an option available to you.


Topics: IT Asset Disposal, IT End of Life Strategy, ITAD, eWaste Disposal, Green Technology Procurement, IT Asset Disposal NY

Evaluating Data Destruction and Data Protection Compliance

Posted by Frank Milia

Aug 1, 2019 9:25:20 AM

As a NAID Certified Secure Destruction Specialist my goal is to offer information security and compliance professionals objective advice backed by experience, industry best practices and a keen knowledge of the applicable regulatory requirements. 

When working with organizations of all sizes, one of my consistent challenges is getting the various stakeholders to openly and honestly evaluate their data destruction and disposition program, identify blind spots, and allow me the opportunity to identify areas for improvement and risk mitigation.


Below are some of my questions to open up a conversation with folks who are willing to perform a self-evaluation and begin the process of assessing their data disposition practice.

  1. Do we have a contract in place with our current downstream data disposition providers?
    a. Does this contract include breach notification requirements?
    b. Does this contract include definitions of data protection service levels and data destruction deliverables?
  2. Do we use multiple downstream data disposition providers (example: e-Waste goes to a recycler but media goes to a document destruction company)?
    a. If so, how do we control which vendor is liable if a breach occurs?
  3. Have we formally vetted our downstream data disposition providers?
    a. Have we evaluated and vetted the third party certification(s) that our provider holds?
    b. Have we documented our vendor’s policies, procedures, downstream charts, and third party certificates?
    c. Are we annually checking in with our vendor for updates to policies, procedures, downstream charts and third party certificates?
  4. Do we have written policies and procedures for our data protection program?
    a. If we perform data destruction internally, are the processes formally documented, including confirmation of results?
    b. Do we have an assigned person in charge of compliance?
    c. Do we have formal training for employees and documentation of such training?
    d. Do we have employee acknowledgement in writing of acceptance of data security responsibilities?

I urge everyone to ask these questions and evaluate the answers that come back.  

Once these answers are provided, we can provide suggestions to ensure better security or regulatory compliance.  If the answers all seem satisfactory, there is always an opportunity to dig deeper to find where other improvements can be made and to make sure the organization is documenting the program's success effectively.

Data security and data protection compliance are a moving target. Evaluation and audit of your data disposition program should be on a regular schedule, including at minimum an annual review of any of your contractors or internal operators.


Topics: IT Asset Disposal, data security, data destruction, IT Best Practices, Information Security

Lessons from Arrow’s Closure of IT Asset Disposition Business

Posted by Frank Milia

Jul 22, 2019 6:30:27 PM

 

Last week Arrow Electronics Inc. announced that it would be shutting the doors on its IT asset disposition service business, leaving the industry dumbfounded and thousands of customers concerned with how to proceed with their day-to-day disposal requirements.

Although Arrow has claimed the USA operations will remain active until the end of the year, we have received several reports from Arrow’s customers that Arrow will stop accepting assets for disposal shortly after this month.


If you are a current customer of Arrow or otherwise depend on a single service provider for your global asset disposition services, there are some lessons to take away from this as you look to source your next provider.

 

The largest vendors don’t necessarily offer more stability or security

Many businesses signed on with Arrow because they liked the security of working with a fellow Fortune 500 company. Arrow actively sold these businesses a narrative that it was a more stable option than the smaller boutique providers since it had the capital and infrastructure necessary to support the largest customers. Ironically, in the end Arrow’s decision to end the ITAD service line is at least partly because it is such a large public company and needed to cut expenses from a small business unit to avoid having to repeatedly publish poor earnings reports.

I do not agree with Arrow’s claim that it is leaving the ITAD space because it is not a sustainable business model. There are plenty of healthy and capable ITAD providers that offer this service as their exclusive business model. For instance, my firm IT Asset Management Group has been operating in the space for almost 20 years and we forecast continued year over year growth.

It is important to at least consider setting up a multi-vendor option for disposition and data destruction services.

As an IT asset disposition provider I’m happy to hear our customers want us as a single provider for their disposal and data destruction needs. However, I suggest to all of the largest customers, especially those with a significant global footprint, that they consider having multiple vendors to properly cover their needs.

Arrow is dropping out with very little notice, and many customers are concerned about establishing new vendors under deadlines that large organizations worry they will struggle to meet. By vetting and properly contracting multiple vendors to cover your disposition and disposal needs, you will protect your company from a vendor leaving the market or otherwise underperforming to a degree that would require a switch in providers.

Over the years we have worked with many customers that have a huge footprint in the USA and want us to cover their much smaller footprint globally.  The most successful of these customers have leveraged our company to receive lower cost services and more competitive asset recovery value returns on their larger sites in the USA and relied on a network of regional partners to cover their smaller global offices.  For many of our clients we do also manage the international disposal network via our own substantial team of capable partners.   

The customers that have been able to remain more flexible in their approach not only perform better financially, but are also better set up with redundancies and have avoided the stress that so many others are feeling from Arrow’s sudden announcement to quit ITAD.


Topics: IT Asset Disposal, IT End of Life Strategy, Management Tips, IT Asset Disposal NY, IT Liquidation

Maintaining Rational Policies in the Face of Failure

Posted by Frank Milia

May 29, 2019 2:48:09 PM

When we fail in life, especially at our security, we tend to overreact and make quick and sweeping changes. If you leave your door open and your home is burglarized, moving out of your neighborhood or installing a state of the art security system may be an irrational response compared to locking your doors from now on. When implementing changes, it is important to address the specific cause of the failure and not let fear of recurrence cloud the way you make improvements.

When organizations uncover regulatory data protection non-compliance or suffer the consequences of an outright data breach, many times they struggle to implement corrective actions that address the root cause of the issue, or they implement new policies that adversely affect the business and fail to address the deficiency head on. Security, IT, and compliance stakeholders need to stay focused on resolving the cause of an issue and not be distracted by fear or be rushed into implementing hastily designed corrective actions.


To illustrate this point I will describe a common scenario I have witnessed with clients to whom I provide data disposition and regulatory compliance consulting as well as IT asset disposition and data destruction services.

Scenario:

A large financial institution has internal policies and procedures to perform erasure of hard drives prior to performing lease returns and disposal of retired assets. The firm is notified that a shipment back to a vendor contained drives that were not wiped. The drives were encrypted, so at the time of this event there were no regulations in the USA that would consider this event a breach requiring disclosure. However, the company’s internal policies and procedures were not followed, therefore an investigation and corrective action were required by internal stakeholders.

The company identified the risk as coming from allowing erasure and reuse of the hard drives and implemented a new policy and procedure that all hard drives would now have to be physically destroyed before disposal or lease return. Although one could argue that this approach makes sense considering the high cost and risk of a data breach, it is actually a flawed response that does not address the root cause of the non-conformity (an employee’s actions failed to adhere to company policy).

When I analyze and investigate events like this, common root causes tend to include:

  1. Technician(s) failed to erase drives and document the erasure as designed and provided for in the existing management system
  2. Management system failed to assign accountability for such events
  3. Technician(s) not properly trained, or no documented training sessions found
  4. Routine audit of applicable work not practiced
  5. Process for erasure and equipment returns lacked redundancies, spot checks, and/or verification steps to ensure compliance
  6. Inadequate managerial oversight or approval system in place for data destruction and return management
  7. Detailed processes and workflow procedures poorly documented, or nothing in writing found

The client’s response of requiring on-site destruction of all media does not address any of the issues noted above. The firm can change the method, destruction tool, and policy, but without addressing the core deficiencies in the management system, procedures, training, and redundancies, the threat of a non-conformity or an event that leads to a data breach remains.

Not only has the firm made a policy change that will cost millions of dollars in lost revenue from resale and increased lease return fees, but it has also done little to reduce the risk stemming from the lack of accountability and the imperfect system that led to a technician shipping a device with live data still residing on the hard drive. This same flawed system, left unchanged other than the method of destruction, will likely lead to a technician again shipping a device with a hard drive that was neither wiped nor physically shredded.
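As an added example of the verification and approval steps that root causes 5 and 6 above call for (this is illustrative code, not part of the original post or the client's system), the following Python script reconciles a lease-return manifest against the erasure tool's log before a shipment can be released, holding any drive with no record, a failed wipe, or an unverified wipe. The manifest, log entries, field names and technician names are constructed for illustration.

```python
"""Pre-shipment verification gate for a drive-erasure program (added example)."""
from dataclasses import dataclass, field

# Constructed sample data: the outbound lease-return manifest and the log
# written by the erasure tool. Serials and technicians are hypothetical.
MANIFEST = [
    {"asset_tag": "LT-1001", "drive_serial": "WD-AAA111"},
    {"asset_tag": "LT-1002", "drive_serial": "WD-BBB222"},
    {"asset_tag": "LT-1003", "drive_serial": "ST-CCC333"},  # never logged: the post's failure mode
    {"asset_tag": "LT-1004", "drive_serial": "ST-DDD444"},
]

ERASURE_LOG = [
    {"drive_serial": "WD-AAA111", "result": "PASS", "verified": True, "technician": "t.lee"},
    # Wipe ran but the post-wipe read-back verification was skipped.
    {"drive_serial": "WD-BBB222", "result": "PASS", "verified": False, "technician": "t.lee"},
    {"drive_serial": "ST-DDD444", "result": "FAIL", "verified": False, "technician": "j.ortiz"},
]


@dataclass
class GateResult:
    cleared: list = field(default_factory=list)   # serials allowed to ship
    held: dict = field(default_factory=dict)      # serial -> reason it is held


def verify_shipment(manifest, erasure_log):
    """Reconcile every drive on the manifest against the erasure log.

    A drive is cleared only when at least one log entry shows a PASS that was
    verified; otherwise it is held with the most specific reason available.
    """
    by_serial = {}
    for rec in erasure_log:
        by_serial.setdefault(rec["drive_serial"], []).append(rec)

    result = GateResult()
    for item in manifest:
        serial = item["drive_serial"]
        recs = by_serial.get(serial, [])
        if not recs:
            result.held[serial] = "no erasure record"
        elif not any(r["result"] == "PASS" for r in recs):
            result.held[serial] = "erasure failed"
        elif not any(r["result"] == "PASS" and r["verified"] for r in recs):
            result.held[serial] = "erasure not verified"
        else:
            result.cleared.append(serial)
    return result


def release_shipment(manifest, erasure_log, approver):
    """Managerial approval step: the shipment is released only when the gate
    holds nothing and a named approver signs off, giving accountability."""
    result = verify_shipment(manifest, erasure_log)
    approved = not result.held and bool(approver)
    return approved, result
```

Running the gate on the constructed data clears only WD-AAA111 and holds the other three, so the shipment is not released until the held drives are re-wiped and verified or pulled from the manifest.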

Security is too often judged by a consensus of feelings. Many times even the most sophisticated organizations and experienced practitioners will make irrational policies based on how a policy makes them feel. In this case, although the financial firm’s policy to destroy the drives does not address the root cause, it does make the firm feel more secure now that all drives will be destroyed. Organizations incorrectly choose abrupt and elementary policy changes rather than more complicated procedural updates that require greater oversight and investment but will more effectively address deficiencies.

As security professionals we need to analyze the logical and empirical security deficiencies, prescribe solutions based on the root causes, assign accountability, and test and evaluate our systems and programs, all the while taking care to prove the value of such investment to the business’s stakeholders. When changing policies in the face of failure, it is important to remove fear from the equation and focus on addressing the problem with a clear mindset.


Topics: education & tips, IT Best Practices, IT Management, Risk Management, Information Security
