BarnOwl Info Sharing session: 26 October 2017
“SO YOU’VE INSTALLED THE SECURITY SOFTWARE…THINK YOU’VE COVERED YOUR POPI RISK? THINK AGAIN
Presented by Ron Keschner, one of the founders and creators of Tarsus Dispose IT
Thank you very much Ron Keschner for your enlightening presentation at our BarnOwl info sharing event held at the BarnOwl offices in Bryanston on the 26th October 2017. The event was well attended and very well received. Thank you Ron.
Ron showed a video (included in the presentation link below) where 2nd hand photo copiers were purchased and the hard drives removed to find out what data was on them. In one case criminal records, social security numbers, pay slips, bank statements, IDs, tax information etc. were extracted. In another case, detailed personal medical history was recovered for 1000s of patients. Not only is this a serious breach of data privacy laws (no matter what the country / jurisdiction) but this information in the wrong hands is a gold mine for those with criminal intent.
Ron enlightened us about IT Asset Disposal (ITAD) which is no longer about selling end-of-term hardware to the highest bidder. Stringent legislation NOW demands environmental compliance, safety of sensitive information and financial and tax compliance. (King 4 requires ITAD to be included in all audits going forward). The penalties and consequences of losing company data is frightening not just in terms of reputational damage but in terms of fines and criminal sentencing:
NEMWA;2008 & PoPIA;2013
- 5-10 Year Criminal Sentencing
- R5m – R10m Enforced Penalty (this is the bare minimum)
- MASSIVE REPUTATIONAL DAMAGE (PoPIA)
“Offender must make a breach public knowledge by means of mass media”
- National print media
- Online media
NB: “NPA’s focus has shifted to the conduct of company directors and the scope for personal criminal liability for environmental degradation caused on their watch”.
Source: Werksmans Attorneys
The Tarsus IT disposal unit (company) specialises in the disposal / resale of ‘end-of-term’ hardware and the professional scrubbing of data. In some instances helicopters are used to guard the trucks transporting the hardware from the client site to Tarsus’s secure warehouse where the data is scrubbed. Data is now more valuable than a truck full of money, not just in terms of the criminal repercussions of losing or leaking data but also the reputational damage done to your company and to the privacy of any individual involved. I also found it very interesting that your asset register should include the weight of the hardware since there are stringent environmental regulations around asset disposal / eWaste.
So, when your IT manager tells you not to worry because:
- “I have Deleted the files”
- “I can just format the hard drive”
- “I will just reload your Operating System”
Don’t be fooled….. all the information can still be retrieved by someone who knows what they are doing!
When it comes to asset disposal you require specialist services to ensure POPI compliant data destruction and disposal of redundant assets:
- Data Destruction
- Data Sanitization
- HDD Destruction
- eWaste collection
One way to minimise the risk of falling short of POPI is to engage with a COMPLIANT ITAD service provider, who will ensure an auditable and compliant disposal of IT and electronic goods process. The service provider should also help recover value for the goods, manage complex logistics and provide all the necessary compliance with regulations.
Once again thank you Ron for your time and for sharing with us your extensive and practical experience.
Written by: Jonathan Crisp
Director – BarnOwl GRC and Audit software
About Ron Keschner:
Ron Keschner is one of the founders and creators of Tarsus Dispose IT, the business concept created solely around the requirements of corporate Risk Management.
After almost 20 years in the South African IT hardware channel, first as a product GM at Tarsus Technologies and then as founder and Managing Director of Channel Capital, the IT hardware funder, he realised in early 2016 that with the onset of POPIA and the global explosion around data security, this would soon become the key focus of CIO’s as well as Risk Managers across the length and breadth of the South African corporate arena.
Together with GO Rentals, South Africa’s Premier IT rental and hardware-as-a-service supplier, Tarsus then created Tarsus Dispose-IT to address all issues around the implementation of an effective and compliant ITAD (IT Asset Disposal) policy and give corporate business peace of mind with the upcoming promulgation into law of the POPI Act.
As presenter of Business Mix’s The Shake Rattle and Ron Show, Ron is sure to make a compelling case for exactly where Risk Management really should be focusing its efforts over the next 12 to 24 months.
BarnOwl is a fully integrated governance, risk management, compliance and audit software solution used by over 200 organisations in Africa, Australasia, Europe and the UK. BarnOwl is a locally developed software solution and is the preferred risk management solution for the South African public sector supporting the National Treasury risk framework.