Data security is not just hackers in cyberspace. It also exists in the physical world, and some of it relates to pedestrian but necessary security protocols for nuts-and-bolts objects. A recent report of a data leak shows how focusing exclusively on active systems can lead to unexpected and potentially problematic results.
In the story linked above, a manufacturer of connected vehicles replaced a number of its data storage appliances. A white-hat hacker reported that he had purchased four of the replaced units from eBay and found that they still contained the customers’ personal data, including the owners’ home and work locations, all saved Wi-Fi passwords, calendar entries from the customers’ phones, call lists and address books from paired phones, and Netflix and other stored session cookies. This incident follows a report last year from white-hat hackers who discovered drivers’ personal information in the electronic systems of salvaged vehicles.
These data security incidents did not involve the classic fear: a remote hacker technologically infiltrating internet-facing systems or connected vehicles. Rather, both incidents show that “dumpster diving” is alive and well. Some of the data in the most recent incident were stored in clear text that would have been immediately readable to anyone possessing the drives in question, but even the most sophisticated commercially available encryption might be cracked in the future.
Although many enterprises devote considerable attention to network and endpoint security for live systems, physical access to live systems, records management, and shredding of hard copy, they frequently fail to plan for the almost continuous acquisition and disposal of hardware that can store data. Many businesses do not understand that doing a quick format on a hard drive is far from reliably erasing it. And people tend to overlook the fact that if a car syncs with a smartphone, or even collects user data directly, all of that data needs to be eliminated when the vehicle is disposed of. The fact that data is old or unneeded does not mean that it is not there, or that it is not protected by the law. Many data breach notification laws may be triggered if personal information is disclosed as a result of disposal of hardware.
The autonomous vehicle industry has long appreciated the importance of cybersecurity for its cars and other vehicles. Even the federal government has weighed in, as the National Highway Traffic Safety Administration offered its assessment of data security in the AV space. Off-the-road enterprises should also consider systematic measures both to preserve the sanctity of data that is in current use and to make sure that where a piece of hardware gets its final sendoff, its contents do not get sent around. The optimal end-of-life sanitization for data storage devices will vary with the value of the data, its regulatory framework, and the nature of the storage media and how it was used. There are many compliant ways to mitigate disposal risks, but the important thing is to understand they exist.