NSA Influences Commercial End-of-Life Data Security
Never before has there been such an intense focus on data security and privacy. With data breaches increasing exponentially and the European Union’s recent implementation of the General Data Protection Regulation (GDPR), data security has been at the forefront of news stories over the past several months, with both businesses and consumers suddenly paying very close attention. With this increased attention has come an understanding that data continues to exist even when it is no longer needed or used. Due to this newfound understanding and GDPR’s “Right to be Forgotten,” the eradication of data has new urgency and has become critical to a successful data security program. But where does the National Security Agency (NSA) come into all of this?
The NSA has had an unprecedented influence on commercial data security legislation and regulations, including the Health Insurance Portability and Accountability Act (HIPAA), the Fair and Accurate Credit Transactions Act (FACTA), the Federal Information Security Modernization Act (FISMA), and even GDPR, as well as the National Institute for Standards and Technology (NIST) and the German institute for standardization commonly known as DIN.
Formed in 1952, NSA security directives are considered the golden standard when it comes to all security measures, including data security. Generally, it can be said that if a security standard meets NSA requirements, it will also sufficiently meet any commercial regulation. But how has the NSA actually influenced these commercial regulations? Let’s take a look at three newer regulations to see the clear connection between NSA standards and commercial regulations for data end-of-life.
The HIPAA Security Rule exists to secure electronic protected health information (e-PHI) in an effort to safeguard individuals’ electronic medical data privacy. This rule, which is a subset of the 1996 HIPAA Privacy Rule that protects PHI, was published in February of 2003 and takes a multifaceted approach to protection and security of e-PHI. The security rule requires a broad range of safeguards, including administrative, technical and physical protection of e-PHI. These safeguards not only cover confidentiality of health records and personally identifiable information; they also require that entities handling e-PHI have security measures in place that protect against possible threats from both internal and external sources, impermissible uses, and compromised technical, software and hardware infrastructure. Many of these requirements, such as security of data at end-of-life and protection of physical hardware, are directives that first came from the NSA.
Data privacy and security is the central component of GDPR legislation, and the NSA has arguably the most stringent data privacy and security requirements of any organization worldwide. For example, GDPR requires that sensitive data be destroyed at end-of-life to a 10mm particle size. The only other organization that requires a particular particle size for data end-of-life is the NSA, which requires a 1mm x 5mm particle size for paper and a 2mm particle for solid state drive destruction. While the required particle size is larger for GDPR, any requirement for data destruction particle size is directly descended from NSA policy.
Intergraf, the European Federation for Print and Digital Communication, has developed standards for security printers and initiated the development of the 2013 ISO 14298 standards in cooperation with industry experts and standardization organizations from 25 countries on five different continents. Although ISO 14298 in and of itself does not mandate specific requirements, Intergraf offers Implementation Guidelines and Intergraf Certification Requirements specifically developed for the secure printing industry, allowing highly security-focused organizations to become certified and ensure the highest security for their customers. Because these requirements are kept in strictest confidence and only available to security printers, we cannot share any specific requirements herein. What we can mention is that these requirements include logical security, supply chain assurance and physical security, an example of which is that data end-of-life such as printer plates must be shredded or disintegrated—another example of a commercial regulation being directly influenced by NSA directives.
With the increase in data breaches and the ever-changing ways in which nefarious individuals gain access to secure information, it is no wonder that organizations are looking to beef up security and to find new ways to stave off would-be thieves. Interestingly enough, the new focus on data end-of-life has roots dating back to the original NSA determination that classified paper must be destroyed to a specific particle size. While requiring drive destruction at end-of-life is a new process for many commercial organizations, it is really just a matter of catching up to what the NSA has known for years: that data end-of-life presents a security risk that must be neutralized.
Andrew Kelleher is President at Security Engineered Machinery, global leader in information end-of-life solutions for over 50 years.