By Alan Zaccario
The Aftermath of the Pandemic and the Ethical Implications of Data Deletion and Sanitization
An exclusive Hotel Online article series on securing customer and employee data – Part 1
Embarrassing reports of lost data surfacing on the dark web are becoming more and more prevalent in the media. As hoteliers we become the custodians of our guests’ and customers’ data from the time it is acquired and used until that information is archived or permanently deleted. However, what happens when that chain of custody is broken? What happens to the employee data too? More importantly, what plans do you, as an owner, have to prevent a disclosure from surfacing and damaging your reputation?
The answer might be to consider creating a Data Deletion and Sanitization Policy that satisfies the requirements of other programs such as PCI DSS and HIPAA. While it will remain part of ongoing business operations, it can be called up to quickly delete data when an uncontrolled transfer of data is possible. There are a great many technical and business issues to consider; hopefully this series will raise some questions about how and where data is stored, used and can be lost.
Several years ago, I was tasked with setting up a network for a company that had purchased some PCs and a server at an auction. After some IT magic resetting passwords and booting things up, the customer was disappointed (I was horrified) to discover that this equipment had all come from the same failed company and the storage capacity was nearly full of unencrypted files. Plainly readable were personal files, employee data, sales data and complete customer lists, email and other information. We had stumbled into a hacker’s motherlode. This company had failed to develop, or had been unable to implement, a data sanitization process before they turned off the lights the last time. The new owners had no desire for any of this treasure trove anyway, so I deleted it all using the best methods available at the time.
Data sanitization is the process of permanently and irrevocably destroying data so that it can no longer be read. Usually it involves wiping clean all evidence of previous data from an entire system or piece of hardware such as a hard drive. Organizations like the DoD and NIST produce very specific standards on what constitutes data sanitization using three methods: clear, purge and erase. Data deletion is a broader term that can apply to individual files or libraries of files. While generally not acceptable as a method of permanent destruction by the DoD, it still has compelling benefits in the private sector. Usually third-party software is used to safely render individual files unreadable without wiping out the entire hard drive. This method does not take into account duplicate files in other directories, temporary files, renamed files, etc. Think of it this way: data deletion prevents a user from seeing a file stored in your office; sanitization removes the entire office building. Your security response would be based on how important the document might be and whether you needed anything else in the office.
Keep in mind that data exists in many different forms, including storerooms of paper documentation long since forgotten. Businesses need a better view of what data they possess, in what state of use it is, and where it is located. From there they need to consider creating a data sanitization policy which can be quickly and inexpensively implemented when absolutely necessary. Finally, owners need to carefully consider how and when that policy will come into effect. As described, once implemented there is no turning back.
Most major brands take immediate responsibility for the data they own and execute sanitization well as part of an exit strategy. Similarly, management companies use effective means of wiping some of their proprietary data during a takeover/turnover process. Most often, these processes are part of a transfer of ownership. Whether specifically mentioned or not, at least some data is part of the sale agreement. Many properties are independent, and many of the systems that collect and process data (POS, PMS, CRM) are solely the owner’s responsibility. Moreover, valuable data exists on many overlooked systems and in many locations, some less obvious than others. However, if a property or company suddenly closes with no future owner transfer, what becomes of the data then? Who protects the customers and employees from the disclosure of data? Ethically, you do.
Truly agonizing decisions occur daily regarding the fate of some properties. Admittedly, data assets are not at the top of everyone’s list. Perhaps even the legal ownership and subsequent liability for data loss would be in question if the original owner no longer exists. However, public opinion in the age of social media can have an even greater impact than the legal system. PCI and PII breaches have been reported in the media and have impacted both brand and management company reputations. Regardless of the scope of the breach or the remediation thereafter, the incident lives on in the Internet forever. How the data was acquired and for what purposes it is used most certainly has legal implications. Unfortunately, irrevocable damage may be done to customers and employees long before the first charge has been filed.
Data typically exists in a state of availability, at a location, and with a level of protection (usually encryption). Somewhere within this matrix of state, location and protection lies the greatest liability for owners.
A “state” of availability refers to where in the information life cycle the data currently resides. As the term life cycle indicates, data has a born-on date and a died-on date too. The “state” refers to where it is during that cycle. There are several states, but let’s focus on just three: active, archived and deleted.
Active data is the data most commonly used in the course of business. This data set is frequently accessed, modified and processed. An example would be a property management system or a customer relationship management product. Both of these acquire and modify customer information on a daily basis. Consider too the amount of static information generated in the form of payroll reports, employee evaluations and security incident reports. This active data is stored and accessed on site, at a hosted provider or in a cloud.
Archived data is set aside from the active batch to be called up again for use. In most cases, archived data is never looked at again. Without proper catalogs the contents will eventually be lost to time. It stands at the ready but awaits deletion. The contents are still very valuable; probably more so considering the owner might not even know they are gone. Archived data may exist in paper form, on backup hard drives, on magnetic tapes and on optical media.
Deleted data is designated to be wiped clean but is still available. Contrary to what the file’s status says, it can still be recovered even after it has been deleted. Digitally speaking, a file that has been deleted has only had its pointers and flags removed, which hides it from common sight; the blocks holding its contents are untouched until something else overwrites them. A forensic program can quickly discover and restore these files even after the user thinks they are long gone. Though fictionalized to some extent, almost every crime/drama show has an IT expert who apparently can perform this as part of the key story plot. We have all seen boxes of paper and even blue bins that read “To Be Shred” or “To be Destroyed.” If you can reach in and grab a paper, then obviously the task has yet to be completed. The same applies to digital files.
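The difference between deletion and sanitization described earlier, and the “pointers and flags removed” behaviour of deleted data just described, can be seen on a toy block device. The following is an added example written for this article, not code from the author or from any sanitization product: the “volume” is a constructed in-memory byte array with a directory table of our own design, and the guest record (with the well-known 4111... test card number) is constructed sample data. Real filesystems allocate differently, but the principle is the same: an ordinary delete only removes the directory entry, so a raw scan of the medium still finds the content; overwriting the blocks (what a sanitization tool does) is what actually makes it unrecoverable.

```python
import os

BLOCK_SIZE = 32
BLOCK_COUNT = 32

# Constructed sample record, the kind of thing found on a back-office PC.
SAMPLE_RECORD = b"Guest: A. Example  Card: 4111111111111111  Exp: 12/29"


class ToyVolume:
    """A constructed, in-memory block device with a minimal directory table."""

    def __init__(self):
        self.raw = bytearray(BLOCK_SIZE * BLOCK_COUNT)   # the "platter"
        self.directory = {}                               # name -> (blocks, length)
        self.free_blocks = list(range(BLOCK_COUNT))

    def _span(self, block):
        return slice(block * BLOCK_SIZE, (block + 1) * BLOCK_SIZE)

    def write_file(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)              # ceiling division
        if needed > len(self.free_blocks):
            raise OSError("volume full")
        blocks = [self.free_blocks.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.raw[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.directory[name] = (blocks, len(data))

    def read_file(self, name):
        blocks, length = self.directory[name]
        return bytes(b"".join(self.raw[self._span(b)] for b in blocks)[:length])

    def delete_file(self, name):
        """Ordinary delete: drop the directory entry and free the blocks.
        The bytes in self.raw are left exactly as they were."""
        blocks, _ = self.directory.pop(name)
        self.free_blocks.extend(blocks)

    def sanitize_file(self, name, passes=1):
        """Secure delete: overwrite every block the file occupied, then release it.
        A random pass followed by a final zero pass keeps the result deterministic."""
        blocks, _ = self.directory[name]
        for b in blocks:
            for _ in range(passes):
                self.raw[self._span(b)] = os.urandom(BLOCK_SIZE)
            self.raw[self._span(b)] = bytes(BLOCK_SIZE)
        self.delete_file(name)

    def wipe_free_space(self):
        """Clear residue of previously deleted files from unallocated blocks."""
        for b in self.free_blocks:
            self.raw[self._span(b)] = bytes(BLOCK_SIZE)

    def carve(self, pattern):
        """What a forensic tool does: ignore the directory and scan the raw bytes.
        Returns every byte offset at which the pattern occurs."""
        offsets, start = [], 0
        while (i := self.raw.find(pattern, start)) != -1:
            offsets.append(i)
            start = i + 1
        return offsets


def demonstrate():
    """Run the three scenarios and return whether the card number survived each."""
    pan = b"4111111111111111"
    result = {}

    v = ToyVolume()
    v.write_file("cc_auth.txt", SAMPLE_RECORD)
    v.delete_file("cc_auth.txt")
    result["after_delete"] = bool(v.carve(pan))       # gone from directory, still on disk

    v.wipe_free_space()
    result["after_free_space_wipe"] = bool(v.carve(pan))

    v2 = ToyVolume()
    v2.write_file("cc_auth.txt", SAMPLE_RECORD)
    v2.sanitize_file("cc_auth.txt")
    result["after_sanitize"] = bool(v2.carve(pan))
    return result


if __name__ == "__main__":
    for scenario, recoverable in demonstrate().items():
        print(f"{scenario:24s} card number recoverable: {recoverable}")
```

The `carve` method is the whole point: it never consults the directory, which is exactly why a deleted file’s absence from a folder listing says nothing about whether its bytes are still on the medium. Note that `sanitize_file` only covers the blocks the directory currently maps to the file; copies, drafts and temporary files elsewhere on the volume are untouched, which is the limitation of file-level deletion the article describes.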
Knowing where the data is located is not only important, but also the greatest challenge. In the digital world the line is sometimes blurred as to whether files are stored on a local device, in a cloud or in a hybrid of the two. Physical assets like paper and backup media might be in desk drawers, storage rooms or offsite public storage units.
The policy should identify where the data is being used or collected regardless of the media.
Onsite storage should be the focal point of a Data Deletion and Sanitization Policy. Most of the property’s digital assets, such as servers, laptops, and PCs, are included in the scope of data collection. PMS, POS or application server hosting, CRM data and cloud share applications are prime locations of data and need to be included in any policy. However, onsite assets, by far, pose the largest threat. PC and laptop users tend to keep private data close to them rather than risk sharing it inadvertently on the server’s shared drive. Their hard drives often contain drafts and documents considered private. Lists of employee data, meeting details, group attendee lists and even possible unmasked credit card data associated with a meeting can often be located. The servers themselves can house multiple copies of the same file in different department directories.
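A policy can only cover the copies it knows about, so the first practical step on a server or shared drive is an inventory: hash every file to find the duplicates that live in different department directories, and flag files that appear to contain unmasked card numbers so they are sanitized rather than merely deleted. The script below is an added example written for this article, not a tool from the author or any vendor; it builds a small constructed directory tree in a temporary folder (file names and contents are all made up) and the card-number check is a simple heuristic (16 digits passing the Luhn check), not a substitute for a DLP product.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

# 16 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(rb"(?<!\d)(?:\d[ -]?){15}\d(?!\d)")


def luhn_ok(digits):
    """Luhn checksum, the standard check digit scheme used on card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pan(data):
    """True if the bytes contain a 16-digit run that passes Luhn."""
    for m in PAN_RE.finditer(data):
        digits = re.sub(rb"[ -]", b"", m.group()).decode()
        if luhn_ok(digits):
            return True
    return False


def inventory(root):
    """Walk the tree; group files by SHA-256 of content, noting PAN hits per path."""
    groups = defaultdict(list)              # sha256 hex -> [(relative path, pan_flag)]
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            with open(path, "rb") as f:
                data = f.read()
            digest = hashlib.sha256(data).hexdigest()
            groups[digest].append((os.path.relpath(path, root), looks_like_pan(data)))
    return groups


def duplicates(groups):
    """Content hashes that appear at more than one path, with their paths."""
    return {h: sorted(p for p, _ in entries) for h, entries in groups.items() if len(entries) > 1}


def flagged_paths(groups):
    """Every path whose content tripped the card-number heuristic."""
    return sorted(p for entries in groups.values() for p, hit in entries if hit)


def build_sample_tree():
    """Constructed sample data: two identical attendee lists in different
    departments, one authorization form with a (test) card number, and a
    newsletter whose 16-digit order reference fails Luhn and must not be flagged."""
    root = tempfile.mkdtemp(prefix="inventory_demo_")
    files = {
        "sales/attendees.csv": b"name,company\nA. Example,Example Corp\n",
        "accounting/attendees.csv": b"name,company\nA. Example,Example Corp\n",
        "gm/cc_auth_form.txt": b"Cardholder: A. Example\nCard: 4111 1111 1111 1111\n",
        "marketing/newsletter.txt": b"Order ref 1234567890123456, call 555-0100\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
    return root


if __name__ == "__main__":
    groups = inventory(build_sample_tree())
    for digest, paths in duplicates(groups).items():
        print(f"duplicate content {digest[:12]}...: {paths}")
    print("files needing sanitization:", flagged_paths(groups))
```

Hashing by content rather than by name is what catches the renamed and copied files that file-level deletion misses; the Luhn filter keeps ordinary 16-digit references (order numbers, serials) out of the list so that what remains is worth a human look before the wipe.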
What about copiers? An often-overlooked source of disclosure could come from the copier/scanners used in the back office and accounting departments. Many of the modern large multifunction devices have storage devices that keep encrypted images of everything scanned or copied. Take time now to determine with the manufacturer or equipment supplier how that data is being stored, what type of encryption is in place and the process used to wipe data when the device is taken back after a lease. Insist on a certificate of destruction if that is the case. Some of the older multifunction devices did not use encryption at all, making them a significant source of disclosure.
A concerted effort has been underway for several years to go paperless, but old habits and business necessity are hard things to change. Papers are located in binders, desk drawers, filing cabinets, mechanical rooms, etc. Recall that at this point there is likely a folder containing credit card authorization forms with live credit card information located somewhere in the GM or accounting office. After these documents end up in a dumpster, no technical skill is required to do significant damage to a customer. Considered low-hanging fruit in the hacking community, physical assets like paper still exist in significant enough quantities to be a major liability.
Backup media often exists onsite as well. Some servers utilize magnetic tape to run backups each night. Tapes are supposed to be rotated and stored in a fire-rated safe. Too often, they are not. Visual inspections of a computer/systems room frequently show a week’s worth of tapes lined neatly on top of the server. USB hard drives, thumb drives and writeable DVDs are used on smaller servers, PCs and laptops. Unencrypted media slipped into a pocket and restored elsewhere will quickly expose documents and databases.
The new owners of the property will have little regard for the physical contents or disposal methods. Most will go to the dumpster, liquidator or whomever takes it. At this point, the state of the data no longer matters, nor does the location. Access to sensitive data is now fair game.
Please join us next week for part 2 of Where Data Goes to Die.