The recent Blue Cross Blue Shield data breach highlights an often overlooked risk to data: recycled or unused hardware sitting in storage. In the BCBS example, 57 hard drives were stolen from a secure locker at a former call center location. The theft was not believed to have targeted the data; rather, it was the result of a burglar looking for hardware to steal and resell. Unfortunately for Blue Cross Blue Shield, the result was the same. Over $1.5 million in HIPAA HITECH fines and over $17 million in “corrective action” later, it is prudent to assume that the company wishes it had encrypted the data on the drives before storing them in the locker. By ensuring data is encrypted and strong key management is implemented, companies can minimize the risk of data exposure when drives are recycled or archived.

If the BCBS example is not convincing, consider that in 2009 sensitive US missile technology was found on a hard drive purchased from eBay. Or consider that blueprints and access logs for the German Embassy in Paris were purchased from eBay in France. Examples like these abound, and many companies find themselves on the defensive when a disk turns up with company information.