Digital Security

NAID Introduces SSD Sanitization Endorsement. SAFE Data Act Moves out of Subcommittee.

NAID Introduces SSD Sanitization Endorsement

The board of directors for the National Association for Information Destruction (NAID), the Phoenix-based trade association representing the secure data destruction industry, has approved the launch of the NAID AAA Certification for Sanitization Operations for solid-state memory devices (SSD), including mobile phones, smart phones, memory cards and computers.

NAID's program for certifying sanitization operations previously only applied to conventional hard drives.

Companies that are already NAID AAA Certified for Sanitization Operations can now add a solid-state memory endorsement to their current status at their next announced audits (not applicable to unannounced audits) for no additional fee, the association says.

NAID AAA Certification of Sanitization Operations is a voluntary program available to NAID members that is designed to verify the security and effectiveness of sanitization services offered by IT asset management firms, electronics recycling companies and other providers.

To validate the destruction process, NAID auditors arrive with various SSDs, including mobile phones, smart phones and memory cards, containing known information. This allows the auditors to inspect the sanitization process. After the physical inspection and review of compliance records, the auditors also remove other previously processed SSDs from the operator's inventory. These devices are subjected to forensic inspection using specialized equipment to determine the efficacy of the processors' systems of sanitization, the organization says.

NAID's 15 independent auditors are required to be certified protection professionals, the highest professional security accreditation available, through ASIS International.
 


SAFE Data Act Moves out of Subcommittee

The Secure and Fortify (SAFE) Data Act of 2011 has moved from the House Subcommittee on Commerce, Manufacturing and Trade to the full Energy and Commerce Committee for consideration.

The act, introduced by Congresswoman Mary Bono Mack of California, is intended to help protect American consumers from identity theft.

The act would require companies and organizations that hold personal information to establish and maintain security policies to prevent unauthorized access. It also would require notification to the FTC (Federal Trade Commission) and consumers within 48 hours of securing and assessing the scope of a data breach. The FTC would be given the authority to levy civil penalties if companies or entities failed to respond in a timely and responsible manner.

"The SAFE Data Act will provide American consumers with better safeguards in the future," Bono Mack said when she released the discussion draft of her legislation.

It also would grant the FTC the ability to expand the definition of "personally identifiable information," so long as these new data pose a reasonable risk of identity theft or would otherwise "result in unlawful conduct."

Changes made to the act following the release of the discussion draft in mid-June include:

  • Agreeing to revise the concept of "assessing the nature and scope of a breach" so that it can't become a pretext for delaying notification;
  • Agreeing to strike the requirement to "reasonably restore the integrity of the data system";
  • Agreeing that entities governed by Gramm-Leach-Bliley but that fall under FTC jurisdiction are subject to the requirements of the SAFE Data Act; and
  • Agreeing on a backstop of 45 days for breach notification. In past legislation, the drop-dead date for notification was 60 days.


The discussion draft of the proposed legislation can be viewed at http://bono.house.gov/UploadedFile/Data_Breach_Draft.pdf.