Research: Common Lost and Found Practices May Cause Data Breaches
n
Our survey of 100 hospitality industry lost and found managers revealed that most do not take the steps necessary to ensure the sensitive data on lost electronic devices is properly protected. Here's what we found:
n
n
46% of managers said they donated unclaimed devices to charity, while 37% admitted they had no disposal plan in place. 12% give their unclaimed devices to the local police department to deal with, 4% give the device back to the employee that found it, and 1% throw them in the trash. While some of the managers showed concern about the sensitive data the devices may contain, none of them performed even the most minimal data erase procedure before disposing them.
n
n
n
The Pitfalls
n
n
Give to Charity – Donating to local non-profits is a noble gesture, but most of these organizations do not have the time or skill necessary to professionally clear unclaimed electronic devices. Many organizations simply pass the devices off to a for profit company, that may or may not ensure the devices are cleared properly. Donating may expose a property to liability, if someone is harmed because of a data breach.
n
n
Give to Employees – Many managers will return an unclaimed electronic device to the employee that found it. This is rightly viewed as a way to incentivize employees to turn in items that have been left behind by guests. Caution needs to be taken when a property's policy is to give an unclaimed device to the person who found it. Since many people do not password protect their devices, all of their sensitive data, including pictures and financial information, can be easily accessed. If the original owner is harmed because the manager did not exercise appropriate care, the property could face legal action.
n
n
Give to Law Enforcement – This may sound like the best alternative. However, many law enforcement agencies will not accept unclaimed electronic devices from local businesses because of the potential liability attached. Besides, this just adds to the workload of an already overworked agency.
n
n
n
No Plan – As Benjamin Franklin once said, “If you fail to plan, you are planning to fail!”. With no plan on how to dispose of data laden electronic devices in place, it is simply a matter of time before a breach occurs. While it may seem like a small thing, a simple plan can protect a property's guests and reputation. Contact us to get started with a no cost, easy to implement, unclaimed electronic device disposal plan.
n
n
What Kind of Data is Found on a Smartphone?
n
n
To demonstrate the kind of information that can be found on lost devices, we cataloged the type of data found on 200 micro SD cards found in randomly chosen, unclaimed smartphones, sent to us by hospitality industry lost and found managers. It is interesting to note that many of the devices were locked with a PIN lock, but none of the SD cards were protected in any way (see this article for more information on securing SD cards). Below are the results:
n
n
One was overwritten, meaning the device was professionally cleared and all data was overwritten. The device appeared to be erased remotely by software such as the mobile data software company Lookout provides.
n
n
Seven devices had photos, videos, or written information which pertained to growing, using or selling illegal drugs.
n
n
Twenty devices contained business files, some of which named customers, vendors, and sales volumes.
n
n
n
Twenty-nine devices contained information that could aid a criminal in stealing identity, burglary, or even worse. We found files with home addresses, schedules, even one file named "User Names and Passwords" which contained…you guessed it…user names and passwords to over 30 accounts ranging from social networks to bank accounts.
n
n
Thirty five devices were cleared before we received them, but with a free software downoad we were able to recover the "cleared" data on all of them.
n
n
Thirty-nine devices contained some form of professionally produced pornography, both photo and video.
n
n
Fifty devices contained intimate photos or videos that appeared to be taken, or downloaded, using the device. They included both male and female in partially nude, fully nude, and explicit content.
n
n
One hundred fifty-five devices contained personal photos of children, family members, animals, homes, cars…etc…, other personal infomation, including team rosters, school flyers, job applications, college transcripts…etc…
n
n
Finding a Good Solution
n
n
Think about the data your device contains. If you lost it, would you want someone looking through your personal, private, and sensitive information? You would expect any professional who handled it to protect your digital life. Hotels, resorts, and entertainment venues should do the same for their guests.
n
n
When evaluating an unclaimed electronic device disposal solution, there are a few things to look for. First, ask the organization, to whom you send your devices, how they handle shipments. Do they do the processing, or does another organization do the processing? If so, do they have control over the process? If not, ask to speak with the company that processes the devices on their behalf. Second, does the organization processing the devices have the skill, knowledge, and tools necessary to delete all personal data? Third, does the organization have the proper insurance to cover any liability claim arising from improper handling? Finally, do they have an environmentally friendly end of life policy for devices that cannot be reused?
n
n
The Data-Secure program we offer answers all the questions above, plus a few more. If you are a lost and found manager, contact us to see how our free program can help you protect your company and your guests from data breaches.
n