1 April 2011
Simplifying data sanitization compliance: An analysis of the regulatory matrix points the way to safe harbor
In addition to better-known federal legislation such as Sarbanes-Oxley, FACTA and HIPAA, there are now 46 state and territorial laws that regulate the management of private electronic data. Two more major federal acts are also making their way through the U.S. Congress, one in the House and another in the Senate. In spite of the shifting political landscape, they have a high probability of enactment.
HR2221, the Data Accountability and Trust Act (DATA), is intended to establish a uniform set of regulations governing the collection and protection of consumers’ Personally Identifiable Information (PII); S.1490 is the Senate version of the same bill. If the past is any indication, impending initiatives to standardize data privacy protection via more legislation will produce the opposite outcome, but that is beside the point of this discussion.
Within this expanding body of legislation, there is significant variation in terms of purpose and scope. The individual acts differ with regard to the classes of entities covered, definitions of personal information, identification of agencies selected for rulemaking, enforcement and other considerations. Some are intended to promote transparency within a specific industry segment; others are written for the purpose of expanding the use of electronic records. Civil and criminal penalties for failure to secure private data also differ from law to law, the common feature being a markedly upward trend in recent years. Criminal penalties now augment civil fines.
Regardless of other variations, recent privacy legislation consistently includes two common requirements—establishment of formal data security programs and notification of individuals in the case of a data breach. As a key component of these mandatory data security programs, virtually every new law also includes a provision that covered entities must securely destroy end-of-lifecycle electronic private data. This is because, despite the focus on protecting data-in-motion, a significant percentage of data theft involves retired storage media.
This segment of privacy law is the topic of the following discussion. We believe there is a compelling argument that “real world” compliance in the somewhat narrow area of electronic data disposal and destruction is simpler than it appears. (I explicitly distinguish, by the way, “simpler” from “easier” in this context.) In this article, I hope to briefly distill the interpretation of regulatory data destruction requirements to a level at which practical strategy decisions can be made with some confidence.
There is a perception among some compliance professionals that they are up against an interlocking, conflicting and overlapping matrix of government oversight. They are essentially correct about the interlocking and overlapping characteristics, but the “conflicting” attribute is not actually the case. It is true that when one initially confronts the multitude of privacy legislation, it is far from clear what methods, procedures and technologies should be deployed for specific data destruction scenarios. However, a more comprehensive analysis of the current state of legislation reveals indicators that help us focus the search.
First, the specific technical nuts and bolts of data erasure and destruction are not referenced in any actual legislation language I know of, so it isn’t strictly accurate to describe a company or procedure as “FACTA compliant” or “HITECH approved.” Instead, the various legislative acts describe the intent of the law and then direct a government agency to develop real-world “guidance” that determines the rules governing practical execution.
Once the initial guidance or “rule” has been written, it is published in the Federal Register for public comment. Eventually the final rule goes into effect. Although many laws identify multiple agencies for oversight, the lead federal agency for rulemaking in this aspect of privacy law is often the Federal Trade Commission (FTC).
In terms of practical solutions then, a privacy or compliance professional will be looking to the guidance rule rather than to the legislation itself. Many laws reference the same rule. In almost every case we know of, these guidelines are expressly meant to be flexible and to be consistent with similar laws. Federal and state agencies are by their nature disinclined to establish new standards and best practices, especially in highly technical areas. By the same token, they are highly likely to incorporate language already used in other legislative guidance, meaning “best practices” are similar from one law to the next. Furthermore, most agency rulemaking specifies that compliance with rules imposed by other jurisdictions is satisfactory.
As a result, most federal guidance is notably (and perhaps notoriously) non-specific, tending more toward “examples” than requirements. The FTC describes its key Disposal Rule, for example, as allowing covered organizations to “determine what measures are reasonable based on the sensitivity of the information, the costs and benefits of different disposal methods and changes in technology.” Reasonability, of course, is a word that invites many alternative interpretations.
This self-referencing rulemaking process increasingly creates de facto adoption of the recommendations published in the National Institute of Standards and Technology’s (NIST) Special Publication 800-88: Guidelines for Media Sanitization. Issued in 2006, this analysis identifies multiple methods for destroying data on electronic storage media and ranks them according to security level. An example of high-profile guidance language from the HITECH Act is: “electronic media have been cleared, purged or destroyed consistent with NIST Special Publication 800-88 such that PHI cannot be retrieved.”
A number of legal experts have indicated that the language found in government data disposal rules in most cases establishes a safe harbor scenario for covered entities that have applied technologies and methods referenced in the guidance. A safe harbor is a provision of a statute or regulation that minimizes liability on the condition that the party performed its actions in good faith. Good faith is a term that also invites a range of alternative interpretations.
In general, government guidance does not require specific data sanitization methods, but acknowledges that if used, they will “create the functional equivalent of a safe harbor” for security levels below top-secret classification.
Nevertheless, it is important to note that data destruction solutions and products describing themselves as NIST-approved are also not being strictly accurate. NIST establishes guidelines. It does not approve or disapprove of any product. It is therefore up to the organization to match its objectives with a particular method or combination of methods.
The NIST 800-88 guidelines don’t eliminate the need to take relevant technical, cost/benefit, environmental and custody/control factors into consideration; rather, they provide an outline for evaluating these parameters. Similarly, the report clearly recommends that the data disposal process be well documented, but without spelling out specific protocols that would assure that goal. In a nutshell, the 41-page document provides a framework within which privacy professionals can implement data destruction solutions with a high degree of confidence that they are in compliance with this specific aspect of privacy law.
There are other standards that can apply to the destruction of electronic data, but they almost always apply to classified and top-secret data. Even so, the Department of Defense’s own Clearing and Sanitization Matrix references the NIST report in the following language:
“In addition, NIST Special Publication 800-88, Guidelines for Media Sanitization, dated Sep 2006, can assist organizations and system owners in making practical sanitization decisions based on the level of confidentiality of their information, ensuring cost effective security management of their IT resources, and mitigate the risk of unauthorized disclosure of information.”
In terms of specific technologies, the NIST guidelines deal with a manageable range of possibilities which are ranked according to security level. The methodologies are split between physical (or mechanical) destruction and non-destructive. Physical destruction ranks the highest in terms of security, but renders the storage media unusable. The non-destructive methods are described as purging and overwriting; they securely erase data without destroying the functionality of the hard drive or other electronic media.
Within any particular media storage scenario, IT managers should be able to choose one or more methodologies consistent with the scale of operations, business objectives, environmental considerations, security requirements and insurance-based considerations. As the discipline matures, more companies are seeking data disposal solutions within a greater business or mission context, such as the ability to maximize asset value through resale or recycling, or social and tax benefits through charity donation.
When establishing a data disposal procedure, an additional critical factor is verification of data disposal in a manner consistent with the data security program scenario. Given that paperwork is likely to remain a significant component of government compliance, the ability to document the data destruction process is as important as the method of sanitization itself. Especially in the case of a privacy breach, it will be necessary to show that data has been securely removed from electronic storage devices. Once a hard drive is physically destroyed, for example, it is no longer possible to prove that the data it contained was destroyed. Other parameters, such as physical location and access to the drive, are also part of this process.
For this reason, most enterprise-level erasure products are designed to generate a device list and audit logs that track hard drive serial numbers, date and time, erasure method, operator identification and other parameters as part of the data destruction process. In this sense, the level of verification selected for a given data sanitization environment should be seen as a factor in the disposal technology decision loop.
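As an added example, not code from the article or from any erasure product it mentions, the following Python script shows the verification-plus-audit-log pattern described in the two paragraphs above on an ordinary file standing in for a storage device. It overwrites the image in a single pass, reads back sampled blocks to confirm the overwrite actually landed, and emits a record carrying the fields the article lists (serial number, date and time, erasure method, operator). The device serial and operator name are placeholders, the SHA-256 over the record is an added tamper-evidence measure of my own rather than something the article prescribes, and a real device would need raw block access and, for SSDs, the controller's own purge commands, which a file-level overwrite does not reach.

```python
"""Added example: overwrite a file-backed media image, verify the overwrite by
sampling, and emit the kind of audit record the article describes.
Not code from the article or from any erasure product it mentions."""
import hashlib
import json
import os
import random
import tempfile
from datetime import datetime, timezone

BLOCK = 4096  # read/write granularity; a real device would use its sector size


def make_sample_image(path: str, size: int, seed: int = 1) -> None:
    """Constructed input: fill the image with pseudo-random bytes standing in for old data."""
    rng = random.Random(seed)
    with open(path, "wb") as f:
        f.write(rng.randbytes(size))


def overwrite_image(path: str, fill: int = 0x00) -> int:
    """Single-pass overwrite of every byte with `fill` (a 'clear' in NIST SP 800-88 terms).
    Flushes and fsyncs so the pattern reaches storage instead of sitting in a cache.
    Returns the number of bytes written."""
    size = os.path.getsize(path)
    chunk = bytes([fill]) * BLOCK
    written = 0
    with open(path, "r+b") as f:
        while written < size:
            n = min(BLOCK, size - written)
            f.write(chunk[:n])
            written += n
        f.flush()
        os.fsync(f.fileno())
    return written


def verify_image(path: str, fill: int = 0x00, samples: int = 64, seed=None) -> bool:
    """Read back the first block, the last block and `samples` random blocks and
    confirm each holds only `fill`. This is a spot check, not proof of every byte;
    a full read-back would visit every block instead of random ones."""
    size = os.path.getsize(path)
    if size == 0:
        return True
    rng = random.Random(seed)
    offsets = {0, (size - 1) // BLOCK * BLOCK}
    offsets.update(rng.randrange(size) // BLOCK * BLOCK for _ in range(samples))
    with open(path, "rb") as f:
        for off in sorted(offsets):
            f.seek(off)
            data = f.read(BLOCK)
            if data != bytes([fill]) * len(data):
                return False
    return True


def audit_record(serial: str, method: str, operator: str, bytes_written: int, verified: bool) -> dict:
    """Build the per-device log entry: serial, timestamp, method, operator, result.
    The SHA-256 over the entry (an added tamper-evidence measure, not from the
    article) lets a later reviewer detect an edited record."""
    rec = {
        "device_serial": serial,
        "timestamp_utc": datetime.now(timezone.utc).isoformat(),
        "method": method,
        "operator": operator,
        "bytes_written": bytes_written,
        "verification": "pass" if verified else "FAIL",
    }
    rec["record_sha256"] = hashlib.sha256(json.dumps(rec, sort_keys=True).encode()).hexdigest()
    return rec


def sanitize_image(path: str, serial: str, operator: str) -> dict:
    """Overwrite, verify, and return the audit record for one image."""
    written = overwrite_image(path)
    ok = verify_image(path)
    return audit_record(serial, "single-pass overwrite (clear)", operator, written, ok)


def demo() -> tuple:
    """Run on a temporary 1 MiB image: sanitize it, then simulate a block the
    overwrite missed and show that verification catches it.
    Returns (audit record, stale data detected)."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        make_sample_image(path, 1024 * 1024)
        record = sanitize_image(path, "SERIAL-PLACEHOLDER-0001", "operator-placeholder")
        with open(path, "r+b") as f:  # leave one stale byte in the always-sampled first block
            f.seek(17)
            f.write(b"\xff")
        stale_detected = not verify_image(path)
        return record, stale_detected
    finally:
        os.remove(path)


if __name__ == "__main__":
    rec, caught = demo()
    print(json.dumps(rec, indent=2))
    print("stale data detected after simulated missed block:", caught)
```

The point of `verify_image` running separately from `overwrite_image` is the one the article makes: the log entry should record what was read back from the device, not merely that a write was issued, and the record for a device that fails verification should say so rather than be dropped.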
The safe harbor benefit will accrue to organizations that choose an appropriate, verifiable NIST-recommended data disposal solution and apply it within a written, well-documented data security program.