Gov’t data disposal methods found wanting
Unfamiliarity with modern technology and careless disposal of computers, BlackBerrys, photocopiers, removable ‘jump drives’ and the like have left the Cayman Islands government open to potential security threats from those who might use data left on those machines for untoward means.
That’s the finding of an investigation conducted earlier this year by the complaints commissioner’s office.
The 39-page report under the somewhat unassuming title of ‘The Appropriate Disposal of Electronic Data Storage Containers’ reveals some surprising cases where computers or other devices that contained sensitive information could have easily wound up in the wrong hands.
For example, complaints office Analyst Scott Swing notes one instance in his report where computers from the Portfolio of Internal and External Affairs were donated to the prisoner education programme at Northward Prison.
The hard drives (data storage devices) on those computers ‘could not be verified as having been wiped (cleared of information)’, according to a summary of Mr. Swing’s report.
The Portfolio of Internal and External Affairs is the civil service office charged with overseeing operations of the Royal Cayman Islands Police Service, Customs, and the Immigration Department, among others.
‘(The portfolio’s Chief Officer) was not aware of what (the computers) were being used for at the prison nor was he aware of what was done with them prior to sending them out to the prison,’ the complaints commissioner’s report stated.
In a separate case, a local charity had discovered several computers it was given still contained files stored by another government entity that deals with highly sensitive information.
‘While the charity administrator did not open individual files, (the) testimony leads to the conclusion that many files, including some which may have contained very sensitive personal information, and confidential communications with Cabinet, remained on these computers,’ Mr. Swing wrote in the report.
In a third instance, discarded office machines from another government entity had somehow found their way to the Cayman Islands Red Cross Thrift Shop where they were to go on sale to the public. One of those machines, a photocopier, contained a 40-gigabyte hard drive, a device with the ability to store a significant amount of information.
‘While these…incidents may have been isolated, and the information contained on the (data storage containers) may not have been capable of causing any harm if placed in the public domain, they could just as easily have contained information that had national security implications,’ Mr. Swing wrote in the complaints commissioner’s report.
There were several problems identified by the complaints commissioner’s office review, the first being that most of the government departments looked at during the investigation lacked effective disposal procedures for data storage devices, including government’s Computer Services Department, where many of the junked data storage devices were sent.
In most cases, no records were kept by government departments about where desktop computers went after they were finished using them; whether they were donated, stripped for parts, or simply tossed into the George Town Landfill. There were also no clear indications in many cases as to whether computer hard drives had been ‘wiped’ on those machines.
Officials at computer services told complaints commissioner’s analysts only the computer hard drives that were still to be used within government were re-imaged.
‘Once a hard drive was no longer of use to government, the Computer Services Department would take it to the landfill and destroy it with a sledgehammer,’ Mr. Swing notes in the report. ‘(Computer services) did not remove the platter from the casing but simply smashed up the whole case.’
Mr. Swing noted in his analysis that the practice of scavenging for spare computer parts at the landfill was known to be ‘growing’ and that more thorough data control and protection measures were needed.
The report also stated that there was a general lack of appreciation amongst the various ministries, departments and portfolios about the need for data protection. Mr. Swing opined that portable 8 Gigabyte ‘memory sticks’ or ‘jump drives’ that can contain all the word processing data handled by a civil servant in the course of one year were treated like pens or pencils.
‘It is not uncommon for these jump drives to go missing,’ Mr. Swing wrote.
The use of personal computers and their ability to retain personal information was an issue ‘that was beyond the technical expertise of many of the chief officers interviewed,’ Mr. Swing noted.
The complaints commissioner lauded several government departments and ministries for taking immediate steps to rectify the problem.
The Ministry of Education took steps to enact an electronic records disposal policy immediately, according to the commissioner’s office. The schools system had a separate IT management structure and had a satisfactory electronic data management policy, according to the complaints commissioner.
The Cabinet Office also promised to create a policy for handling electronic data disposal. Both the Portfolio of Internal and External Affairs, and the Ministry of Health acknowledged that the complaints commissioner’s investigation had been helpful in highlighting an important issue.