This article is intended to help law enforcement agencies to understand the importance of utilizing a data erasure disposal policy that securely deals with the unclaimed electronics in their possession. It will guide you through the process of evaluating your current electronics disposal method. We will delve into the basic technical requirements your process should meet and how you can ensure your disposal method protects the owner’s information and your agency’s reputation.
It is no secret that smartphones, tablets, laptops, smartwatches, and other portable electronic devices contain a treasure trove of sensitive data. If these items were to end up in the wrong hands it could violate the original owner’s privacy, putting them or their loved ones in danger. It can also bring potential liability upon the law enforcement agency that oversees these items. It is incumbent upon the Property & Evidence Department to dispose of these items in a secure manner that protects the owner’s privacy as well as the reputation of the agency. Ensuring that these electronic devices are purged in a secure manner is an area that is often overlooked.
Let’s look at two possible scenarios:
Scenario 1: A teenage girl loses her phone. It is found by a local citizen who does the right thing by turning it into their local law enforcement agency for safekeeping. Since the phone was never claimed by the owner, the phone is then turned over to be sold at auction. The winner of the auction, who has a nefarious reputation, can now access the private information of this teenager and cause harm to this person and/or her family and friends.
Scenario 2: A charity receives donated electronic devices from their local law enforcement agency. The charity sells these devices to an electronics recycler, who in turn sells them without ensuring the data is deleted. To his delight, the buyer of the device finds innocent family photos of the children taking a bath together. Not only does this person now have access to these photos, but he also likely has the contact information of the family that the device once belonged to. Law enforcement effectively just gave these photos to a man who intends to share them with his network.
In both scenarios, the law enforcement agency could face liability along with negative publicity since they did not dispose of the devices in a safe and guaranteed secure manner.
DEFINING "SECURE:" WHAT DOES SECURE DISPOSAL ENTAIL?
There are two basic components to a secure electronics disposal program:
1. All data must be permanently erased from working devices.
2. Any device that cannot be erased must be recycled in a manner that protects the data from being recovered at a future time.
Erasing devices is not simply a matter of performing a factory reset. The factory reset process does not always erase the data. CLICK HERE for a 2-minute video demonstration of just how easy it is to recover data visit.
To ensure that data on devices is not recoverable, each device must be erased in compliance with minimum industry standards. Using a disposal company that utilizes a third-party, licensed erasure software can ensure that devices are erased to current industry standards. Additionally, third-party verification ensures the integrity of your erasure process.
Below is a list of the minimum standard by device type:
iOS – Cryptographic Erase Android – Character Overwrite NIST SP 800 Flash Memory – Character Overwrite DoD 5220 Hard Drives – Character Overwrite DoD 5220
Not all devices can be adequately erased. Some will not power on, are damaged, or are obsolete. These devices must be recycled by a certified R2 recycler. An R2 recycler strictly follows both environmental and security standards for the electronic recycling industry.
WHAT METHOD SHOULD I CONSIDER WHEN DISPOSING OF DEVICES?
SMASHING DEVICES: One way some choose to purge the devices in their possession is to smash them. This is not effective, nor is it secure. Secure data erasure recycling facilities have helped law enforcement agencies recover data from destroyed devices on multiple occasions. The device itself may be destroyed, but the data contained in it is still very much alive.
ONLINE AUCTION: Selling items through an online auction site may sound attractive, however, consider two items of utmost importance:
Protecting the sensitive information contained on the device
Protecting your agency
If you elect to sell devices through an auction site, make sure the company you choose GUARANTEES the complete erasure of data. Read all terms and conditions carefully. It is common for auctions to use terms like “Certified Data Erasure” or “Secure Data Destruction”, but they employ processes that DO NOT ensure complete data erasure. Some even say so in their user agreement – terminology such as: “we assume no liability” or “we do not guarantee we will erase all data on devices”.
WHY IT MATTERS
The 911 Cell Phone Bank (911CPB) is a nonprofit 501(c)(3) organization that securely recycles devices for law enforcement agencies at no charge. They purchased 10 smartphones from a popular online auction site that sells items on behalf of law enforcement and public agency clients to see if there was, indeed, data left behind. Many of the smartphones listed on this auction site are sold in “as-is” condition. Devices are listed as "untested due to the fact it does not power on, does not take charge, sold as-is, for parts, may be account or carrier locked". Remember, untested essentially means uncleared. James Mosieur, Director of the 911CPB, notes what was found on these 10 devices:
Two devices were simple feature phones with no user locks. All data on the devices were still available.
Two iPhones were iCloud locked. Data was encrypted and we were unable to recover any data.
One Android smartphone was unable to be repaired and we were unable to recover any data.
Three Android smartphones were repaired. These devices had no user lock. Photos, videos, text messages, and contacts were easily recovered.
Two Android smartphones were repaired. They had user locks, however, after a factory reset, photos (including pornography), videos, text messages, and contacts were easily recovered.
HOW DO I CHOOSE?
Regardless of who is processing devices on your behalf, be certain to get satisfactory answers to the following questions:
WHO IS PROCESSING THE DEVICES? First, determine who is doing the actual processing of the devices. Most charities simply pass the devices on to a third party to process and sell. If your agreement is not with the third party itself, then should a data breach occur, you could be held liable for any damages sustained by the original owner of the device.
WHAT ERASURE STANDARD DOES THE THIRD-PARTY PROCESSOR USE? Most organizations, non-profit and for-profit alike, simply use the built-in factory reset or ‘hard reset’ as some refer to it, to clear devices. As the video referred to above proves, factory resets don’t always delete personal data. Make certain the processor you choose adheres to the minimum standards listed above. Otherwise, you leave your agency open for liability. If your processor relies only on factory-resetting devices, find a new processor! Regardless of the good that may be accomplished, they are leaving your agency unnecessarily exposed to potential liability.
CAN YOUR PROCESSOR PROVE THAT THE DEVICES ARE BEING ERASED PROPERLY? Many organizations will simply assure you that the devices are being erased properly. That’s why third-party verification is important. Without it, you must take the word of the processor. However, with it, a qualified third-party software provider will confirm the device has been erased. Most processors do not use third-party software because of the cost since licensing can cost tens of thousands of dollars per year or more.
DOES THE PROCESSOR OPERATE A SECURE FACILITY? Most facilities have basic security like an alarm system and deadbolts on the doors. However, since portable electronic devices are just that - portable - there must be increased security inside the processor’s facility.
BACKGROUND CHECKS: A background check helps to identify applicants that have a criminal past. While someone with a past may qualify to work in other capacities, they should never have access to devices that contain private and personal data.
SECURE PROCESSING AREA: The processing area must be secure with locking doors and be accessible only by staff that has a legitimate reason to enter. Doors from the secure processing area must not open to the outside of the building.
SECURITY CAMERAS: Good surveillance, whether live-monitored or recorded, discourages theft and pilfering. Since the processor will have memory cards and thumb drives that can easily be slipped into a pocket before erasure, cameras in the entire facility are a necessary deterrent.
ALARM BACKUP AND MONITORING: The facility’s security alarm must be monitored. In addition, it should have a battery-powered wireless backup that allows it to continue to operate if the phone lines or power is disabled.
DO THE PROCESSOR'S INTERNAL POLICIES ENSURE SECURITY? Extra care must be taken when hiring and managing employees, and when handling shipments. Policies that ensure that the law enforcement agency’s data will be protected while under the control of the processor are imperative. Below is a list of minimum policy requirements that should be in place.
Personal items that can be used to steal or pilfer, such as jackets with pockets, lunch boxes, purses, backpacks, etc., should not be allowed in the processing area.
As shipments are received, they must be immediately secured in the processing area. Shipments should never be opened outside of the secure processing area. If devices are removed by the processor or their representative, they must be properly secured before removal (i.e. – Are boxes taped? Are they being transported in a vehicle that can be locked?...etc.)
Only necessary staff who have had a background check should have access to the secure processing area. It should be clear as to who is authorized to enter the secure processing area, and what the consequences are for unauthorized entry. Visitors should not be allowed in the secure processing area.
Devices that have not been erased should not be taken outside of the secure processing area.
Does the processor have a professional liability insurance policy? Mistakes do happen. Your processor should have a liability policy that covers them if they are negligent in the service they provide, and private information is exposed. They should have no problem adding your agency as an additional insured on the policy.
Does the processor use a certified R2 electronics recycler to recycle broken or obsolete devices? Proper disposal of broken or obsolete devices goes beyond the environmental aspect. Using a certified R2 recycler ensures that devices that cannot be erased are destroyed.
As you can see, there are many variables to consider when ensuring that devices leaving the care of your agency are disposed of in the most orderly and secure manner.
WHAT NOW?
Handling electronic devices from your agency is more important than ever before. The way your agency chooses to dispose of purged electronic devices matters. Showing as much concern for private data after the device leaves your property room can protect your agency and build trust from within your community.
Since 2004, the 911 Cell Phone Bank has been working with law enforcement agencies to provide guaranteed secure disposal of electronic devices. The service they provide is 100% FREE including shipping costs. Every erasure is tested, certified, and approved. To date, over 150,000 phones have been repurposed and used as emergency devices to help vulnerable persons contact 911 in an emergency.
To arrange for a donation of devices, or to request emergency phones for your Victim Agency Unit to assist victims of human trafficking and domestic violence, please contact: 911cellphonebank.org | 866-290-7864 | info@911cellphonebank.org
Take the necessary steps today to protect your agency’s reputation far into the future.
#lawenforcement #police #propertyroom #propertyandevidence #securedisposal #recycle #gogreen #environment #saveourearth #security #lostandfound #unclaimed #victim #humantrafficking #domesticviolence #secure #911cellphonebank #disposal #electronics #smartphone #cellphone #tablet #laptop #devices #guaranteed #free
Comments