In an ideal world, recycling IT assets or sensitive documents would not pose a security threat. Unfortunately, as a Toronto health clinic recently learned, the world is far from ideal. In a widely publicized incident, the clinic’s private health records were literally blowing in the wind on a downtown Toronto street being used for a movie set. The clinic’s paper disposal provider, which offers both shredding and recycling services, mistakenly believed these documents were to be recycled. The company subcontracted the paper to another recycling company, which in turn sold it to the film production company.
“Recycling has merit – but it does not necessarily provide security,” says dataXile principal Joseph Bozic. Mr. Bozic, whose company provides secure data disposal for IT equipment, adds, “Similar breaches could occur with electronic data stored on IT assets. While there are numerous recyclers in the market interested in recovering value from discarded computer equipment, few of these companies are concerned with the secure destruction of the information stored on that equipment.”
As the Toronto health clinic and its paper disposal provider discovered, this is bad for business in more ways than one. Upon investigation, both organizations were deemed to have violated Ontario’s Personal Health Information Protection Act (PHIPA), prompting Ontario Privacy Commissioner Dr. Ann Cavoukian to issue the first order under the new law.
Mr. Bozic commented, “The incident is disappointing, but sadly it doesn’t really surprise me. It is becoming increasingly important for both firms and service providers to ensure they have done their due diligence. Whether service providers are destroying paper documents or electronic ones, questions need to be asked and answered. Issues like collection, process, and the use of any subcontractors and their practices must be addressed. If you do not feel comfortable with the answers, keep shopping until you feel confident in your provider.”
Mr. Bozic feels that the two companies, despite being the first to face an order under PHIPA, were fortunate. “Neither the clinic nor the paper disposal company was publicly identified. Future violators may not be as fortunate, and many organizations would find that kind of publicity especially devastating.”
About dataXile Corporation
Toronto-based dataXile Corporation (dataXile.com) is an information security company specializing in secure electronic data disposal. The company understands the risks and challenges associated with secure electronic information destruction and is committed to eliminating them.